{
  "id": "1dSFJgL340NlOBkh",
  "meta": {
    "templateCredsSetupCompleted": true
  },
  "name": "Cybersecurity Threat Detection & Alert",
  "tags": [],
  "nodes": [
    {
      "id": "b20161b9-009c-4670-9563-377582851b77",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -1152,
        96
      ],
      "parameters": {
        "width": 800,
        "height": 800,
        "content": "## Real-time threat detection & incident response\n\nScans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. Detected threats are scored by severity \u2014 critical and high issues trigger immediate multi-channel alerts and incident tickets, while medium and low threats are logged for trend analysis. Every scan closes with an executive summary posted to Slack.\n\n## How it works\n\n1. **Collect** \u2014 Fetches network logs from SIEM, vulnerability scan results, and external threat intel feeds in parallel\n2. **Merge & analyze** \u2014 Combines all data, then detects brute force attacks, malware, critical CVEs, suspicious traffic, and IOC matches\n3. **Route by severity** \u2014 Critical/High threats go to immediate alerting; Medium/Low are logged to the database\n4. **Alert** \u2014 Sends Slack alert, detailed email to SOC, creates a PagerDuty incident, and opens a ticket\n5. **Log** \u2014 Stores Medium/Low threats to SIEM and PostgreSQL for audit trail\n6. **Report** \u2014 Merges all paths and posts a scan summary to the Slack monitoring channel\n\n## Setup steps\n\n1. **SIEM** \u2014 Replace `your-siem-system.com` with your SIEM endpoint in both the log fetch and log write nodes\n2. **Vulnerability scanner** \u2014 Update the scanner URL and replace `YOUR_TOKEN_HERE` in the Authorization header with your scanner credentials\n3. **Threat intel** \u2014 Add your API key to the threat intelligence feed node header\n4. **PagerDuty** \u2014 Replace `YOUR_PAGERDUTY_KEY` and `YOUR_SERVICE_ID` in the PagerDuty node\n5. **Ticketing** \u2014 Update the ticket URL to your Jira or ServiceNow instance and replace `YOUR_TOKEN_HERE` in the Authorization header with your ticketing API key\n6. **Slack** \u2014 Set the correct channel IDs in both Slack nodes (alerts channel and monitoring channel)\n7. **Email** \u2014 Configure SMTP credentials; update `from` and `to` addresses in the email node\n8. **PostgreSQL** \u2014 Ensure a `threat_log` table exists with columns: severity, type, description, timestamp, action_required"
      },
      "typeVersion": 1
    },
    {
      "id": "7c9fbfd3-9663-4ad2-84d2-2dc19cf804da",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -176,
        144
      ],
      "parameters": {
        "color": 4,
        "width": 440,
        "height": 876,
        "content": "## 1. Data collection\n\nTriggers every 15 minutes and fetches network logs, vulnerability scan results, and external threat intelligence feeds in parallel before merging them for analysis."
      },
      "typeVersion": 1
    },
    {
      "id": "34565425-c656-4881-928d-32f678ac9cdf",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        304,
        352
      ],
      "parameters": {
        "color": 4,
        "width": 436,
        "height": 460,
        "content": "## 2. Threat analysis\n\nMerges all collected data and runs detection logic to identify brute force attacks, malware signatures, critical vulnerabilities, suspicious traffic patterns, and IOC matches. Each threat is tagged with a severity level."
      },
      "typeVersion": 1
    },
    {
      "id": "d929174b-463e-4376-89f0-5a63f282b7f8",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        800,
        256
      ],
      "parameters": {
        "color": 4,
        "width": 640,
        "height": 860,
        "content": "## 3. Alert & remediate\n\nCritical and High threats trigger a Slack alert, a detailed SOC email, a PagerDuty incident, and an incident ticket. Medium and Low threats are logged to SIEM and stored in PostgreSQL."
      },
      "typeVersion": 1
    },
    {
      "id": "0a3e7f2b-d06f-45fb-a8dd-33125071246a",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1488,
        336
      ],
      "parameters": {
        "color": 4,
        "width": 764,
        "height": 524,
        "content": "## 4. Summary report\n\nAll paths merge and a scan summary \u2014 total threats by severity and type \u2014 is posted to the Slack monitoring channel after every run."
