{ "name": "WF6 \u2014 SecureVault Security Alert Notifications", "nodes": [ { "parameters": { "httpMethod": "POST", "path": "securevault/security-alert", "responseMode": "responseNode", "options": {} }, "id": "webhook-alert", "name": "Security Alert Webhook", "type": "n8n-nodes-base.webhook", "typeVersion": 2, "position": [ 220, 400 ] }, { "parameters": { "conditions": { "combinator": "and", "conditions": [ { "leftValue": "={{ $json.headers['x-api-key'] }}", "rightValue": "={{ $env.SV_API_KEY }}", "operator": { "type": "string", "operation": "equals" } } ] } }, "id": "api-key-alert", "name": "Validate API Key", "type": "n8n-nodes-base.if", "typeVersion": 2, "position": [ 440, 400 ] }, { "parameters": { "respondWith": "json", "responseBody": "={ \"status\": \"error\", \"message\": \"Unauthorized\" }", "options": { "responseCode": 401 } }, "id": "reject-alert", "name": "Reject", "type": "n8n-nodes-base.respondToWebhook", "typeVersion": 1, "position": [ 600, 620 ] }, { "parameters": { "jsCode": "const body = $input.first().json.body;\nconst { eventType, email, userId, ip, userAgent, severity, timestamp, executionId } = body;\n\nif (!eventType) throw new Error('eventType required');\n\nconst alertType = eventType.replace('security.', '');\n\nreturn [{\n json: {\n alertType,\n eventType,\n email: (email || '').toLowerCase(),\n userId: userId || 'unknown',\n ip: ip || 'unknown',\n userAgent: (userAgent || '').substring(0, 300),\n severity: severity || 'info',\n timestamp: timestamp || new Date().toISOString(),\n executionId: executionId || $execution.id\n }\n}];" }, "id": "validate-alert", "name": "Parse Alert", "type": "n8n-nodes-base.code", "typeVersion": 2, "position": [ 660, 400 ] }, { "parameters": { "rules": { "values": [ { "outputIndex": 0, "conditions": { "conditions": [ { "leftValue": "={{ $json.alertType }}", "rightValue": "login.failed.3x", "operator": { "type": "string", "operation": "equals" } } ] } }, { "outputIndex": 1, "conditions": { "conditions": [ { "leftValue": "={{ $json.alertType }}", "rightValue": "login.failed.5x", "operator": { "type": "string", "operation": "equals" } } ] } }, { "outputIndex": 1, "conditions": { "conditions": [ { "leftValue": "={{ $json.alertType }}", "rightValue": "account.locked", "operator": { "type": "string", "operation": "equals" } } ] } }, { "outputIndex": 2, "conditions": { "conditions": [ { "leftValue": "={{ $json.alertType }}", "rightValue": "password.changed", "operator": { "type": "string", "operation": "equals" } } ] } } ], "fallbackOutput": 3 } }, "id": "switch-alert", "name": "Route Alert Type", "type": "n8n-nodes-base.switch", "typeVersion": 3.2, "position": [ 900, 400 ] }, { "parameters": { "sendTo": "={{ $json.email }}", "subject": "\u26a0\ufe0f Unusual login activity on your SecureVault account", "emailType": "html", "message": "

\u26a0\ufe0f Security Alert

Unusual Login Activity Detected

We detected multiple failed login attempts on your account.

\ud83d\udccd IP: {{ $json.ip }}
\ud83d\udd50 Time: {{ $json.timestamp }}

If this was you, no action is needed. Otherwise:

Secure Your Account \u2192

SecureVault Security Team

", "options": {} }, "id": "email-3x-warning", "name": "Email: 3x Failed Warning", "type": "n8n-nodes-base.gmail", "typeVersion": 2.1, "position": [ 1180, 200 ], "credentials": { "gmailOAuth2": { "name": "" } } }, { "parameters": { "sendTo": "={{ $json.email }}", "subject": "\ud83d\udd34 Your SecureVault account has been locked", "emailType": "html", "message": "

\ud83d\udd34 Account Locked

Your Account Has Been Temporarily Locked

Due to 5 consecutive failed login attempts, your account has been locked for 15 minutes.

\ud83d\udccd IP: {{ $json.ip }}
\ud83d\udd50 Locked at: {{ $json.timestamp }}

If this wasn't you, reset your password immediately:

Reset Password Now \u2192

SecureVault Security Team

", "options": {} }, "id": "email-locked", "name": "Email: Account Locked", "type": "n8n-nodes-base.gmail", "typeVersion": 2.1, "position": [ 1180, 380 ], "credentials": { "gmailOAuth2": { "name": "" } } }, { "parameters": { "sendTo": "={{ $json.email }}", "subject": "\ud83d\udd11 Your SecureVault password was changed", "emailType": "html", "message": "

\ud83d\udd11 Password Changed

Password Successfully Updated

Your SecureVault password was changed on {{ $json.timestamp }}.

