This workflow corresponds to n8n.io template #10591 — we link there as the canonical source.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate.
{
"id": "1dSFJgL340NlOBkh",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "Cybersecurity Threat Detection & Alert",
"tags": [],
"nodes": [
{
"id": "b20161b9-009c-4670-9563-377582851b77",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
-1152,
96
],
"parameters": {
"width": 800,
"height": 800,
"content": "## Real-time threat detection & incident response\n\nScans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. Detected threats are scored by severity \u2014 critical and high issues trigger immediate multi-channel alerts and incident tickets, while medium and low threats are logged for trend analysis. Every scan closes with an executive summary posted to Slack.\n\n## How it works\n\n1. **Collect** \u2014 Fetches network logs from SIEM, vulnerability scan results, and external threat intel feeds in parallel\n2. **Merge & analyze** \u2014 Combines all data, then detects brute force attacks, malware, critical CVEs, suspicious traffic, and IOC matches\n3. **Route by severity** \u2014 Critical/High threats go to immediate alerting; Medium/Low are logged to the database\n4. **Alert** \u2014 Sends Slack alert, detailed email to SOC, creates a PagerDuty incident, and opens a ticket\n5. **Log** \u2014 Stores Medium/Low threats to SIEM and PostgreSQL for audit trail\n6. **Report** \u2014 Merges all paths and posts a scan summary to the Slack monitoring channel\n\n## Setup steps\n\n1. **SIEM** \u2014 Replace `your-siem-system.com` with your SIEM endpoint in both the log fetch and log write nodes\n2. **Vulnerability scanner** \u2014 Update the scanner URL and replace `YOUR_API_KEY` with your credentials\n3. **Threat intel** \u2014 Add your API key to the threat intelligence feed node header\n4. **PagerDuty** \u2014 Replace `YOUR_PAGERDUTY_KEY` and `YOUR_SERVICE_ID` in the PagerDuty node\n5. **Ticketing** \u2014 Update the ticket URL to your Jira or ServiceNow instance and add `YOUR_TICKET_API_KEY`\n6. **Slack** \u2014 Set the correct channel IDs in both Slack nodes (alerts channel and monitoring channel)\n7. **Email** \u2014 Configure SMTP credentials; update `from` and `to` addresses in the email node\n8. **PostgreSQL** \u2014 Ensure a `threat_log` table exists with columns: severity, type, description, timestamp, action_required"
},
"typeVersion": 1
},
{
"id": "7c9fbfd3-9663-4ad2-84d2-2dc19cf804da",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
-176,
144
],
"parameters": {
"color": 4,
"width": 440,
"height": 876,
"content": "## 1. Data collection\n\nTriggers every 15 minutes and fetches network logs, vulnerability scan results, and external threat intelligence feeds in parallel before merging them for analysis."
},
"typeVersion": 1
},
{
"id": "34565425-c656-4881-928d-32f678ac9cdf",
"name": "Sticky Note2",
"type": "n8n-nodes-base.stickyNote",
"position": [
304,
352
],
"parameters": {
"color": 4,
"width": 436,
"height": 460,
"content": "## 2. Threat analysis\n\nMerges all collected data and runs detection logic to identify brute force attacks, malware signatures, critical vulnerabilities, suspicious traffic patterns, and IOC matches. Each threat is tagged with a severity level."
},
"typeVersion": 1
},
{
"id": "d929174b-463e-4376-89f0-5a63f282b7f8",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
800,
256
],
"parameters": {
"color": 4,
"width": 640,
"height": 860,
"content": "## 3. Alert & remediate\n\nCritical and High threats trigger a Slack alert, a detailed SOC email, a PagerDuty incident, and an incident ticket. Medium and Low threats are logged to SIEM and stored in PostgreSQL."
},
"typeVersion": 1
},
{
"id": "0a3e7f2b-d06f-45fb-a8dd-33125071246a",
"name": "Sticky Note4",
"type": "n8n-nodes-base.stickyNote",
"position": [
1488,
336
],
"parameters": {
"color": 4,
"width": 764,
"height": 524,
"content": "## 4. Summary report\n\nAll paths merge and a scan summary \u2014 total threats by severity and type \u2014 is posted to the Slack monitoring channel after every run."
