{ "name": "X-n8 AI Analysis Workflow", "nodes": [ { "parameters": {}, "id": "start", "name": "Start", "type": "n8n-nodes-base.manualTrigger", "typeVersion": 1, "position": [ 250, 300 ] }, { "parameters": { "model": "gpt-4", "messages": { "values": [ { "content": "You are the X-n8 Triage Agent. Analyze the following security alert and provide a JSON response with severity_score (0-100), severity_label, confidence (0-1), is_true_positive, summary, mitre_tactics, mitre_techniques, recommended_actions, and escalate_to_xsoar boolean.\n\nAlert Data:\n{{ JSON.stringify($json, null, 2) }}" } ] }, "options": { "temperature": 0.3, "maxTokens": 1000 } }, "id": "openai-analysis", "name": "AI Triage", "type": "@n8n/n8n-nodes-langchain.openAi", "typeVersion": 1, "position": [ 450, 300 ] }, { "parameters": { "jsCode": "// Parse AI response and merge with original alert\nconst alert = $('Start').first().json;\nconst aiResponse = JSON.parse($input.first().json.message.content);\n\nreturn {\n json: {\n ...alert,\n xn8_metadata: {\n correlation_id: alert.alert_id,\n alert_count: 1,\n first_seen: alert.timestamp,\n last_seen: alert.timestamp,\n ai_summary: aiResponse.summary,\n ai_severity_score: aiResponse.severity_score,\n ai_confidence: aiResponse.confidence,\n recommended_actions: aiResponse.recommended_actions,\n mitre_mapping: aiResponse.mitre_techniques,\n is_true_positive: aiResponse.is_true_positive,\n escalate_to_xsoar: aiResponse.escalate_to_xsoar\n }\n }\n};" }, "id": "merge-analysis", "name": "Merge AI Analysis", "type": "n8n-nodes-base.code", "typeVersion": 2, "position": [ 650, 300 ] }, { "parameters": { "conditions": { "number": [ { "value1": "={{ $json.xn8_metadata.ai_severity_score }}", "operation": "largerEqual", "value2": 70 } ] } }, "id": "severity-router", "name": "Route by Severity", "type": "n8n-nodes-base.if", "typeVersion": 1, "position": [ 850, 300 ] }, { "parameters": { "method": "POST", "url": "={{ $env.XSOAR_URL }}/incident", "authentication": "genericCredentialType", "genericAuthType": "httpHeaderAuth", "sendBody": true, "bodyParameters": { "parameters": [ { "name": "name", "value": "={{ 'X-n8: ' + $json.event_type + ' - ' + ($json.entities.host || $json.entities.user || 'Unknown') }}" }, { "name": "severity", "value": "={{ $json.xn8_metadata.ai_severity_score >= 90 ? 4 : $json.xn8_metadata.ai_severity_score >= 70 ? 3 : 2 }}" }, { "name": "type", "value": "={{ $json.event_type }}" }, { "name": "rawJSON", "value": "={{ JSON.stringify($json) }}" } ] } }, "id": "xsoar-create-incident", "name": "Create XSOAR Incident", "type": "n8n-nodes-base.httpRequest", "typeVersion": 4, "position": [ 1050, 200 ] }, { "parameters": { "channel": "#soc-alerts", "text": ":warning: *Low/Medium Alert Auto-Closed*\n*Event:* {{ $json.event_type }}\n*Summary:* {{ $json.xn8_metadata.ai_summary }}\n*Score:* {{ $json.xn8_metadata.ai_severity_score }}/100" }, "id": "slack-notify", "name": "Notify Slack", "type": "n8n-nodes-base.slack", "typeVersion": 2, "position": [ 1050, 400 ] } ], "connections": { "Start": { "main": [ [ { "node": "AI Triage", "type": "main", "index": 0 } ] ] }, "AI Triage": { "main": [ [ { "node": "Merge AI Analysis", "type": "main", "index": 0 } ] ] }, "Merge AI Analysis": { "main": [ [ { "node": "Route by Severity", "type": "main", "index": 0 } ] ] }, "Route by Severity": { "main": [ [ { "node": "Create XSOAR Incident", "type": "main", "index": 0 } ], [ { "node": "Notify Slack", "type": "main", "index": 0 } ] ] } }, "settings": { "executionOrder": "v1" }, "tags": [ "x-n8", "core", "ai-analysis" ] }