Cheng Siong Chin This workflow corresponds to n8n.io template #13700 — we link there as the canonical source.
This workflow follows the Agent → Agenttool recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "VM-IiiZm7uZvmbPlnEzx1",
"name": "Intelligent abuse detection and enforcement coordination system",
"tags": [],
"nodes": [
{
"id": "6622d5cb-4630-467d-9a4b-91b7c9201028",
"name": "Abuse Signal Webhook",
"type": "n8n-nodes-base.webhook",
"position": [
-128,
480
],
"parameters": {
"path": "abuse-signal",
"options": {},
"httpMethod": "POST",
"responseMode": "responseNode"
},
"typeVersion": 2.1
},
{
"id": "d04b91db-4433-49fe-812e-e25c7c6b1750",
"name": "Workflow Configuration",
"type": "n8n-nodes-base.set",
"position": [
96,
480
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "id-1",
"name": "riskThresholdHigh",
"type": "number",
"value": 80
},
{
"id": "id-2",
"name": "riskThresholdMedium",
"type": "number",
"value": 50
},
{
"id": "id-3",
"name": "autoActionThreshold",
"type": "number",
"value": 30
},
{
"id": "id-4",
"name": "slackChannel",
"type": "string",
"value": "<__PLACEHOLDER_VALUE__Slack channel ID for security alerts__>"
},
{
"id": "id-5",
"name": "escalationEmail",
"type": "string",
"value": "<__PLACEHOLDER_VALUE__Email address for critical escalations__>"
}
]
},
"includeOtherFields": true
},
"typeVersion": 3.4
},
{
"id": "0ada2bf9-1ded-4b46-8835-dc5351e4a346",
"name": "Behavior Signal Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
320,
480
],
"parameters": {
"text": "={{ $json }}",
"options": {
"systemMessage": "You are a Behavior Signal Validation Agent specialized in analyzing abuse indicators and behavioral patterns.\n\nYour task is to:\n1. Validate the structure and completeness of incoming abuse signal data\n2. Extract key behavioral indicators (user ID, action type, frequency, severity markers)\n3. Identify patterns suggesting abuse (spam, harassment, fraud, policy violations)\n4. Calculate preliminary risk score (0-100) based on signal characteristics\n5. Classify severity level (CRITICAL, HIGH, MEDIUM, LOW)\n6. Flag signals requiring immediate investigation\n7. Provide reasoning for risk assessment\n\nConsider: action frequency, user history patterns, content analysis, policy violation types, and impact scope.\n\nReturn structured output with validated signals and risk classification."
},
"promptType": "define",
"hasOutputParser": true
},
"typeVersion": 3.1
},
{
"id": "11d3e909-f526-4bb8-a139-562bf636b9d5",
"name": "OpenAI Model - Behavior Agent",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
272,
704
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {},
"builtInTools": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.3
},
{
"id": "07107c1f-4f54-4496-aeb6-9ec44c652aa6",
"name": "Behavior Signal Output Parser",
"type": "@n8n/n8n-nodes-langchain.outputParserStructured",
"position": [
448,
704
],
"parameters": {
"jsonSchemaExample": "{\n \"userId\": \"unique user identifier\",\n \"signalType\": \"spam | harassment | fraud | policy_violation | other\",\n \"actionType\": \"specific action taken\",\n \"frequency\": \"number of occurrences\",\n \"riskScore\": 0,\n \"severityLevel\": \"CRITICAL | HIGH | MEDIUM | LOW\",\n \"indicators\": [\"list of specific abuse indicators detected\"],\n \"requiresInvestigation\": true,\n \"reasoning\": \"detailed explanation of risk assessment\",\n \"timestamp\": \"ISO timestamp\"\n}"
},
"typeVersion": 1.3
},
{
"id": "8021e348-3d4c-4423-b81a-e79b82fcf25b",
"name": "Route by Severity",
"type": "n8n-nodes-base.switch",
"position": [
688,
624
],
"parameters": {
"rules": {
"values": [
{
"outputKey": "Critical",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severityLevel }}",
"rightValue": "CRITICAL"
}
]
},
"renameOutput": true
},
{
"outputKey": "High",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severityLevel }}",
"rightValue": "HIGH"
}
]
},
"renameOutput": true
},
{
"outputKey": "Low Risk",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severityLevel }}",
"rightValue": "MEDIUM"
},
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severityLevel }}",
"rightValue": "LOW"
}
]
},
"renameOutput": true
}
]
},
"options": {
"fallbackOutput": "extra",
"renameFallbackOutput": "Unclassified"
}
},
"typeVersion": 3.4
},
{
"id": "7b7c1656-97bb-40dc-8f3d-cb50bb127169",
"name": "Governance Agent",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
1336,
416
],
"parameters": {
"text": "={{ $json }}",
"options": {
"systemMessage": "You are a Governance Coordination Agent responsible for orchestrating enforcement workflows for abuse cases.\n\nYour task is to:\n1. Assess enforcement requirements based on abuse severity and validated signals\n2. Coordinate specialized agent tools for investigation, risk scoring, and compliance checking\n3. Call Investigation Agent Tool for cases requiring deep pattern analysis\n4. Call Risk Scoring Agent Tool to refine risk assessment with additional context\n5. Call Policy Compliance Checker Tool to verify policy violations and enforcement rules\n6. Determine final enforcement action (warn, suspend, ban, escalate, monitor)\n7. Provide comprehensive reasoning for enforcement decisions\n8. Identify cases requiring human review or escalation\n\nConsider: abuse severity, user history, policy frameworks, investigation findings, and organizational risk tolerance.\n\nReturn structured enforcement action with detailed justification and coordination plan."