      },
      "typeVersion": 1
    },
    {
      "id": "5633b4a5-b9cf-44ea-99ea-0dad8156574c",
      "name": "Schedule Trigger - Every 15 Minutes",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        -144,
        496
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 15
            }
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "9de6147c-8a55-4613-913a-604093822d75",
      "name": "Fetch Network Logs",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        96,
        384
      ],
      "parameters": {
        "url": "https://your-siem-system.com/api/logs",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "sendHeaders": true,
        "bodyParameters": {
          "parameters": [
            {
              "name": "time_range",
              "value": "15m"
            },
            {
              "name": "log_types",
              "value": "firewall,ids,auth"
            }
          ]
        },
        "headerParameters": {
          "parameters": [
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "14354e5f-bb8c-4fa7-852c-d82621fc03bd",
      "name": "Fetch Vulnerability Scan Results",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        96,
        592
      ],
      "parameters": {
        "url": "https://your-vulnerability-scanner.com/api/scan",
        "method": "POST",
        "options": {},
        "sendBody": true,
        "sendHeaders": true,
        "bodyParameters": {
          "parameters": [
            {
              "name": "scan_type",
              "value": "quick"
            },
            {
              "name": "targets",
              "value": "internal_network"
            }
          ]
        },
        "headerParameters": {
          "parameters": [
            {
              "name": "Authorization",
              "value": "Bearer YOUR_TOKEN_HERE"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "e6b1d20e-48e5-435f-bc96-621f95c6d1a5",
      "name": "Fetch Threat Intelligence Feed",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        96,
        784
      ],
      "parameters": {
        "url": "https://api.threatintel.com/v1/threats/recent",
        "options": {},
        "sendHeaders": true,
        "headerParameters": {
          "parameters": [
            {
              "name": "X-API-Key",
              "value": "YOUR_THREAT_INTEL_KEY"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "52a555e8-19c0-4cc5-99a3-e780ac8cbc7e",
      "name": "Merge All Threat Data",
      "type": "n8n-nodes-base.merge",
      "position": [
        352,
        592
      ],
      "parameters": {},
      "typeVersion": 3
    },
    {
      "id": "2c8301ec-fa9a-4a4e-a7aa-f26357b26cef",
      "name": "Analyze & Detect Threats",
      "type": "n8n-nodes-base.code",
      "position": [
        608,
        592
      ],
      "parameters": {
        "jsCode": "// Threat Detection Logic\nconst items = $input.all();\nconst threats = [];\n\nfor (const item of items) {\n  const data = item.json;\n  \n  // Check for failed login attempts (Brute Force)\n  if (data.failed_logins && data.failed_logins > 10) {\n    threats.push({\n      severity: 'HIGH',\n      type: 'Brute Force Attack',\n      source: data.source_ip || 'Unknown',\n      description: `${data.failed_logins} failed login attempts detected`,\n      timestamp: new Date().toISOString(),\n      action_required: 'Block IP and notify SOC'\n    });\n  }\n  \n  // Check for critical vulnerabilities (guard against a non-array field from the scanner)\n  if (Array.isArray(data.vulnerabilities)) {\n    const criticalVulns = data.vulnerabilities.filter(v => v.severity === 'CRITICAL');\n    if (criticalVulns.length > 0) {\n      threats.push({\n        severity: 'CRITICAL',\n        type: 'Critical Vulnerability Detected',\n        affected_systems: data.hostname || 'Multiple systems',\n        description: `${criticalVulns.length} critical vulnerabilities found`,\n        timestamp: new Date().toISOString(),\n        action_required: 'Immediate patching required'\n      });\n    }\n  }\n  \n  // Check for suspicious traffic patterns\n  if (data.traffic_volume && data.traffic_volume > 10000) {\n    threats.push({\n      severity: 'MEDIUM',\n      type: 'Suspicious Traffic Pattern',\n      source: data.source_ip || 'Unknown',\n      description: `Abnormal traffic volume: ${data.traffic_volume} requests`,\n      timestamp: new Date().toISOString(),\n      action_required: 'Investigate and monitor'\n    });\n  }\n  \n  // Check for malware signatures\n  if (data.malware_detected === true) {\n    threats.push({\n      severity: 'CRITICAL',\n      type: 'Malware Detection',\n      affected_systems: data.hostname || 'Unknown',\n      description: `Malware signature: ${data.malware_name || 'Unknown'}`,\n      timestamp: new Date().toISOString(),\n      action_required: 'Isolate system immediately'\n    });\n  }\n  \n  // Check threat intelligence matches\n  if (data.ioc_match === true) {\n    threats.push({\n      severity: 'HIGH',\n      type: 'IOC Match',\n      indicator: data.indicator || 'Unknown',\n      description: `Known threat indicator detected: ${data.indicator_type}`,\n      timestamp: new Date().toISOString(),\n      action_required: 'Block and investigate'\n    });\n  }\n}\n\nreturn threats.map(threat => ({ json: threat }));"
      },
      "typeVersion": 2
    },
    {
      "id": "e9494946-bdcd-41a9-b685-86cb6c5ddfd4",
      "name": "Check Threat Severity",
