This workflow corresponds to n8n.io template #6296 — we link there as the canonical source.
This workflow follows the Agent → HTTP Request recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, replace the placeholder webhook path and Telegram chat ID, add your credentials, and activate. Full import guide →
{
"id": "yFPHgzz31QViOb19",
"name": "AI SOC SOPHOS",
"tags": [],
"nodes": [
{
"id": "67fbedd3-c1f2-4efb-9b98-769eb9fe07ad",
"name": "Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
-240,
-180
],
"parameters": {
"path": "replace-with-your-webhook-path",
"options": {},
"httpMethod": "POST"
},
"typeVersion": 2
},
{
"id": "d6ac962c-f117-468b-867d-0f4943742cbd",
"name": "If",
"type": "n8n-nodes-base.if",
"position": [
-20,
-180
],
"parameters": {
"options": {},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"id": "9ed981f2-c77a-4a3b-bf57-d5a9d93708f8",
"operator": {
"type": "string",
"operation": "regex"
},
"leftValue": "={{ $json.body.event.severity }}",
"rightValue": "high|critical"
},
{
"id": "fd811333-cce8-499b-bd27-411cec0641e2",
"operator": {
"type": "string",
"operation": "contains"
},
"leftValue": "={{ $json.body.event.type }}",
"rightValue": "Event::Endpoint::Threat"
},
{
"id": "872198a1-0a59-482d-b5f9-4c2ffd48dcdc",
"operator": {
"type": "string",
"operation": "contains"
},
"leftValue": "={{ $json.body.event.type }}",
"rightValue": "Event::Endpoint::WebControlViolation"
},
{
"id": "f472f90d-ce54-456b-958f-ebb5af4ad70b",
"operator": {
"type": "string",
"operation": "contains"
},
"leftValue": "={{ $json.body.event.type }}",
"rightValue": "Event::Endpoint::WebFilteringBlocked"
}
]
}
},
"typeVersion": 2.2
},
{
"id": "5fc88577-6634-4a19-812d-af5b9698686a",
"name": "Google Gemini Chat Model",
"type": "@n8n/n8n-nodes-langchain.lmChatGoogleGemini",
"position": [
880,
40
],
"parameters": {
"options": {}
},
"typeVersion": 1
},
{
"id": "206432d6-e7d3-438e-95ad-afdbaf412b41",
"name": "Send a text message",
"type": "n8n-nodes-base.telegram",
"position": [
1220,
-180
],
"parameters": {
"text": "=\ud83d\udea8 *PERINGATAN KEAMANAN {{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).risk_level.toUpperCase() }}* \ud83d\udea8\n\n*Ancaman Terdeteksi:* `{{ $('Webhook').item.json.body.event.name }}`\n\n_{{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).summary }}_\n\n*Laporan VirusTotal ({{ $('Code').item.json.indicator_value }}):*\nDideteksi oleh {{ $('For_Gemini_Prompt').item.json.totalFlags }} mesin keamanan. Vendor yang menandai:\n{{ $node[\"For_Gemini_Prompt\"].json.vendorsListText }}\n\n*\u2699\ufe0f Rekomendasi Mitigasi (oleh Gemini AI):*\n{{ JSON.parse($node[\"AI Agent\"].json.output.match(/{[\\s\\S]*}/)[0]).mitigation_steps.map((step, index) => `${index + 1}. ${step}`).join('\\n') }}",
"chatId": "YOUR_CHAT_ID",
"additionalFields": {}
},
"typeVersion": 1.2
},
{
"id": "c434340f-dbf1-43d9-91a7-9dc0dd1d8fbe",
"name": "Code",
"type": "n8n-nodes-base.code",
"position": [
200,
-180
],
"parameters": {
