{ "id": "yFPHgzz31QViOb19", "name": "AI SOC SOPHOS", "tags": [], "nodes": [ { "id": "67fbedd3-c1f2-4efb-9b98-769eb9fe07ad", "name": "Webhook", "type": "n8n-nodes-base.webhook", "position": [ -240, -180 ], "parameters": { "path": "replace-with-your-webhook-path", "options": {}, "httpMethod": "POST" }, "typeVersion": 2 }, { "id": "d6ac962c-f117-468b-867d-0f4943742cbd", "name": "If", "type": "n8n-nodes-base.if", "position": [ -20, -180 ], "parameters": { "options": {}, "conditions": { "options": { "version": 2, "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "or", "conditions": [ { "id": "9ed981f2-c77a-4a3b-bf57-d5a9d93708f8", "operator": { "type": "string", "operation": "regex" }, "leftValue": "={{ $json.body.event.severity }}", "rightValue": "high|critical" }, { "id": "fd811333-cce8-499b-bd27-411cec0641e2", "operator": { "type": "string", "operation": "contains" }, "leftValue": "={{ $json.body.event.type }}", "rightValue": "Event::Endpoint::Threat" }, { "id": "872198a1-0a59-482d-b5f9-4c2ffd48dcdc", "operator": { "type": "string", "operation": "contains" }, "leftValue": "={{ $json.body.event.type }}", "rightValue": "Event::Endpoint::WebControlViolation" }, { "id": "f472f90d-ce54-456b-958f-ebb5af4ad70b", "operator": { "type": "string", "operation": "contains" }, "leftValue": "={{ $json.body.event.type }}", "rightValue": "Event::Endpoint::WebFilteringBlocked" } ] } }, "typeVersion": 2.2 }, { "id": "5fc88577-6634-4a19-812d-af5b9698686a", "name": "Google Gemini Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatGoogleGemini", "position": [ 880, 40 ], "parameters": { "options": {} }, "typeVersion": 1 }, { "id": "206432d6-e7d3-438e-95ad-afdbaf412b41", "name": "Send a text message", "type": "n8n-nodes-base.telegram", "position": [ 1220, -180 ], "parameters": { "text": "=\ud83d\udea8 *PERINGATAN KEAMANAN {{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).risk_level.toUpperCase() }}* \ud83d\udea8\n\n*Ancaman Terdeteksi:* `{{ $('Webhook').item.json.body.event.name }}`\n\n_{{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).summary }}_\n\n*Laporan VirusTotal ({{ $('Code').item.json.indicator_value }}):*\nDideteksi oleh {{ $('For_Gemini_Prompt').item.json.totalFlags }} mesin keamanan. Vendor yang menandai:\n{{ $node[\"For_Gemini_Prompt\"].json.vendorsListText }}\n\n*\u2699\ufe0f Rekomendasi Mitigasi (oleh Gemini AI):*\n{{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).mitigation_steps.map((step, index) => `${index + 1}. ${step}`).join('\\n') }}", "chatId": "YOUR_CHAT_ID", "additionalFields": {} }, "typeVersion": 1.2 }, { "id": "c434340f-dbf1-43d9-91a7-9dc0dd1d8fbe", "name": "Code", "type": "n8n-nodes-base.code", "position": [ 200, -180 ], "parameters": { "jsCode": "// Mengambil data event dari input\nconst event = $input.item.json.body.event;\n\n// Fungsi baru untuk mengekstrak DOMAIN dari dalam field 'name'\nconst extractDomainFromName = (nameField) => {\n \u00a0if (!nameField || typeof nameField !