{
  "id": "UvFBvBrJeZ1ZseEP",
  "name": "Simple Cybersecurity Brand/Vulnerability Mention Monitor",
  "tags": [],
  "nodes": [
    {
      "id": "2517496a-4442-47de-95b8-d4dcd18e41f4",
      "name": "Monitor: Cybersecurity Keywords",
      "type": "n8n-nodes-base.twitter",
      "position": [
        -640,
        -192
      ],
      "parameters": {
        "limit": 10,
        "operation": "search",
        "searchText": "=\"[YourBrandName]\" OR \"CVE-2024-XXXX\" OR \"zeroday\"",
        "additionalFields": {}
      },
      "credentials": {
        "twitterOAuth1Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1
    },
    {
      "id": "1b59fa1b-0c67-41ce-9727-5a63aca6ca58",
      "name": "Format Notification",
      "type": "n8n-nodes-base.code",
      "position": [
        -416,
        -192
      ],
      "parameters": {
        "jsCode": "// Build one notification per tweet returned by the search, not just the first item.\nreturn $input.all()\n  // Basic filtering example (optional):\n  // To skip tweets from certain users or containing specific negative words:\n  // .filter((item) => !item.json.text.includes(\"irrelevant_ad\"))\n  .map((item) => {\n    const tweet = item.json.text;\n    const user = item.json.user.screen_name;\n    const tweetUrl = `https://twitter.com/${user}/status/${item.json.id_str}`;\n\n    return {\n      json: {\n        ...item.json, // Keep original data if needed\n        notificationMessage: `\ud83d\udea8 New Cybersecurity Mention! \ud83d\udea8\\nUser: @${user}\\nTweet: ${tweet}\\nLink: ${tweetUrl}`\n      }\n    };\n  });"
      },
      "typeVersion": 1
    },
    {
      "id": "e354e454-b75f-431d-a0e7-e03977a05fdd",
      "name": "End Workflow",
      "type": "n8n-nodes-base.noOp",
      "position": [
        32,
        -96
      ],
      "parameters": {},
      "typeVersion": 1
    },
    {
      "id": "65258a33-fd0c-4447-ab9d-a9092e2bed00",
      "name": "Schedule Trigger",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        -864,
        -192
      ],
      "parameters": {
        "rule": {
          "interval": [
            {}
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "507cf813-506c-4a21-8d90-ddc8c9c5aa1a",
      "name": "Valid Mention?",
      "type": "n8n-nodes-base.if",
      "position": [
        -192,
        -192
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "48d84b7d-bece-407b-90cc-f3ee63b29d0a",
              "operator": {
                "type": "string",
                "operation": "notContains"
              },
              "leftValue": "={{ $json.notificationMessage }}",
              "rightValue": "bot"
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "1e8d6eb7-129a-48cb-b0e7-8e38b2aa1862",
      "name": "Send Notification",
      "type": "n8n-nodes-base.slack",
      "position": [
        32,
        -288
      ],
      "parameters": {
        "text": "={{ $json.notificationMessage }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "[YOUR_CYBERSECURITY_ALERT_CHANNEL_ID]"
        },
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "71871b97-dc68-4621-b621-18423e553898",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -912,
        -368
      ],
      "parameters": {
        "color": 3,
        "width": 1168,
        "height": 448,
        "content": "## Flow"
      },
      "typeVersion": 1
    },
    {
      "id": "82990fea-5ae1-443d-b6e9-2d483f5095d9",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -912,
        144
      ],
      "parameters": {
        "color": 5,
        "width": 1168,
        "height": 1712,
        "content": "# \ud83d\udee1\ufe0f Simple Cybersecurity Brand/Vulnerability Mention Monitor \ud83d\udea8\n\n* **Problem Solved:**\n    Many cybersecurity firms or IT teams struggle to stay instantly informed when their brand is mentioned online, or when new, relevant vulnerabilities are being discussed in public forums or social media. Manually monitoring these discussions is **time-consuming, inefficient, and prone to missing critical alerts.**\n\n* **Solution Overview:**\n    This n8n workflow provides a streamlined, **5-node automation** to proactively monitor X (formerly Twitter) for specific cybersecurity-related keywords (e.g., your brand name, common CVEs, or general threat terms). Upon detecting a relevant mention, it automatically sends an **instant notification to your Slack channel**. This ensures your team is always aware of public discussions that could impact reputation, security posture, or require rapid response.\n\n* **For Whom:**\n    This workflow is perfect for:\n    * **Cybersecurity Teams & Analysts:** To stay updated on threat intelligence and brand perception.\n    * **IT Operations & Security Teams:** For quick alerts on potential vulnerabilities affecting their stack.\n    * **Brand Managers in Tech:** To monitor brand reputation and mentions in the security space.