"jsCode": "// Mengambil data event dari input\nconst event = $input.item.json.body.event;\n\n// Fungsi baru untuk mengekstrak DOMAIN dari dalam field 'name'\nconst extractDomainFromName = (nameField) => {\n \u00a0if (!nameField || typeof nameField !== 'string') { return null; }\n \u00a0// Memecah teks berdasarkan karakter '\"'\n \u00a0const parts = nameField.split('\"');\n \u00a0// Domain biasanya adalah bagian kedua (indeks 1)\n \u00a0if (parts.length >= 2) {\n \u00a0 \u00a0const potentialDomain = parts[1];\n \u00a0 \u00a0// Cek sederhana, jika mengandung titik, kita anggap itu domain\n \u00a0 \u00a0if (potentialDomain.includes('.')) {\n \u00a0 \u00a0 \u00a0return potentialDomain;\n \u00a0 \u00a0}\n \u00a0}\n \u00a0return null;\n};\n\n// Coba ekstrak domain dari field 'name'\nconst domainFromName = extractDomainFromName(event.name);\n\nlet finalUrl = \"\";\nlet indicatorType = \"\";\nlet indicatorValue = \"\";\n\n// --- LOGIKA PRIORITAS BARU ---\n\n// 1. Cek hash file\nif (event?.data?.sha256) {\n \u00a0indicatorType = \"file\";\n \u00a0indicatorValue = event.data.sha256;\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/files/${indicatorValue}`;\n} \n// 2. Cek DOMAIN (bukan URL lagi)\nelse if (domainFromName) {\n \u00a0indicatorType = \"domain\";\n \u00a0indicatorValue = domainFromName;\n \u00a0// Menggunakan endpoint DOMAIN di VirusTotal\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/domains/${indicatorValue}`;\n}\n// 3. 
Cek Alamat IP\nelse if (event?.source_ip) {\n \u00a0indicatorType = \"ip\";\n \u00a0indicatorValue = event.source_ip;\n \u00a0finalUrl = `https://www.virustotal.com/api/v3/ip_addresses/${indicatorValue}`;\n}\n\n// Pastikan kita punya URL untuk diperiksa\nif (!finalUrl) {\n \u00a0throw new Error(\"Tidak ada indikator (sha256, domain, atau source_ip) yang ditemukan.\");\n}\n\n// Kembalikan objek terstruktur untuk digunakan di node selanjutnya\nreturn {\n \u00a0url_to_check: finalUrl,\n \u00a0indicator_type: indicatorType,\n \u00a0indicator_value: indicatorValue\n};"
},
"typeVersion": 2
},
{
"id": "cab1af6a-bc38-4148-af28-cb16c289b631",
"name": "AI Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
860,
-180
],
"parameters": {
"text": "=Anda adalah seorang Analis Keamanan Jaringan Senior yang sangat teliti dan berbasis fakta juga mendalami Security Operation Center (SOC).\n\nPENTING: Gunakan HANYA data yang tersedia dari log dan data reputasi. Jangan menambahkan, mengubah, atau mengasumsikan detail seperti alamat IP, Url, maupun Sha256. Selalu gunakan alamat IP, Url, maupun Sha256 yang sama persis seperti yang tertera di input.\n\nAnalisis data event IPS dari FortiGate dan data reputasi IP dari VirusTotal berikut.\n\nData Log Sophos:\n{{ $('If').item.json.body }}\n\nData Reputasi VirusTotal untuk{{ $('Code').item.json.indicator_value }} :\n{{ JSON.stringify($node[\"Virus_Total\"].json.data.attributes.last_analysis_stats) }}\n\nTugas Anda: Berikan output HANYA dalam format JSON yang valid dengan kunci berikut:\n- \"event\" : {{ $('If').item.json.body.event.name }}\n- \"summary\": Ringkasan insiden dalam 1-2 kalimat singkat.\n- \"risk_level\": {{ $('Webhook').item.json.body.event.severity }} dan Pilih salah satu: 'Kritis', 'Tinggi'.\n- \"ip_reputation, url atau sha256\": Deskripsi singkat reputasi berdasarkan data VirusTotal{{ $json.vendorsListText \u00a0}}{{ $json.reputationSummaryForGemini }}.\n- \"affected_internal_ip\": Ulangi nilai \"{{ $('Webhook').item.json.body.event.source_info.ip }} dengan User {{ $('Webhook').item.json.body.event.suser }} dan host pc {{ $('Webhook').item.json.body.event.dhost }}\" dari \"Data Log Sophos\" di sini tanpa perubahan.\n- \"mitigation_steps\": Array of strings berisi 3 rekomendasi utama yang spesifik dan bisa dijalankan.",
"options": {},