},
"promptType": "define",
"hasOutputParser": true
},
"typeVersion": 3.1
},
{
"id": "358c14cb-0fee-48d1-a988-c7e16a3f8bf9",
"name": "OpenAI Model - Governance Agent",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
912,
640
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {},
"builtInTools": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.3
},
{
"id": "b55430e1-a2d7-40f4-be4d-df803dc84d4c",
"name": "Governance Output Parser",
"type": "@n8n/n8n-nodes-langchain.outputParserStructured",
"position": [
1776,
640
],
"parameters": {
"jsonSchemaExample": "{\n \"enforcementAction\": \"warn | suspend | ban | escalate | monitor\",\n \"actionDuration\": \"duration if temporary action\",\n \"priority\": \"CRITICAL | HIGH | MEDIUM | LOW\",\n \"requiresHumanReview\": true,\n \"investigationFindings\": \"summary of investigation results\",\n \"refinedRiskScore\": 0,\n \"policyViolations\": [\"list of specific policy violations\"],\n \"coordinatedActions\": [\"list of actions taken by tools\"],\n \"reasoning\": \"detailed justification for enforcement decision\",\n \"escalationReason\": \"reason if escalation required\",\n \"timestamp\": \"ISO timestamp\"\n}"
},
"typeVersion": 1.3
},
{
"id": "9f29e875-9e65-4027-a965-26a911adb8a2",
"name": "Investigation Agent Tool",
"type": "@n8n/n8n-nodes-langchain.agentTool",
"position": [
1040,
640
],
"parameters": {
"text": "={{ $fromAI(\"abuseData\", \"Abuse signal data and behavioral indicators for investigation\", \"json\") }}",
"options": {
"systemMessage": "You are an Investigation Specialist Agent conducting deep analysis of abuse patterns and user behavior.\n\nYour task is to:\n1. Analyze behavioral patterns and abuse indicators\n2. Cross-reference user history and previous violations\n3. Examine action sequences and timing patterns\n4. Identify coordinated abuse or systematic violations\n5. Assess user intent and malicious behavior indicators\n6. Determine investigation findings and evidence quality\n7. Provide detailed investigation report with supporting evidence\n\nConsider: pattern clustering, temporal analysis, cross-user correlations, and policy violation severity.\n\nReturn structured investigation findings with evidence and recommendations."