},
"typeVersion": 1
},
{
"id": "5633b4a5-b9cf-44ea-99ea-0dad8156574c",
"name": "Schedule Trigger - Every 15 Minutes",
"type": "n8n-nodes-base.scheduleTrigger",
"position": [
-144,
496
],
"parameters": {
"rule": {
"interval": [
{
"field": "minutes",
"minutesInterval": 15
}
]
}
},
"typeVersion": 1.2
},
{
"id": "9de6147c-8a55-4613-913a-604093822d75",
"name": "Fetch Network Logs",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
384
],
"parameters": {
"url": "https://your-siem-system.com/api/logs",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "time_range",
"value": "15m"
},
{
"name": "log_types",
"value": "firewall,ids,auth"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "14354e5f-bb8c-4fa7-852c-d82621fc03bd",
"name": "Fetch Vulnerability Scan Results",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
592
],
"parameters": {
"url": "https://your-vulnerability-scanner.com/api/scan",
"method": "POST",
"options": {},
"sendBody": true,
"sendHeaders": true,
"bodyParameters": {
"parameters": [
{
"name": "scan_type",
"value": "quick"
},
{
"name": "targets",
"value": "internal_network"
}
]
},
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "e6b1d20e-48e5-435f-bc96-621f95c6d1a5",
"name": "Fetch Threat Intelligence Feed",
"type": "n8n-nodes-base.httpRequest",
"position": [
96,
784
],
"parameters": {
"url": "https://api.threatintel.com/v1/threats/recent",
"options": {},
"sendHeaders": true,
"headerParameters": {
"parameters": [
{
"name": "X-API-Key",
"value": "YOUR_THREAT_INTEL_KEY"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "52a555e8-19c0-4cc5-99a3-e780ac8cbc7e",
"name": "Merge All Threat Data",
"type": "n8n-nodes-base.merge",
"position": [
352,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "2c8301ec-fa9a-4a4e-a7aa-f26357b26cef",
"name": "Analyze & Detect Threats",
"type": "n8n-nodes-base.code",
"position": [
608,
592
],
"parameters": {
"jsCode": "// Threat Detection Logic\nconst items = $input.all();\nconst threats = [];\n\nfor (const item of items) {\n const data = item.json;\n \n // Check for failed login attempts (Brute Force)\n if (data.failed_logins && data.failed_logins > 10) {\n threats.push({\n severity: 'HIGH',\n type: 'Brute Force Attack',\n source: data.source_ip || 'Unknown',\n description: `${data.failed_logins} failed login attempts detected`,\n timestamp: new Date().toISOString(),\n action_required: 'Block IP and notify SOC'\n });\n }\n \n // Check for critical vulnerabilities\n if (data.vulnerabilities) {\n const criticalVulns = data.vulnerabilities.filter(v => v.severity === 'CRITICAL');\n if (criticalVulns.length > 0) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Critical Vulnerability Detected',\n affected_systems: data.hostname || 'Multiple systems',\n description: `${criticalVulns.length} critical vulnerabilities found`,\n timestamp: new Date().toISOString(),\n action_required: 'Immediate patching required'\n });\n }\n }\n \n // Check for suspicious traffic patterns\n if (data.traffic_volume && data.traffic_volume > 10000) {\n threats.push({\n severity: 'MEDIUM',\n type: 'Suspicious Traffic Pattern',\n source: data.source_ip || 'Unknown',\n description: `Abnormal traffic volume: ${data.traffic_volume} requests`,\n timestamp: new Date().toISOString(),\n action_required: 'Investigate and monitor'\n });\n }\n \n // Check for malware signatures\n if (data.malware_detected === true) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Malware Detection',\n affected_systems: data.hostname || 'Unknown',\n description: `Malware signature: ${data.malware_name || 'Unknown'}`,\n timestamp: new Date().toISOString(),\n action_required: 'Isolate system immediately'\n });\n }\n \n // Check threat intelligence matches\n if (data.ioc_match === true) {\n threats.push({\n severity: 'HIGH',\n type: 'IOC Match',\n indicator: data.indicator || 'Unknown',\n description: `Known threat indicator detected: ${data.indicator_type}`,\n timestamp: new Date().toISOString(),\n action_required: 'Block and investigate'\n });\n }\n}\n\nreturn threats.map(threat => ({ json: threat }));"
},
"typeVersion": 2
},
{
"id": "e9494946-bdcd-41a9-b685-86cb6c5ddfd4",
"name": "Check Threat Severity",
"type": "n8n-nodes-base.if",
"position": [
848,
592
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": true,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"id": "condition-1",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "CRITICAL"
},
{
"id": "condition-2",
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.severity }}",
"rightValue": "HIGH"
}
]
}
},
"typeVersion": 2
},
{
"id": "9c1414b8-f5cc-47da-a9de-909901adb984",
"name": "Send Slack Alert - Critical",
"type": "n8n-nodes-base.slack",
"position": [
1088,
464
],
"parameters": {
