{ "id": "9AQd9r6sPeEbpy2a", "meta": { "templateCredsSetupCompleted": true }, "name": "Automated Vulnerability News Digest with RSS Feed", "tags": [], "nodes": [ { "id": "bf19314a-9ce9-4ecf-9674-4e2d6c75a6ca", "name": "CISA KEV List", "type": "n8n-nodes-base.rssFeedReadTrigger", "position": [ 0, 0 ], "parameters": { "feedUrl": "https://www.cisa.gov/rss/advisories/known-exploited-vulnerabilities.xml", "pollTimes": { "item": [ { "mode": "everyMinute" }, { "hour": 12 } ] } }, "typeVersion": 1 }, { "id": "0d146f40-12ff-41e1-8447-8ffac5ce96dc", "name": "Format Vulnerability Alert", "type": "n8n-nodes-base.code", "position": [ 224, 0 ], "parameters": { "jsCode": "const vulnerabilityTitle = $json.title;\nconst vulnerabilityLink = $json.link;\nconst vulnerabilityDescription = $json.description.replace(/(<([^>]+)>)/ig, '').slice(0, 300) + '...'; // Strip HTML, truncate\n\n// You can add logic here to parse specific details if they are consistently structured in the RSS description.\n// For example, extracting CVE ID if it's always in a specific format.\n\nreturn [{\n json: {\n ...$json, // Keep original data if needed\n alertMessage: `\ud83d\udea8 *New Known Exploited Vulnerability!* \ud83d\udea8\\n\\n*Title:* ${vulnerabilityTitle}\\n*Summary:* ${vulnerabilityDescription}\\n*Learn More:* ${vulnerabilityLink}\\n\\n_Action Required: Review and assess impact._`\n }\n}];" }, "typeVersion": 2 }, { "id": "825444b4-b8d1-44e3-a61a-74380919f8a9", "name": "Is Critical Vulnerability?", "type": "n8n-nodes-base.if", "position": [ 448, 0 ], "parameters": { "options": {}, "conditions": { "options": { "version": 2, "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "and", "conditions": [ { "id": "54899a2f-daf0-48f2-9705-ea819ae75857", "operator": { "type": "string", "operation": "contains" }, "leftValue": "={{ $json.title.toLowerCase() }}", "rightValue": "\"critical\"" } ] } }, "typeVersion": 2.2 }, { "id": "75c8738b-0f46-4cb6-a9a0-c3ffb2a91e0b", "name": "Send Critical Alert", "type": "n8n-nodes-base.slack", "position": [ 672, -96 ], "parameters": { "text": "={{ $json.alertMessage }}", "user": { "__rl": true, "mode": "id", "value": "[YOUR_SECURITY_TEAM_SLACK_CHANNEL_ID]" }, "select": "user", "otherOptions": {} }, "credentials": { "slackApi": { "name": "" } }, "typeVersion": 2.3 }, { "id": "47984814-c736-45f2-8b20-03aa252dd853", "name": "No Operation, do nothing", "type": "n8n-nodes-base.noOp", "position": [ 672, 96 ], "parameters": {}, "typeVersion": 1 }, { "id": "64aa387e-1cd2-4004-b691-a9803fcbf312", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ -48, -192 ], "parameters": { "color": 3, "width": 928, "height": 480, "content": "# Flow" }, "typeVersion": 1 }, { "id": "8a13ab3a-b055-40cc-bad2-4875d03aba4b", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ -48, 352 ], "parameters": { "color": 5, "width": 928, "height": 864, "content": "# \ud83d\udea8 Automated Vulnerability News Digest \ud83d\udcf0\n\n* **Problem Solved:**\n Cybersecurity teams are constantly battling new threats. A major challenge is the **manual, time-consuming process of monitoring newly disclosed and actively exploited vulnerabilities** from critical sources like CISA's Known Exploited Vulnerabilities (KEV) catalog. Missing a critical vulnerability alert can have severe consequences for an organization's security posture.\n\n* **Solution Overview:**\n This n8n workflow offers a **simple, 5-node automation** designed specifically for proactive vulnerability management. It automatically pulls new vulnerability entries from a trusted RSS feed (such as the CISA KEV list) and delivers **instant, summarized alerts directly to your Slack channel**. This ensures your security team receives timely notifications about critical threats without the burden of manual, continuous monitoring. As an AI Agent developer, this is an efficient solution to a common SME cybersecurity pain point!\n\n* **For Whom:**\n This highly valuable, yet simple, automation is ideal for:\n * **Cybersecurity Operations (SecOps) Teams:** For immediate awareness of actively exploited vulnerabilities.\n * **IT Security Managers:** To quickly assess new risks and prioritize patching efforts.\n * **Incident Response Teams:** To get early warnings about vulnerabilities that might lead to an incident.\n * **Small & Medium Enterprises (SMEs):** That need a straightforward, cost-effective way to enhance their threat intelligence capabilities.\n\n---\n\n### How It Works: The 5-Node Vulnerability Monitoring Flow\n\nThis concise workflow efficiently captures, filters, and delivers crucial cybersecurity vulnerability alerts.