},
"hasOutputParser": true,
"toolDescription": "Conducts deep investigation of abuse patterns including behavioral analysis, user history verification, and pattern detection"
},
"typeVersion": 3
},
{
"id": "4ee9fb2e-c2fd-4a0b-bd56-4b9e5b937d1a",
"name": "OpenAI Model - Investigation Tool",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
992,
848
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {},
"builtInTools": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.3
},
{
"id": "6e9b74d8-09e7-40e6-9e1e-f1066824fc65",
"name": "Investigation Output Parser",
"type": "@n8n/n8n-nodes-langchain.outputParserStructured",
"position": [
1168,
848
],
"parameters": {
"jsonSchemaExample": "{\n \"investigationStatus\": \"completed | requires_escalation\",\n \"behavioralPatterns\": [\"list of detected patterns\"],\n \"userHistory\": \"summary of user violation history\",\n \"evidenceQuality\": \"high | medium | low\",\n \"coordinatedAbuse\": true,\n \"maliciousIntent\": \"assessment of user intent\",\n \"findings\": \"detailed investigation findings\",\n \"recommendations\": [\"list of recommended actions\"]\n}"
},
"typeVersion": 1.3
},
{
"id": "41f435d3-60a5-4fdc-b1de-0cab8b32edd3",
"name": "Risk Scoring Agent Tool",
"type": "@n8n/n8n-nodes-langchain.agentTool",
"position": [
1328,
640
],
"parameters": {
"text": "={{ $fromAI(\"abuseData\", \"Abuse data and investigation findings for risk scoring\", \"json\") }}",
"options": {
"systemMessage": "You are a Risk Scoring Specialist Agent providing advanced risk assessment for abuse cases.\n\nYour task is to:\n1. Analyze abuse characteristics and investigation findings\n2. Apply multi-factor risk scoring model (severity, frequency, impact, user history)\n3. Weight risk factors based on organizational policies\n4. Calculate refined risk score (0-100) with confidence level\n5. Identify primary risk drivers and contributing factors\n6. Provide risk score justification and sensitivity analysis\n7. Recommend risk mitigation strategies\n\nConsider: abuse context, historical patterns, investigation evidence, and organizational risk thresholds.\n\nReturn structured risk assessment with detailed scoring breakdown."
},
"hasOutputParser": true,
"toolDescription": "Calculates refined risk scores using multi-factor analysis and investigation findings"
},
"typeVersion": 3
},
{
"id": "c81dc03d-2641-4d62-9bb9-5f299e626c16",
"name": "OpenAI Model - Risk Scoring Tool",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
1360,
848
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {},
"builtInTools": {}
},
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
},
"typeVersion": 1.3
},
{
"id": "fe37c063-d3c3-4897-9692-0e73a990def2",
"name": "Risk Scoring Output Parser",
"type": "@n8n/n8n-nodes-langchain.outputParserStructured",
"position": [
1552,
848
],
"parameters": {
"jsonSchemaExample": "{\n \"refinedRiskScore\": 0,\n \"confidenceLevel\": 0.95,\n \"riskLevel\": \"CRITICAL | HIGH | MEDIUM | LOW\",\n \"primaryRiskDrivers\": [\"list of main risk factors\"],\n \"riskFactorWeights\": {\"severity\": 0.4, \"frequency\": 0.3, \"impact\": 0.2, \"history\": 0.1},\n \"mitigationStrategies\": [\"list of recommended mitigation actions\"],\n \"reasoning\": \"detailed risk scoring justification\"\n}"
},
"typeVersion": 1.3
},
{
"id": "17e17765-a6d5-447d-86c4-ac4f3e3152be",
"name": "Policy Compliance Checker Tool",
"type": "@n8n/n8n-nodes-langchain.toolCode",
"position": [
1616,
640
],
"parameters": {
"jsCode": "const abuseData = $fromAI(\"abuseData\", \"Abuse case data for policy compliance verification\", \"json\");\nconst policyRules = $fromAI(\"policyRules\", \"Organizational policy rules for enforcement\", \"json\", {\"autoSuspendThreshold\": 3, \"autoBanThreshold\": 5, \"warningBeforeSuspend\": true});\n\ntry {\n const data = typeof abuseData === \"string\" ? JSON.parse(abuseData) : abuseData;\n const rules = typeof policyRules === \"string\" ? JSON.parse(policyRules) : policyRules;\n \n // Policy compliance checks\n const checks = {\n withinAutoSuspendThreshold: (data.violationCount || 0) < (rules.autoSuspendThreshold || 3),\n withinAutoBanThreshold: (data.violationCount || 0) < (rules.autoBanThreshold || 5),\n warningIssued: data.previousWarnings && data.previousWarnings.length > 0,\n requiresWarningFirst: rules.warningBeforeSuspend && !data.previousWarnings,\n severityCompliance: data.severityLevel !