If you did not make this change, reset your password immediately and contact support.

Not you? Secure Account \u2192

SecureVault Security Team

", "options": {} }, "id": "email-pw-changed", "name": "Email: Password Changed", "type": "n8n-nodes-base.gmail", "typeVersion": 2.1, "position": [ 1180, 560 ], "credentials": { "gmailOAuth2": { "name": "" } } }, { "parameters": { "chatId": "={{ $env.ADMIN_TELEGRAM_CHAT_ID }}", "text": "{{ $json.severity === 'critical' ? '\ud83d\udd34' : '\u26a0\ufe0f' }} *SecureVault Security Alert*\n\n\ud83d\udccb Type: `{{ $json.alertType }}`\n\ud83d\udd12 Severity: *{{ $json.severity }}*\n\ud83d\udce7 Email: {{ $json.email }}\n\ud83c\udd94 User: {{ $json.userId }}\n\ud83d\udccd IP: {{ $json.ip }}\n\ud83d\udd50 Time: {{ $json.timestamp }}", "additionalFields": { "parse_mode": "Markdown" } }, "id": "telegram-alert", "name": "Telegram: Alert Admin", "type": "n8n-nodes-base.telegram", "typeVersion": 1.2, "position": [ 1180, 740 ], "credentials": { "telegramApi": { "name": "" } } }, { "parameters": { "operation": "executeQuery", "query": "INSERT INTO sv_security_alerts (execution_id, user_id, email, alert_type, severity, ip_address, created_at)\nVALUES ($1, $2, $3, $4, $5, $6, $7);", "options": { "queryReplacement": "={{ [$json.executionId, $json.userId, $json.email, $json.alertType, $json.severity, $json.ip, $json.timestamp] }}" } }, "id": "rds-alert", "name": "RDS: Log Alert", "type": "n8n-nodes-base.postgres", "typeVersion": 2.5, "position": [ 1440, 400 ], "credentials": { "postgres": { "name": "" } } }, { "parameters": { "documentId": { "__rl": true, "mode": "list", "value": "" }, "sheetName": { "__rl": true, "value": "Security Alerts" }, "columns": { "mappingMode": "defineBelow", "value": { "Timestamp": "={{ $json.timestamp }}", "AlertType": "={{ $json.alertType }}", "Severity": "={{ $json.severity }}", "Email": "={{ $json.email }}", "UserId": "={{ $json.userId }}", "IP": "={{ $json.ip }}", "Status": "active" } }, "options": {} }, "id": "sheets-alert", "name": "Sheets: Log Alert", "type": "n8n-nodes-base.googleSheets", "typeVersion": 4.5, "position": [ 1440, 600 ], "credentials": { "googleSheetsOAuth2Api": { "name": "" } } }, { "parameters": { "respondWith": "json", "responseBody": "={ \"status\": \"success\", \"message\": \"Alert processed.\" }", "options": { "responseCode": 200 } }, "id": "respond-alert", "name": "Respond: Alert Handled", "type": "n8n-nodes-base.respondToWebhook", "typeVersion": 1, "position": [ 1700, 400 ] } ], "connections": { "Security Alert Webhook": { "main": [ [ { "node": "Validate API Key", "type": "main", "index": 0 } ] ] }, "Validate API Key": { "main": [ [ { "node": "Parse Alert", "type": "main", "index": 0 } ], [ { "node": "Reject", "type": "main", "index": 0 } ] ] }, "Parse Alert": { "main": [ [ { "node": "Route Alert Type", "type": "main", "index": 0 }, { "node": "Telegram: Alert Admin", "type": "main", "index": 0 }, { "node": "RDS: Log Alert", "type": "main", "index": 0 }, { "node": "Sheets: Log Alert", "type": "main", "index": 0 } ] ] }, "Route Alert Type": { "main": [ [ { "node": "Email: 3x Failed Warning", "type": "main", "index": 0 } ], [ { "node": "Email: Account Locked", "type": "main", "index": 0 } ], [ { "node": "Email: Password Changed", "type": "main", "index": 0 } ], [ { "node": "Respond: Alert Handled", "type": "main", "index": 0 } ] ] }, "RDS: Log Alert": { "main": [ [ { "node": "Respond: Alert Handled", "type": "main", "index": 0 } ] ] }, "Email: 3x Failed Warning": { "main": [ [ { "node": "Respond: Alert Handled", "type": "main", "index": 0 } ] ] }, "Email: Account Locked": { "main": [ [ { "node": "Respond: Alert Handled", "type": "main", "index": 0 } ] ] }, "Email: Password Changed": { "main": [ [ { "node": "Respond: Alert Handled", "type": "main", "index": 0 } ] ] } }, "settings": { "executionOrder": "v1", "saveManualExecutions": true, "errorWorkflow": "WF8-error-monitor" }, "tags": [ { "name": "SecureVault" }, { "name": "Security" }, { "name": "Alerts" } ], "triggerCount": 1 }