\n\n1. **Trigger: CISA KEV List (RSS Feed Node):**\n * **Function:** This is the entry point. It regularly checks a designated RSS feed (pre-configured for CISA's Known Exploited Vulnerabilities catalog) for any new entries.\n * **Process:** When a new vulnerability is added to the feed, it acts as a trigger, initiating the workflow to process that specific vulnerability's information.\n\n2. **Format Vulnerability Alert (Code Node):**\n * **Function:** This node acts as a data processor, taking the raw RSS feed entry and structuring it into a clear, actionable alert message.\n * **Process:** It extracts key details like the vulnerability's title, a summary from its description (stripping HTML for cleanliness), and the direct link for more information. This data is then formatted into a concise `alertMessage` variable.\n\n3. **Is Critical Vulnerability? (If Node):**\n * **Function:** This node provides a quick, conditional check, allowing for basic prioritization of alerts.\n * **Process:** It evaluates the vulnerability's title (or description) for specific keywords (e.g., \"critical,\" \"zero-day,\" \"remote code execution\"). If the vulnerability contains these keywords, it's flagged as \"critical,\" and the workflow proceeds to send an alert. Otherwise, the workflow ends for that entry (or could be routed to a less urgent notification channel).\n\n4. **Send Critical Alert (Slack Node):**\n * **Function:** This is the delivery mechanism, ensuring your security team receives instant and highly visible notifications.\n * **Process:** The formatted `alertMessage` is immediately sent to your designated **Slack channel** (e.g., `#security-alerts` or `#incident-response`), providing real-time awareness.\n\n5. **End Workflow (No-Op Node):**\n * **Function:** This node simply signifies the successful completion of the workflow's execution path for a given vulnerability entry.\n\n---\n\n### How to Set Up\n\nImplementing this essential cybersecurity vulnerability monitor in your n8n instance is quick and straightforward.\n\n1. **Prepare Your Credentials:**\n * **Slack API:** Set up your **Slack credential** in n8n. You'll need to obtain the **Channel ID** of the specific Slack channel where you want your security alerts to be posted (e.g., `#security-alerts`).\n\n2. **Import the Workflow JSON:**\n * **Import:** In your n8n instance, navigate to the \"Workflows\" section. Click the \"New\" or \"+\" icon, then select \"Import from JSON.\" Paste the provided JSON code (from the previous response) into the import dialog and import the workflow.\n\n3. **Configure the Nodes:**\n * **Trigger: CISA KEV List (RSS Feed Node):**\n * The default URL (`https://www.cisa.gov/rss/advisories/known-exploited-vulnerabilities.xml`) is typically correct for CISA KEV.\n * You can adjust the **Polling Interval** if you want to check for new vulnerabilities more or less frequently.\n * **Is Critical Vulnerability? (If Node):**\n * Review the default condition (e.g., `title contains \"critical\"`). You can customize this by adding `OR` conditions for other high-priority keywords (e.g., `\"zero-day\"`, `\"RCE\"`) to precisely define what constitutes a \"critical\" alert for your team.\n * **Send Critical Alert (Slack Node):**\n * Select your configured **Slack Credential**.\n * Replace `[YOUR_SECURITY_TEAM_SLACK_CHANNEL_ID]` with the actual **Channel ID** for your security alert channel.\n\n4. **Test and Activate:**\n * **Manual Test:** Click the \"Test Workflow\" button (usually in the top right corner of the n8n editor). This will execute the workflow once, pulling the latest entries from the RSS feed.\n * **Verify Output:** Check your specified Slack channel. If there are new KEV entries or if recent entries match your \"critical\" criteria, you should see an alert appear.\n * **Activate:** Once you're satisfied that the workflow is correctly configured and working, toggle the \"Active\" switch (usually in the top right corner of the n8n editor) to `ON`. Your workflow will then automatically monitor the CISA KEV list at your set interval, providing continuous vulnerability awareness.\n\n---" }, "typeVersion": 1 } ], "active": false, "settings": { "executionOrder": "v1" }, "versionId": "3a4bc78e-d50e-49b1-aa84-6932c968dd63", "connections": { "CISA KEV List": { "main": [ [ { "node": "Format Vulnerability Alert", "type": "main", "index": 0 } ] ] }, "Format Vulnerability Alert": { "main": [ [ { "node": "Is Critical Vulnerability?", "type": "main", "index": 0 } ] ] }, "Is Critical Vulnerability?": { "main": [ [ { "node": "Send Critical Alert", "type": "main", "index": 0 } ], [ { "node": "No Operation, do nothing", "type": "main", "index": 0 } ] ] } } }