      "type": "n8n-nodes-base.if",
      "position": [
        848,
        592
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "or",
          "conditions": [
            {
              "id": "condition-1",
              "operator": {
                "type": "string",
                "operation": "equals"
              },
              "leftValue": "={{ $json.severity }}",
              "rightValue": "CRITICAL"
            },
            {
              "id": "condition-2",
              "operator": {
                "type": "string",
                "operation": "equals"
              },
              "leftValue": "={{ $json.severity }}",
              "rightValue": "HIGH"
            }
          ]
        }
      },
      "typeVersion": 2
    },
    {
      "id": "9c1414b8-f5cc-47da-a9de-909901adb984",
      "name": "Send Slack Alert - Critical",
      "type": "n8n-nodes-base.slack",
      "position": [
        1088,
        464
      ],
      "parameters": {
        "text": "=\ud83d\udea8 **SECURITY ALERT - {{ $json.severity }}**\n\n**Threat Type:** {{ $json.type }}\n**Source/System:** {{ $json.source || $json.affected_systems || $json.indicator }}\n**Description:** {{ $json.description }}\n**Time Detected:** {{ $json.timestamp }}\n**Action Required:** {{ $json.action_required }}\n\n\u26a0\ufe0f Immediate response required!",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "C12345678"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "de4c0273-fa6e-4af0-9495-f78695e7e67f",
      "name": "Send Email Alert - Detailed",
      "type": "n8n-nodes-base.emailSend",
      "position": [
        1088,
        672
      ],
      "parameters": {
        "options": {},
        "subject": "=\ud83d\udea8 {{ $json.severity }} Threat Detected: {{ $json.type }}",
        "emailFormat": "text",
        "text": "=Severity: {{ $json.severity }}\nThreat Type: {{ $json.type }}\nSource/System: {{ $json.source || $json.affected_systems || $json.indicator }}\nDescription: {{ $json.description }}\nTime Detected: {{ $json.timestamp }}\nAction Required: {{ $json.action_required }}",
        "toEmail": "user@example.com, user@example.com",
        "fromEmail": "user@example.com"
      },
      "credentials": {
        "smtp": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.1
    },
    {
      "id": "217d7550-3a07-4d86-b8aa-c7013ad4f165",
      "name": "Create PagerDuty Incident",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1328,
        464
      ],
      "parameters": {
        "url": "https://api.pagerduty.com/incidents",
        "method": "POST",
        "options": {},
        "jsonBody": "={\n  \"incident\": {\n    \"type\": \"incident\",\n    \"title\": \"{{ $json.severity }}: {{ $json.type }}\",\n    \"service\": {\n      \"id\": \"YOUR_SERVICE_ID\",\n      \"type\": \"service_reference\"\n    },\n    \"urgency\": \"high\",\n    \"body\": {\n      \"type\": \"incident_body\",\n      \"details\": \"{{ $json.description }}\\n\\nAction: {{ $json.action_required }}\"\n    }\n  }\n}",
        "sendBody": true,
        "sendHeaders": true,
        "specifyBody": "json",
        "headerParameters": {
          "parameters": [
            {
              "name": "Authorization",
              "value": "Token token=YOUR_PAGERDUTY_KEY"
            },
            {
              "name": "Content-Type",
              "value": "application/json"
            },
            {
              "name": "Accept",
              "value": "application/vnd.pagerduty+json;version=2"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "1cc4631b-7d8a-4231-ad8d-c8d70add7faa",
      "name": "Create Security Ticket",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1328,
        672
      ],
      "parameters": {
        "url": "https://your-ticketing-system.com/api/tickets",
        "method": "POST",
        "options": {},
        "jsonBody": "={\n  \"title\": \"{{ $json.severity }} Security Threat: {{ $json.type }}\",\n  \"description\": \"{{ $json.description }}\\n\\nDetected: {{ $json.timestamp }}\\nAction Required: {{ $json.action_required }}\",\n  \"priority\": \"{{ $json.severity === 'CRITICAL' ? 'P1' : 'P2' }}\",\n  \"category\": \"Security Incident\",\n  \"assigned_to\": \"SOC Team\"\n}",
        "sendBody": true,
        "sendHeaders": true,
        "specifyBody": "json",
        "headerParameters": {
          "parameters": [
            {
              "name": "Authorization",
              "value": "Bearer YOUR_TOKEN_HERE"
            },
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "cc06d7fd-96e9-4e91-b529-80eae70a9787",
      "name": "Log Medium/Low Threats",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1088,
        896
      ],
      "parameters": {
        "url": "https://your-siem-system.com/api/events/log",
        "method": "POST",
        "options": {},
        "jsonBody": "={\n  \"event_type\": \"security_threat\",\n  \"severity\": \"{{ $json.severity }}\",\n  \"threat_type\": \"{{ $json.type }}\",\n  \"description\": \"{{ $json.description }}\",\n  \"timestamp\": \"{{ $json.timestamp }}\",\n  \"source\": \"n8n_threat_detection\"\n}",
        "sendBody": true,
        "sendHeaders": true,
        "specifyBody": "json",
        "headerParameters": {
          "parameters": [
            {
              "name": "Content-Type",
              "value": "application/json"
            }
          ]
        }
      },
      "typeVersion": 4.2
    },