\n    * **Small & Medium Enterprises (SMEs):** Looking for a cost-effective way to implement basic, yet crucial, external threat monitoring.\n\n---\n\n### How It Works: The 5-Node Monitoring Flow\n\nThis concise workflow efficiently captures, filters, and delivers crucial cybersecurity-related mentions.\n\n1.  **Monitor: Cybersecurity Keywords (X/Twitter Trigger):**\n    * **Function:** This is the entry point. It continuously polls X (Twitter) for tweets that contain specific keywords you define (e.g., your company name, \"Log4j,\" \"CVE-2024-XXXX,\" \"ransomware\").\n    * **Process:** As soon as a tweet matching your query is found, it triggers the workflow to begin processing that information.\n\n2.  **Format Notification (Code Node):**\n    * **Function:** This node acts as a data preparer, extracting key details from the raw tweet and structuring them into a clear, actionable message.\n    * **Process:** It pulls out the tweet's text, the user's handle (`@screen_name`), and the direct URL to the tweet. It then combines these into a concise `notificationMessage` that is easy to read. You can also add basic filtering logic here if needed.\n\n3.  **Valid Mention? (If Node):**\n    * **Function:** This node serves as a quick, simple filter to reduce noise and prevent irrelevant alerts.\n    * **Process:** It checks the `notificationMessage` for specific conditions (e.g., ensuring it doesn't contain common spam words like \"bot\"). If the mention passes this basic validation, it proceeds. If not, the workflow quietly ends for that particular tweet.\n\n4.  **Send Notification (Slack Node):**\n    * **Function:** This is the delivery mechanism for your alerts, ensuring your team gets instant, visible notifications.\n    * **Process:** The `notificationMessage` is sent directly to your designated **Slack channel** (e.g., `#cyber-alerts` or `#security-ops`).\n\n5.  **End Workflow (No-Op Node):**\n    * **Function:** This node simply marks the successful completion of the workflow's execution path, whether a notification was sent or filtered out.\n\n---\n\n### How to Set Up\n\nImplementing this simple cybersecurity monitor in your n8n instance is quick and straightforward.\n\n1.  **Prepare Your Credentials:**\n    * **X (Twitter) API:** Ensure you have an X (Twitter) developer account, have created an application, and have your Consumer Key/Secret and Access Token/Secret ready to set up your **Twitter credential** in n8n.\n    * **Slack API:** Set up your **Slack credential** in n8n. You'll also need the **Channel ID** of the Slack channel where you want the security alerts to be posted (e.g., `#security-alerts`).\n\n2.  **Import the Workflow JSON:**\n    * In your n8n instance, navigate to the \"Workflows\" section.\n    * Click the \"New\" or \"+\" icon, then select \"Import from JSON.\"\n    * Paste the provided JSON code into the import dialog and import the workflow.\n\n3.  **Configure the Nodes:**\n    * **Monitor: Cybersecurity Keywords (X/Twitter):**\n        * Select your newly created **Twitter Credential**.\n        * **CRITICAL:** Modify the **\"Search Text\"** parameter to include your specific brand names, relevant CVEs, or general cybersecurity terms. For example: `\"YourCompany\" OR \"CVE-2024-1234\" OR \"phishing alert\"`. Use `OR` to combine terms.\n    * **Send Notification (Slack):**\n        * Select your **Slack Credential**.\n        * Replace `[YOUR_CYBERSECURITY_ALERT_CHANNEL_ID]` with the actual **Channel ID** you noted for your security alerts.\n    * *(Optional: Adjust the \"Valid Mention?\" node's condition if you find specific patterns of false positives in your search results.)*\n\n4.  **Test and Activate:**\n    * **Manual Test:** Click the \"Test Workflow\" button in the n8n editor. This will execute the workflow once.\n    * **Verify Output:** Check your specified Slack channel to confirm that any detected mentions are sent as notifications in the correct format.\n    * **Activate:** Once you're satisfied with the test results, toggle the \"Active\" switch (usually in the top right corner of the editor) to `ON`. Your workflow will now automatically monitor X (Twitter) at the specified polling interval.\n\n---"
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "74a9e109-0669-4e2f-b427-89d31880e4f8",
  "connections": {
    "Valid Mention?": {
      "main": [
        [
          {
            "node": "Send Notification",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "End Workflow",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger": {
      "main": [
        [
          {
            "node": "Monitor: Cybersecurity Keywords",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Format Notification": {
      "main": [
        [
          {
            "node": "Valid Mention?",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Monitor: Cybersecurity Keywords": {
      "main": [
        [
          {
            "node": "Format Notification",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}