== \"CRITICAL\" || data.violationCount >= 1,\n noActiveAppeal: !data.activeAppeal || data.activeAppeal === false\n };\n \n const allChecksPassed = Object.values(checks).every(check => check === true);\n const failedChecks = Object.keys(checks).filter(key => checks[key] === false);\n \n // Determine recommended action based on policy\n let recommendedAction = \"monitor\";\n if (data.violationCount >= rules.autoBanThreshold) {\n recommendedAction = \"ban\";\n } else if (data.violationCount >= rules.autoSuspendThreshold) {\n recommendedAction = \"suspend\";\n } else if (data.severityLevel === \"CRITICAL\") {\n recommendedAction = \"escalate\";\n } else if (!data.previousWarnings || data.previousWarnings.length === 0) {\n recommendedAction = \"warn\";\n }\n \n const result = {\n complianceStatus: allChecksPassed ? \"COMPLIANT\" : \"NON_COMPLIANT\",\n checks: checks,\n failedChecks: failedChecks,\n policyViolations: failedChecks.map(check => `Failed: ${check}`),\n recommendedAction: recommendedAction,\n requiresHumanReview: !allChecksPassed || data.severityLevel === \"CRITICAL\",\n verificationDate: new Date().toISOString()\n };\n \n return JSON.stringify(result, null, 2);\n \n} catch (error) {\n return JSON.stringify({\n complianceStatus: \"ERROR\",\n error: \"Policy compliance check failed\",\n message: error.message\n });\n}",
"description": "Verifies policy compliance and checks abuse cases against organizational enforcement rules"
},
"typeVersion": 1.3
},
{
"id": "372e8e08-f9c5-4046-a149-0e02f3e5800c",
"name": "Prepare Enforcement Data",
"type": "n8n-nodes-base.code",
"position": [
1952,
416
],
"parameters": {
"jsCode": "const governanceOutput = $input.first().json;\nconst behaviorSignal = $(\"Behavior Signal Agent\").first().json;\nconst config = $(\"Workflow Configuration\").first().json;\n\n// Prepare comprehensive enforcement data\nconst enforcementData = {\n // Original signal data\n userId: behaviorSignal.userId,\n signalType: behaviorSignal.signalType,\n actionType: behaviorSignal.actionType,\n \n // Governance decision\n enforcementAction: governanceOutput.enforcementAction,\n actionDuration: governanceOutput.actionDuration,\n priority: governanceOutput.priority,\n \n // Risk assessment\n initialRiskScore: behaviorSignal.riskScore,\n refinedRiskScore: governanceOutput.refinedRiskScore,\n severityLevel: behaviorSignal.severityLevel,\n \n // Investigation and compliance\n investigationFindings: governanceOutput.investigationFindings,\n policyViolations: governanceOutput.policyViolations,\n coordinatedActions: governanceOutput.coordinatedActions,\n \n // Decision reasoning\n reasoning: governanceOutput.reasoning,\n requiresHumanReview: governanceOutput.requiresHumanReview,\n escalationReason: governanceOutput.escalationReason,\n \n // Metadata\n timestamp: new Date().toISOString(),\n workflowId: $workflow.id,\n executionId: $execution.id\n};\n\nreturn [{ json: enforcementData }];"
},
"typeVersion": 2
},
{
"id": "a7210b06-1249-4505-932d-c01fbe1b3708",
"name": "Route Enforcement Action",
"type": "n8n-nodes-base.switch",
"position": [
2176,
384
],
"parameters": {
"rules": {
"values": [
{
"outputKey": "Log Only",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.enforcementAction }}",
"rightValue": "monitor"
}
]
},
"renameOutput": true
},
{
"outputKey": "Alert Team",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.enforcementAction }}",
"rightValue": "warn"
},
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.enforcementAction }}",
"rightValue": "suspend"
}
]
},
"renameOutput": true
},
{
"outputKey": "Escalate",
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.enforcementAction }}",
"rightValue": "ban"
},
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.enforcementAction }}",
"rightValue": "escalate"
},
{
"operator": {
"type": "boolean",