"promptType": "define"
},
"typeVersion": 2
},
{
"id": "461d4e12-c62c-49ac-8fe1-f687d993de20",
"name": "For_Gemini_Prompt",
"type": "n8n-nodes-base.code",
"position": [
640,
-180
],
"parameters": {
"jsCode": "// KODE UNTUK NODE \"Format Hasil VT\"\n\n// Mengambil output JSON dari node VirusTotal sebelumnya\nconst vtData = $input.item.json;\nconst detailedResults = vtData.data?.attributes?.last_analysis_results || {};\n\nconst flaggingVendors = [];\nlet totalFlags = 0;\n\n// Loop melalui setiap hasil vendor\nfor (const vendor in detailedResults) {\n \u00a0const result = detailedResults[vendor];\n \u00a0// Cek jika kategori-nya berbahaya atau mencurigakan\n \u00a0if (result.category === 'malicious' || result.category === 'suspicious') {\n \u00a0 \u00a0totalFlags++;\n \u00a0 \u00a0// Format: - `NamaVendor`: *malicious*\n \u00a0 \u00a0flaggingVendors.push(`- \\`${vendor}\\`: *${result.category}*`);\n \u00a0}\n}\n\n// Buat teks daftar vendor, atau pesan default jika kosong\nconst vendorsListText = flaggingVendors.length > 0\n \u00a0? flaggingVendors.join('\\n')\n \u00a0: \"Tidak ada vendor yang menandai sebagai berbahaya.\";\n\n// Buat ringkasan singkat untuk dikirim ke Gemini\nconst reputationSummaryForGemini = `Indikator ini ditandai sebagai berbahaya/mencurigakan oleh ${totalFlags} vendor keamanan di VirusTotal.`;\n\n// Kembalikan semua data yang sudah diformat\nreturn {\n \u00a0vendorsListText: vendorsListText,\n \u00a0reputationSummaryForGemini: reputationSummaryForGemini,\n \u00a0totalFlags: totalFlags\n};"
},
"typeVersion": 2
},
{
"id": "0a97c373-db22-4ec4-ab40-b4992bf9ef2f",
"name": "Virus_Total",
"type": "n8n-nodes-base.httpRequest",
"position": [
420,
-180
],
"parameters": {
"url": "={{ $json.url_to_check }}",
"options": {},
"authentication": "genericCredentialType",
"genericAuthType": "httpHeaderAuth"
},
"typeVersion": 4.2
},
{
"id": "6a6b3013-bf04-4f30-9e6d-0d790e451c38",
"name": "Simple Memory",
"type": "@n8n/n8n-nodes-langchain.memoryBufferWindow",
"position": [
1000,
40
],
"parameters": {
"sessionKey": "={{ $('Webhook').item.json.body.event.customer_id }}",
"sessionIdType": "customKey"
},
"typeVersion": 1.3
}
],
"active": true,
"settings": {
"executionOrder": "v1"
},
"connections": {
"If": {
"main": [
[
{
"node": "Code",
"type": "main",
"index": 0
}
]
]
},
"Code": {
"main": [
[
{
"node": "Virus_Total",
"type": "main",
"index": 0
}
]
]
},
"Webhook": {
"main": [
[
{
"node": "If",
"type": "main",
"index": 0
}
]
]
},
"AI Agent": {
"main": [
[
{
"node": "Send a text message",
"type": "main",
"index": 0
}
]
]
},
"Virus_Total": {
"main": [
[
{
"node": "For_Gemini_Prompt",
"type": "main",
"index": 0
}
]
]
},
"Simple Memory": {
"ai_memory": [
[
{
"node": "AI Agent",
"type": "ai_memory",
"index": 0
}
]
]
},
"For_Gemini_Prompt": {
"main": [
[
{
"node": "AI Agent",
"type": "main",
"index": 0
}
]
]
},
"Google Gemini Chat Model": {
"ai_languageModel": [
[
{
"node": "AI Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
}
}
}
About this workflow
This workflow automates the analysis of security alerts from Sophos Central, turning raw events into actionable intelligence. It uses the official Sophos SIEM integration tool to fetch data, enriches it with VirusTotal, and leverages Google Gemini to provide a real-time threat…
Source: https://n8n.io/workflows/6296/ — original creator credit. Request a take-down →