== 'string') { return null; }\n \u00a0// Memecah teks berdasarkan karakter '\"'\n \u00a0const parts = nameField.split('\"');\n \u00a0// Domain biasanya adalah bagian kedua (indeks 1)\n \u00a0if (parts.length >= 2) {\n \u00a0 \u00a0const potentialDomain = parts[1];\n \u00a0 \u00a0// Cek sederhana, jika mengandung titik, kita anggap itu domain\n \u00a0 \u00a0if (potentialDomain.includes('.')) {\n \u00a0 \u00a0 \u00a0return potentialDomain;\n \u00a0 \u00a0}\n \u00a0}\n \u00a0return null;\n};\n\n// Coba ekstrak domain dari field 'name'\nconst domainFromName = extractDomainFromName(event.name);\n\nlet finalUrl = \"\";\nlet indicatorType = \"\";\nlet indicatorValue = \"\";\n\n// --- LOGIKA PRIORITAS BARU ---\n\n// 1. Cek hash file\nif (event?.data?.sha256) {\n \u00a0indicatorType = \"file\";\n \u00a0indicatorValue = event.data.sha256;\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/files/${indicatorValue}`;\n} \n// 2. Cek DOMAIN (bukan URL lagi)\nelse if (domainFromName) {\n \u00a0indicatorType = \"domain\";\n \u00a0indicatorValue = domainFromName;\n \u00a0// Menggunakan endpoint DOMAIN di VirusTotal\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/domains/${indicatorValue}`;\n}\n// 3. Cek Alamat IP\nelse if (event?.source_ip) {\n \u00a0indicatorType = \"ip\";\n \u00a0indicatorValue = event.source_ip;\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/ip_addresses/${indicatorValue}`;\n}\n\n// Pastikan kita punya URL untuk diperiksa\nif (!finalUrl) {\n \u00a0throw new Error(\"Tidak ada indikator (sha256, domain, atau source_ip) yang ditemukan.\");\n}\n\n// Kembalikan objek terstruktur untuk digunakan di node selanjutnya\nreturn {\n \u00a0url_to_check: finalUrl,\n \u00a0indicator_type: indicatorType,\n \u00a0indicator_value: indicatorValue\n};" }, "typeVersion": 2 }, { "id": "cab1af6a-bc38-4148-af28-cb16c289b631", "name": "AI Agent", "type": "@n8n/n8n-nodes-langchain.agent", "position": [ 860, -180 ], "parameters": { "text": "=Anda adalah seorang Analis Keamanan Jaringan Senior yang sangat teliti dan berbasis fakta juga mendalami Security Operation Center (SOC).\n\nPENTING: Gunakan HANYA data yang tersedia dari log dan data reputasi. Jangan menambahkan, mengubah, atau mengasumsikan detail seperti alamat IP, Url, maupun Sha256. Selalu gunakan alamat IP, Url, maupun Sha256 yang sama persis seperti yang tertera di input.\n\nAnalisis data event IPS dari FortiGate dan data reputasi IP dari VirusTotal berikut.\n\nData Log Sophos:\n{{ $('If').item.json.body }}\n\nData Reputasi VirusTotal untuk{{ $('Code').item.json.indicator_value }} :\n{{ JSON.stringify($node[\"Virus_Total\"].json.data.attributes.last_analysis_stats) }}\n\nTugas Anda: Berikan output HANYA dalam format JSON yang valid dengan kunci berikut:\n- \"event\" : {{ $('If').item.json.body.event.name }}\n- \"summary\": Ringkasan insiden dalam 1-2 kalimat singkat.\n- \"risk_level\": {{ $('Webhook').item.json.body.event.severity }} dan Pilih salah satu: 'Kritis', 'Tinggi'.\n- \"ip_reputation, url atau sha256\": Deskripsi singkat reputasi berdasarkan data VirusTotal{{ $json.vendorsListText \u00a0}}{{ $json.reputationSummaryForGemini }}.\n- \"affected_internal_ip\": Ulangi nilai \"{{ $('Webhook').item.json.body.event.source_info.ip }} dengan User {{ $('Webhook').item.json.body.event.suser }} dan host pc {{ $('Webhook').item.json.body.event.dhost }}\" dari \"Data Log Sophos\" di sini tanpa perubahan.