"operation": "true"
},
"leftValue": "={{ $json.requiresHumanReview }}",
"rightValue": true
}
]
},
"renameOutput": true
}
]
},
"options": {
"fallbackOutput": "extra",
"renameFallbackOutput": "Default"
}
},
"typeVersion": 3.4
},
{
"id": "084c4a61-c3d3-4c76-b1e6-689eba75053b",
"name": "Log to Abuse Records",
"type": "n8n-nodes-base.dataTable",
"position": [
2400,
216
],
"parameters": {
"columns": {
"value": {
"userId": "={{ $json.userId }}",
"riskScore": "={{ $json.refinedRiskScore }}",
"timestamp": "={{ $json.timestamp }}",
"actionType": "={{ $json.actionType }}",
"signalType": "={{ $json.signalType }}",
"severityLevel": "={{ $json.severityLevel }}",
"enforcementAction": "={{ $json.enforcementAction }}"
},
"mappingMode": "defineBelow"
},
"options": {},
"dataTableId": {
"__rl": true,
"mode": "name",
"value": "AbuseRecords"
}
},
"typeVersion": 1.1
},
{
"id": "af5c831d-c980-4e03-b29c-223a7e7924d1",
"name": "Alert Security Team",
"type": "n8n-nodes-base.slack",
"position": [
2400,
408
],
"parameters": {
"text": "=\ud83d\udea8 *ABUSE ALERT - {{ $json.priority }} Priority*\n\n*User ID:* {{ $json.userId }}\n*Signal Type:* {{ $json.signalType }}\n*Enforcement Action:* {{ $json.enforcementAction }}\n*Severity:* {{ $json.severityLevel }}\n*Risk Score:* {{ $json.refinedRiskScore }}/100\n\n*Policy Violations:*\n{{ $json.policyViolations.join(\"\\n\u2022 \") }}\n\n*Investigation Findings:*\n{{ $json.investigationFindings }}\n\n*Coordinated Actions:*\n{{ $json.coordinatedActions.map((action, i) => `${i + 1}. ${action}`).join(\"\\n\") }}\n\n*Reasoning:*\n{{ $json.reasoning }}\n\n{{ $json.requiresHumanReview ? \"\u26a0\ufe0f *REQUIRES HUMAN REVIEW*\" : \"\" }}\n\n_Detected at {{ $json.timestamp }}_",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "={{ $('Workflow Configuration').first().json.slackChannel }}"
},
"otherOptions": {},
"authentication": "oAuth2"
},
"credentials": {
"slackOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 2.4
},
{
"id": "b5dec7ec-ac36-4ce9-8b92-cf21b213f344",
"name": "Send Escalation Email",
"type": "n8n-nodes-base.emailSend",
"position": [
2400,
608
],
"parameters": {
"html": "=<!DOCTYPE html>\n<html>\n<head>\n <style>\n body { font-family: Arial, sans-serif; line-height: 1.6; color: #333; }\n .container { max-width: 800px; margin: 0 auto; padding: 20px; }\n .header { background: {{ $json.priority === \"CRITICAL\" ? \"#dc3545\" : \"#fd7e14\" }}; color: white; padding: 30px; border-radius: 8px; margin-bottom: 30px; }\n .header h1 { margin: 0; font-size: 28px; }\n .section { background: #f8f9fa; padding: 20px; border-radius: 8px; margin-bottom: 20px; border-left: 4px solid {{ $json.priority === \"CRITICAL\" ? \"#dc3545\" : \"#fd7e14\" }}; }\n .section h2 { color: {{ $json.priority === \"CRITICAL\" ? \"#dc3545\" : \"#fd7e14\" }}; margin-top: 0; }\n .alert { background: #fff3cd; border-left: 4px solid #ffc107; padding: 15px; margin: 15px 0; border-radius: 4px; }\n table { width: 100%; border-collapse: collapse; }\n td { padding: 8px; border: 1px solid #ddd; }\n .label { font-weight: bold; background: #e9ecef; }\n </style>\n</head>\n<body>\n <div class=\"container\">\n <div class=\"header\">\n <h1>\ud83d\udea8 Abuse Escalation Required</h1>\n <p>{{ $json.priority }} Priority - Immediate Action Needed</p>\n </div>\n\n <div class=\"section\">\n <h2>Case Details</h2>\n <table>\n <tr><td class=\"label\">User ID:</td><td>{{ $json.userId }}</td></tr>\n <tr><td class=\"label\">Signal Type:</td><td>{{ $json.signalType }}</td></tr>\n <tr><td class=\"label\">Action Type:</td><td>{{ $json.actionType }}</td></tr>\n <tr><td class=\"label\">Enforcement Action:</td><td>{{ $json.enforcementAction }}</td></tr>\n <tr><td class=\"label\">Severity Level:</td><td>{{ $json.severityLevel }}</td></tr>\n <tr><td class=\"label\">Risk Score:</td><td>{{ $json.refinedRiskScore }}/100</td></tr>\n </table>\n </div>\n\n <div class=\"section\">\n <h2>Policy Violations</h2>\n <ul>\n {{ $json.policyViolations.map(v => `<li>${v}</li>`).join(\"\") }}\n </ul>\n </div>\n\n <div class=\"section\">\n <h2>Investigation Findings</h2>\n <p>{{ $json.investigationFindings }}</p>\n </div>\n\n <div class=\"section\">\n <h2>Coordinated Actions</h2>\n <ol>\n {{ $json.coordinatedActions.map(a => `<li>${a}</li>`).join(\"\") }}\n </ol>\n </div>\n\n <div class=\"section\">\n <h2>Decision Reasoning</h2>\n <p>{{ $json.reasoning }}</p>\n </div>\n\n {{ $json.escalationReason ? `<div class=\"alert\">\n <strong>\u26a0\ufe0f ESCALATION REASON:</strong><br>\n ${$json.escalationReason}\n </div>` : \"\" }}\n\n <p style=\"color: #666; font-size: 12px; margin-top: 30px;\">Generated: {{ $json.timestamp }}</p>\n </div>\n</body>\n</html>",
