The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate.
{
"name": "AI Alert Triage Workflow",
"meta": {
"description": "AI-powered alert triage that analyzes security alerts, assigns priority scores, maps to MITRE ATT&CK, and routes critical alerts to dedicated Slack channels.",
"version": "1.0.0",
"author": "AI for the Win",
"disclaimer": "EXAMPLE TEMPLATE - Configure credentials and test before production use"
},
"nodes": [
{
"parameters": {
"httpMethod": "POST",
"path": "alert-triage",
"responseMode": "responseNode",
"options": {}
},
"id": "webhook",
"name": "Alert Webhook",
"type": "n8n-nodes-base.webhook",
"typeVersion": 1,
"position": [
250,
300
]
},
{
"parameters": {
"model": "claude-sonnet-4-20250514",
"prompt": "You are a security alert triage analyst. Analyze the following alert and provide:\n\n1. Priority Score (1-10, where 10 is most critical)\n2. Classification (True Positive Likely, False Positive Likely, Needs Investigation)\n3. Brief explanation (2-3 sentences)\n4. Recommended immediate actions\n5. MITRE ATT&CK techniques if applicable\n\nAlert Data:\n{{ JSON.stringify($json) }}\n\nRespond in JSON format:\n{\n \"priority\": <number>,\n \"classification\": \"<string>\",\n \"explanation\": \"<string>\",\n \"actions\": [\"<action1>\", \"<action2>\"],\n \"mitre_techniques\": [\"<technique_id>\"]\n}"
},
"id": "ai-triage",
"name": "AI Triage",
"type": "n8n-nodes-base.anthropic",
"typeVersion": 1,
"position": [
450,
300
]
},
{
"parameters": {
"conditions": {
"number": [
{
"value1": "={{ JSON.parse($json.content).priority }}",
"operation": "largerEqual",
"value2": 8
}
]
}
},
"id": "check-priority",
"name": "High Priority?",
"type": "n8n-nodes-base.if",
"typeVersion": 1,
"position": [
650,
300
]
},
{
"parameters": {
"channel": "#security-critical",
"text": ":rotating_light: *HIGH PRIORITY ALERT*\n\n*Alert:* {{ $node['Alert Webhook'].json.title }}\n*Source:* {{ $node['Alert Webhook'].json.source }}\n\n*AI Analysis:*\n{{ $node['AI Triage'].json.content }}\n\n<@oncall-security> Please investigate immediately."
},
"id": "slack-critical",
"name": "Slack Critical",
"type": "n8n-nodes-base.slack",
"typeVersion": 1,
"position": [
850,
200
]
},
{
"parameters": {
"channel": "#security-alerts",
"text": ":warning: *Alert Triaged*\n\n*Alert:* {{ $node['Alert Webhook'].json.title }}\n\n*AI Analysis:*\n{{ $node['AI Triage'].json.content }}"
},
"id": "slack-normal",
"name": "Slack Normal",
"type": "n8n-nodes-base.slack",
"typeVersion": 1,
"position": [
850,
400
]
},
{
"parameters": {
"respondWith": "json",
"responseBody": "={{ JSON.stringify({ triaged: true, analysis: JSON.parse($node['AI Triage'].json.content) }) }}"
},
"id": "response",
"name": "Respond",
"type": "n8n-nodes-base.respondToWebhook",
"typeVersion": 1,
"position": [
1050,
300
]
}
],
"connections": {
"Alert Webhook": {
"main": [
[
{
"node": "AI Triage",
"type": "main",
"index": 0
}
]
]
},
"AI Triage": {
"main": [
[
{
"node": "High Priority?",
"type": "main",
"index": 0
}
]
]
},
"High Priority?": {
"main": [
[
{
"node": "Slack Critical",
"type": "main",
"index": 0
}
],
[
{
"node": "Slack Normal",
"type": "main",
"index": 0
}
]
]
},
"Slack Critical": {
"main": [
[
{
"node": "Respond",
"type": "main",
"index": 0
}
]
]
},
"Slack Normal": {
"main": [
[
{
"node": "Respond",
"type": "main",
"index": 0
}
]
]
}
}
}
About this workflow
AI Alert Triage Workflow. Uses anthropic, slack. Webhook trigger; 6 nodes.
Source: https://github.com/depalmar/ai_for_the_win/blob/9127650cefbcf902051de7dc2df13af1961ca4f5/templates/n8n/alert_triage_workflow.json — original creator credit.