    {
      "id": "2c5a881f-a51a-41bf-a00e-0f5ddc8beff5",
      "name": "Store in Database",
      "type": "n8n-nodes-base.postgres",
      "position": [
        1344,
        896
      ],
      "parameters": {
        "query": "=INSERT INTO threat_log (severity, type, description, timestamp, action_required)\nVALUES ($1, $2, $3, $4, $5);",
        "options": {
          "queryReplacement": "={{ $json.severity }}, {{ $json.type }}, {{ $json.description }}, {{ $json.timestamp }}, {{ $json.action_required }}"
        },
        "operation": "executeQuery"
      },
      "credentials": {
        "postgres": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.5
    },
    {
      "id": "8199dd00-b0af-43c3-a5c6-346738debf86",
      "name": "Merge All Paths",
      "type": "n8n-nodes-base.merge",
      "position": [
        1568,
        592
      ],
      "parameters": {},
      "typeVersion": 3
    },
    {
      "id": "81cd1ef3-176a-4c56-b48a-429d24c9f659",
      "name": "Generate Summary Report",
      "type": "n8n-nodes-base.code",
      "position": [
        1808,
        592
      ],
      "parameters": {
        "jsCode": "// Generate Summary Report\nconst items = $input.all();\n\nconst summary = {\n  timestamp: new Date().toISOString(),\n  total_threats: items.length,\n  critical: items.filter(i => i.json.severity === 'CRITICAL').length,\n  high: items.filter(i => i.json.severity === 'HIGH').length,\n  medium: items.filter(i => i.json.severity === 'MEDIUM').length,\n  low: items.filter(i => i.json.severity === 'LOW').length,\n  threat_types: [...new Set(items.map(i => i.json.type))],\n  status: 'Workflow completed successfully'\n};\n\nreturn [{ json: summary }];"
      },
      "typeVersion": 2
    },
    {
      "id": "de5188a7-acc2-48e8-910a-61fdb4f25c7e",
      "name": "Send Summary to Monitoring Channel",
      "type": "n8n-nodes-base.slack",
      "position": [
        2048,
        592
      ],
      "parameters": {
        "text": "=\u2705 **Threat Detection Scan Complete**\n\n**Summary:**\n\u2022 Total Threats: {{ $json.total_threats }}\n\u2022 Critical: {{ $json.critical }}\n\u2022 High: {{ $json.high }}\n\u2022 Medium: {{ $json.medium }}\n\u2022 Low: {{ $json.low }}\n\n**Threat Types Detected:** {{ $json.threat_types.join(', ') }}\n\n**Scan Time:** {{ $json.timestamp }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "C87654321"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.2
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "1656b525-1944-4d5c-81ab-9a5c3408610d",
  "connections": {
    "Merge All Paths": {
      "main": [
        [
          {
            "node": "Generate Summary Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Fetch Network Logs": {
      "main": [
        [
          {
            "node": "Merge All Threat Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check Threat Severity": {
      "main": [
        [
          {
            "node": "Send Slack Alert - Critical",
            "type": "main",
            "index": 0
          },
          {
            "node": "Send Email Alert - Detailed",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Log Medium/Low Threats",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Merge All Threat Data": {
      "main": [
        [
          {
            "node": "Analyze & Detect Threats",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create Security Ticket": {
      "main": [
        [
          {
            "node": "Merge All Paths",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Log Medium/Low Threats": {
      "main": [
        [
          {
            "node": "Store in Database",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Store in Database": {
      "main": [
        [
          {
            "node": "Merge All Paths",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Generate Summary Report": {
      "main": [
        [
          {
            "node": "Send Summary to Monitoring Channel",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Analyze & Detect Threats": {
      "main": [
        [
          {
            "node": "Check Threat Severity",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create PagerDuty Incident": {
      "main": [
        [
          {
            "node": "Merge All Paths",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send Email Alert - Detailed": {
      "main": [
        [
          {
            "node": "Create Security Ticket",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send Slack Alert - Critical": {
      "main": [
        [
          {
            "node": "Create PagerDuty Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Fetch Threat Intelligence Feed": {
      "main": [
        [
          {
            "node": "Merge All Threat Data",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Fetch Vulnerability Scan Results": {
      "main": [
        [
          {
            "node": "Merge All Threat Data",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Schedule Trigger - Every 15 Minutes": {
      "main": [
        [
          {
            "node": "Fetch Network Logs",
            "type": "main",
            "index": 0
          },
          {
            "node": "Fetch Vulnerability Scan Results",
            "type": "main",
            "index": 0
          },
          {
            "node": "Fetch Threat Intelligence Feed",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}