"options": {},
"subject": "={{ $json.priority }} Priority Abuse Escalation: {{ $json.userId }} - {{ $json.enforcementAction }}",
"toEmail": "={{ $('Workflow Configuration').first().json.escalationEmail }}",
"fromEmail": "<__PLACEHOLDER_VALUE__Sender email address__>"
},
"typeVersion": 2.1
},
{
"id": "b606545b-0c3f-44da-a1e9-7d87959879ab",
"name": "Log Enforcement Actions",
"type": "n8n-nodes-base.dataTable",
"position": [
2624,
576
],
"parameters": {
"columns": {
"value": {
"userId": "={{ $json.userId }}",
"priority": "={{ $json.priority }}",
"riskScore": "={{ $json.refinedRiskScore }}",
"timestamp": "={{ $json.timestamp }}",
"executionId": "={{ $json.executionId }}",
"severityLevel": "={{ $json.severityLevel }}",
"enforcementAction": "={{ $json.enforcementAction }}",
"requiresHumanReview": "={{ $json.requiresHumanReview }}"
},
"mappingMode": "defineBelow"
},
"options": {},
"dataTableId": {
"__rl": true,
"mode": "name",
"value": "EnforcementActions"
}
},
"typeVersion": 1.1
},
{
"id": "bbb53770-398c-4e5a-9fe3-8d0659db18b2",
"name": "Check Auto-Action Threshold",
"type": "n8n-nodes-base.if",
"position": [
2384,
832
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": false,
"typeValidation": "loose"
},
"combinator": "and",
"conditions": [
{
"id": "id-1",
"operator": {
"type": "number",
"operation": "lte"
},
"leftValue": "={{ $json.riskScore }}",
"rightValue": "={{ $('Workflow Configuration').first().json.autoActionThreshold }}"
}
]
}
},
"typeVersion": 2.3
},
{
"id": "8fc647dc-ba1b-4aa9-b2e1-5cc6cfe7b470",
"name": "Format Auto-Action",
"type": "n8n-nodes-base.set",
"position": [
2624,
784
],
"parameters": {
"options": {},
"assignments": {
"assignments": [
{
"id": "id-1",
"name": "userId",
"type": "string",
"value": "={{ $json.userId }}"
},
{
"id": "id-2",
"name": "enforcementAction",
"type": "string",
"value": "auto_monitor"
},
{
"id": "id-3",
"name": "priority",
"type": "string",
"value": "LOW"
},
{
"id": "id-4",
"name": "severityLevel",
"type": "string",
"value": "={{ $json.severityLevel }}"
},
{
"id": "id-5",
"name": "refinedRiskScore",
"type": "number",
"value": "={{ $json.riskScore }}"
},
{
"id": "id-6",
"name": "requiresHumanReview",
"type": "boolean",
"value": false
},
{
"id": "id-7",
"name": "timestamp",
"type": "string",
"value": "={{ $now.toISO() }}"
},
{
"id": "id-8",
"name": "executionId",
"type": "string",
"value": "={{ $execution.id }}"
}
]
}
},
"typeVersion": 3.4
},
{
"id": "8ef8bf39-1d09-4dca-a8bc-7df52881d228",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
1104,
-240
],
"parameters": {
"color": 4,
"width": 480,
"height": 384,
"content": "## Prerequisites\n- Slack workspace with bot token\n- Gmail or SMTP credentials\n- Google Sheets for abuse and enforcement logging\n## Use Cases\n- Real-time abuse detection and auto-suspension on social platforms\n## Customization\n- Replace OpenAI with Anthropic Claude or NVIDIA NIM models\n## Benefits\n- Eliminates manual abuse triage with real-time AI signal processing"
},
"typeVersion": 1
},
{
"id": "6c16542f-accf-4708-a5bc-f99c409b5060",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
656,
-96
],
"parameters": {
"width": 416,
"height": 256,
"content": "## Setup Steps\n1. Configure Abuse Signal Webhook URL and authenticate incoming POST requests.\n2. Add OpenAI API credentials to all OpenAI Model nodes.\n3. Connect Google Sheets for abuse records and enforcement action logging.\n4. Configure Slack credentials and set security team alert channel.\n5. Add Gmail/SMTP credentials to Send Escalation Email node."