\n- \"mitigation_steps\": Array of strings berisi 3 rekomendasi utama yang spesifik dan bisa dijalankan.", "options": {}, "promptType": "define" }, "typeVersion": 2 }, { "id": "461d4e12-c62c-49ac-8fe1-f687d993de20", "name": "For_Gemini_Prompt", "type": "n8n-nodes-base.code", "position": [ 640, -180 ], "parameters": { "jsCode": "// KODE UNTUK NODE \"Format Hasil VT\"\n\n// Mengambil output JSON dari node VirusTotal sebelumnya\nconst vtData = $input.item.json;\nconst detailedResults = vtData.data?.attributes?.last_analysis_results || {};\n\nconst flaggingVendors = [];\nlet totalFlags = 0;\n\n// Loop melalui setiap hasil vendor\nfor (const vendor in detailedResults) {\n \u00a0const result = detailedResults[vendor];\n \u00a0// Cek jika kategori-nya berbahaya atau mencurigakan\n \u00a0if (result.category === 'malicious' || result.category === 'suspicious') {\n \u00a0 \u00a0totalFlags++;\n \u00a0 \u00a0// Format: - `NamaVendor`: *malicious*\n \u00a0 \u00a0flaggingVendors.push(`- \\`${vendor}\\`: *${result.category}*`);\n \u00a0}\n}\n\n// Buat teks daftar vendor, atau pesan default jika kosong\nconst vendorsListText = flaggingVendors.length > 0\n \u00a0? flaggingVendors.join('\\n')\n \u00a0: \"Tidak ada vendor yang menandai sebagai berbahaya.\";\n\n// Buat ringkasan singkat untuk dikirim ke Gemini\nconst reputationSummaryForGemini = `Indikator ini ditandai sebagai berbahaya/mencurigakan oleh ${totalFlags} vendor keamanan di VirusTotal.`;\n\n// Kembalikan semua data yang sudah diformat\nreturn {\n \u00a0vendorsListText: vendorsListText,\n \u00a0reputationSummaryForGemini: reputationSummaryForGemini,\n \u00a0totalFlags: totalFlags\n};" }, "typeVersion": 2 }, { "id": "0a97c373-db22-4ec4-ab40-b4992bf9ef2f", "name": "Virus_Total", "type": "n8n-nodes-base.httpRequest", "position": [ 420, -180 ], "parameters": { "url": "={{ $json.url_to_check }}", "options": {}, "authentication": "genericCredentialType", "genericAuthType": "httpHeaderAuth" }, "typeVersion": 4.2 }, { "id": "6a6b3013-bf04-4f30-9e6d-0d790e451c38", "name": "Simple Memory", "type": "@n8n/n8n-nodes-langchain.memoryBufferWindow", "position": [ 1000, 40 ], "parameters": { "sessionKey": "={{ $('Webhook').item.json.body.event.customer_id }}", "sessionIdType": "customKey" }, "typeVersion": 1.3 } ], "active": true, "settings": { "executionOrder": "v1" }, "connections": { "If": { "main": [ [ { "node": "Code", "type": "main", "index": 0 } ] ] }, "Code": { "main": [ [ { "node": "Virus_Total", "type": "main", "index": 0 } ] ] }, "Webhook": { "main": [ [ { "node": "If", "type": "main", "index": 0 } ] ] }, "AI Agent": { "main": [ [ { "node": "Send a text message", "type": "main", "index": 0 } ] ] }, "Virus_Total": { "main": [ [ { "node": "For_Gemini_Prompt", "type": "main", "index": 0 } ] ] }, "Simple Memory": { "ai_memory": [ [ { "node": "AI Agent", "type": "ai_memory", "index": 0 } ] ] }, "For_Gemini_Prompt": { "main": [ [ { "node": "AI Agent", "type": "main", "index": 0 } ] ] }, "Google Gemini Chat Model": { "ai_languageModel": [ [ { "node": "AI Agent", "type": "ai_languageModel", "index": 0 } ] ] } } }