},
"typeVersion": 1
},
{
"id": "69196459-3dab-467a-b3a8-8c52f21b13ad",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
0,
-128
],
"parameters": {
"width": 624,
"height": 272,
"content": "## How It Works\nThis workflow automates platform trust and safety operations by deploying a multi-agent AI system that detects abuse signals, investigates behaviour, scores risk, checks policy compliance, and enforces actions automatically. Designed for platform safety teams, content moderation managers, and compliance officers, it eliminates manual triage delays and ensures high-severity violations are actioned immediately. An abuse signal webhook triggers behaviour analysis via OpenAI, classifying signals by severity. A routing node directs cases to a Governance Agent, which orchestrates Investigation, Risk Scoring, and Policy Compliance Checker sub-agents. Enforcement data is prepared, then routed by action type-logging to abuse records, alerting the security team via Slack, sending escalation emails, or triggering auto-enforcement actions based on threshold checks\u2014before all outcomes are logged."
},
"typeVersion": 1
},
{
"id": "ab598d84-081f-421c-ac16-0c357f12c2fb",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
624,
304
],
"parameters": {
"color": 7,
"height": 800,
"content": "## Route by Severity\n**What** \u2013 Directs cases to appropriate paths.\n**Why** \u2013 Prevents low-priority signals from consuming enforcement resources."
},
"typeVersion": 1
},
{
"id": "2925a972-0556-48a5-a41f-17759fa22f7a",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
-176,
304
],
"parameters": {
"color": 7,
"width": 784,
"height": 800,
"content": "## Behavior Signal Agent\n**What** \u2013 Classifies abuse signals by severity using OpenAI.\n**Why** \u2013 Ensures accurate triage before routing to governance review."
},
"typeVersion": 1
},
{
"id": "91640067-1ee9-4dbb-95a6-beb7fcb22e9d",
"name": "Sticky Note5",
"type": "n8n-nodes-base.stickyNote",
"position": [
912,
288
],
"parameters": {
"color": 7,
"width": 976,
"height": 800,
"content": "## Governance Agent\n**What** \u2013 Orchestrates sub-agents.\n**Why** \u2013 Centralises enforcement logic for consistent, auditable decision-making."
},
"typeVersion": 1
},
{
"id": "d82feaea-ccb2-441e-9f27-7c9becd89f99",
"name": "Sticky Note6",
"type": "n8n-nodes-base.stickyNote",
"position": [
1920,
208
],
"parameters": {
"color": 7,
"width": 416,
"height": 880,
"content": "## Prepare & Route Enforcement Action\n**What** \u2013 Formats enforcement data and routes by action type.\n**Why** \u2013 Ensures each case receives the correct response\u2014log, alert, email, or auto-action."
},
"typeVersion": 1
},
{
"id": "095f2a93-3a35-4d2c-90d3-bb0a3cb6aa05",
"name": "Sticky Note8",
"type": "n8n-nodes-base.stickyNote",
"position": [
2352,
80
],
"parameters": {
"color": 7,
"width": 464,
"height": 1040,
"content": "## Auto-Action Threshold Check\n**What** \u2013 Evaluates whether automated enforcement should trigger.\n**Why** \u2013 Prevents over-enforcement while ensuring high-risk cases act without delay."
},
"typeVersion": 1
}
],
"active": false,
"settings": {
"availableInMCP": false,
"executionOrder": "v1"
},
"versionId": "92a071ea-b23c-4d5b-b3f3-a47105a2ec7d",
"connections": {
"Governance Agent": {
"main": [
[
{
"node": "Prepare Enforcement Data",
"type": "main",
"index": 0
}
]
]
},
"Route by Severity": {
"main": [
[
{
"node": "Governance Agent",
"type": "main",
"index": 0
}
],
[
{
"node": "Governance Agent",
"type": "main",
"index": 0
}
],
[
{
"node": "Check Auto-Action Threshold",
"type": "main",
"index": 0
}
]
]
},
"Format Auto-Action": {
"main": [
[
{
"node": "Log Enforcement Actions",
"type": "main",
"index": 0
}
]
]
},
"Alert Security Team": {
"main": [
[
{
"node": "Log Enforcement Actions",
"type": "main",
"index": 0
}
]
]
},
"Abuse Signal Webhook": {
"main": [
[
{
"node": "Workflow Configuration",
"type": "main",
"index": 0
}
]
]
},
"Log to Abuse Records": {
"main": [
[
{
"node": "Log Enforcement Actions",
"type": "main",
"index": 0
}
]
]
},
"Behavior Signal Agent": {
"main": [
[
{
"node": "Route by Severity",
"type": "main",
"index": 0
}
]
]
},
"Send Escalation Email": {
"main": [
[
{
"node": "Log Enforcement Actions",
"type": "main",
"index": 0
}
]
]
},
"Workflow Configuration": {
"main": [
[
{
"node": "Behavior Signal Agent",
"type": "main",
"index": 0
}
]
]
},
"Risk Scoring Agent Tool": {
"ai_tool": [
[
{
"node": "Governance Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"Governance Output Parser": {
"ai_outputParser": [
[
{
"node": "Governance Agent",
"type": "ai_outputParser",
"index": 0
}
]
]
},
"Investigation Agent Tool": {
"ai_tool": [
[
{
"node": "Governance Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"Prepare Enforcement Data": {
"main": [
[
{
"node": "Route Enforcement Action",
"type": "main",
"index": 0
}
]
]
},
"Route Enforcement Action": {
"main": [
[
{
"node": "Log to Abuse Records",
"type": "main",
"index": 0
}
],
[
{
"node": "Alert Security Team",
"type": "main",
"index": 0
}
],
[
{
"node": "Send Escalation Email",
"type": "main",
"index": 0
}
]
]
},
"Risk Scoring Output Parser": {
"ai_outputParser": [
[
{
"node": "Risk Scoring Agent Tool",
"type": "ai_outputParser",
"index": 0
}
]
]
},
"Check Auto-Action Threshold": {
"main": [
[
{
"node": "Format Auto-Action",
"type": "main",
"index": 0
}
],
[
{
"node": "Log Enforcement Actions",
"type": "main",
"index": 0
}
]
]
},
"Investigation Output Parser": {
"ai_outputParser": [
[
{
"node": "Investigation Agent Tool",
"type": "ai_outputParser",
"index": 0
}
]
]
},
"Behavior Signal Output Parser": {
"ai_outputParser": [
[
{
"node": "Behavior Signal Agent",
"type": "ai_outputParser",
"index": 0
}
]
]
},
"OpenAI Model - Behavior Agent": {
"ai_languageModel": [
[
{
"node": "Behavior Signal Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Policy Compliance Checker Tool": {
"ai_tool": [
[
{
"node": "Governance Agent",
"type": "ai_tool",
"index": 0
}
]
]
},
"OpenAI Model - Governance Agent": {
"ai_languageModel": [
[
{
"node": "Governance Agent",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"OpenAI Model - Risk Scoring Tool": {
"ai_languageModel": [
[
{
"node": "Risk Scoring Agent Tool",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"OpenAI Model - Investigation Tool": {
"ai_languageModel": [
[
{
"node": "Investigation Agent Tool",
"type": "ai_languageModel",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
openAiApislackOAuth2Api
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
About this workflow
This workflow automates platform trust and safety operations by deploying a multi-agent AI system that detects abuse signals, investigates behaviour, scores risk, checks policy compliance, and enforces actions automatically. Designed for platform safety teams, content moderation…
Source: https://n8n.io/workflows/13700/ — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
This workflow transforms natural language queries into research reports through a five-stage AI pipeline. When triggered via webhook (typically from Google Sheets using the companion [](https://gist.g
Redis, Agent, Output Parser Structured +7
This workflow automates enterprise compliance governance using a multi-agent AI architecture. It targets compliance officers, legal teams, and risk managers who need continuous, jurisdiction-aware mon
Agent, OpenAI Chat, Memory Buffer Window +8
This workflow automates end-to-end AI-driven content moderation for platforms managing user-generated content, including marketplaces, communities, and enterprise systems. It is designed for product,
Agent, OpenAI Chat, Output Parser Structured +4
This workflow automates student academic advising by deploying a multi-agent AI system that triages student queries, routes them intelligently, and escalates when human intervention is needed. Designe
Agent, OpenAI Chat, Output Parser Structured +3
This workflow automates comprehensive data validation and regulatory compliance reporting through intelligent AI-driven analysis. Designed for compliance officers, data governance teams, and regulator
Agent, Agent Tool, Anthropic Chat +5