"text": "=\ud83d\udea8 **SECURITY ALERT - {{ $json.severity }}**\n\n**Threat Type:** {{ $json.type }}\n**Source/System:** {{ $json.source || $json.affected_systems || $json.indicator }}\n**Description:** {{ $json.description }}\n**Time Detected:** {{ $json.timestamp }}\n**Action Required:** {{ $json.action_required }}\n\n\u26a0\ufe0f Immediate response required!",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C12345678"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.2
},
{
"id": "de4c0273-fa6e-4af0-9495-f78695e7e67f",
"name": "Send Email Alert - Detailed",
"type": "n8n-nodes-base.emailSend",
"position": [
1088,
672
],
"parameters": {
"options": {},
"subject": "=\ud83d\udea8 {{ $json.severity }} Threat Detected: {{ $json.type }}",
"toEmail": "user@example.com, user@example.com",
"fromEmail": "user@example.com"
},
"credentials": {
"smtp": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "217d7550-3a07-4d86-b8aa-c7013ad4f165",
"name": "Create PagerDuty Incident",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
464
],
"parameters": {
"url": "https://api.pagerduty.com/incidents",
"method": "POST",
"options": {},
"jsonBody": "={\n \"incident\": {\n \"type\": \"incident\",\n \"title\": \"{{ $json.severity }}: {{ $json.type }}\",\n \"service\": {\n \"id\": \"YOUR_SERVICE_ID\",\n \"type\": \"service_reference\"\n },\n \"urgency\": \"high\",\n \"body\": {\n \"type\": \"incident_body\",\n \"details\": \"{{ $json.description }}\\n\\nAction: {{ $json.action_required }}\"\n }\n }\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Token token=YOUR_PAGERDUTY_KEY"
},
{
"name": "Content-Type",
"value": "application/json"
},
{
"name": "Accept",
"value": "application/vnd.pagerduty+json;version=2"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "1cc4631b-7d8a-4231-ad8d-c8d70add7faa",
"name": "Create Security Ticket",
"type": "n8n-nodes-base.httpRequest",
"position": [
1328,
672
],
"parameters": {
"url": "https://your-ticketing-system.com/api/tickets",
"method": "POST",
"options": {},
"jsonBody": "={\n \"title\": \"{{ $json.severity }} Security Threat: {{ $json.type }}\",\n \"description\": \"{{ $json.description }}\\n\\nDetected: {{ $json.timestamp }}\\nAction Required: {{ $json.action_required }}\",\n \"priority\": \"{{ $json.severity === 'CRITICAL' ? 'P1' : 'P2' }}\",\n \"category\": \"Security Incident\",\n \"assigned_to\": \"SOC Team\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Authorization",
"value": "Bearer YOUR_TOKEN_HERE"
},
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "cc06d7fd-96e9-4e91-b529-80eae70a9787",
"name": "Log Medium/Low Threats",
"type": "n8n-nodes-base.httpRequest",
"position": [
1088,
896
],
"parameters": {
"url": "https://your-siem-system.com/api/events/log",
"method": "POST",
"options": {},
"jsonBody": "={\n \"event_type\": \"security_threat\",\n \"severity\": \"{{ $json.severity }}\",\n \"threat_type\": \"{{ $json.type }}\",\n \"description\": \"{{ $json.description }}\",\n \"timestamp\": \"{{ $json.timestamp }}\",\n \"source\": \"n8n_threat_detection\"\n}",
"sendBody": true,
"sendHeaders": true,
"specifyBody": "json",
"headerParameters": {
"parameters": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"typeVersion": 4.2
},
{
"id": "2c5a881f-a51a-41bf-a00e-0f5ddc8beff5",
"name": "Store in Database",
"type": "n8n-nodes-base.postgres",
"position": [
1344,
896
],
"parameters": {
"query": "=INSERT INTO threat_log (severity, type, description, timestamp, action_required)\nVALUES (\n '{{ $json.severity }}',\n '{{ $json.type }}',\n '{{ $json.description }}',\n '{{ $json.timestamp }}',\n '{{ $json.action_required }}'\n);",
"options": {},
"operation": "executeQuery"
},
"credentials": {
"postgres": {
"name": "<your credential>"
}
},
"typeVersion": 2.5
},
{
"id": "8199dd00-b0af-43c3-a5c6-346738debf86",
"name": "Merge All Paths",
"type": "n8n-nodes-base.merge",
"position": [
1568,
592
],
"parameters": {},
"typeVersion": 3
},
{
"id": "81cd1ef3-176a-4c56-b48a-429d24c9f659",
"name": "Generate Summary Report",
"type": "n8n-nodes-base.code",
"position": [
1808,
592
],
"parameters": {
"jsCode": "// Generate Summary Report\nconst items = $input.all();\n\nconst summary = {\n timestamp: new Date().toISOString(),\n total_threats: items.length,\n critical: items.filter(i => i.json.severity === 'CRITICAL').length,\n high: items.filter(i => i.json.severity === 'HIGH').length,\n medium: items.filter(i => i.json.severity === 'MEDIUM').length,\n low: items.filter(i => i.json.severity === 'LOW').length,\n threat_types: [...new Set(items.map(i => i.json.type))],\n status: 'Workflow completed successfully'\n};\n\nreturn [{ json: summary }];"
},
"typeVersion": 2
},
{
"id": "de5188a7-acc2-48e8-910a-61fdb4f25c7e",
"name": "Send Summary to Monitoring Channel",
"type": "n8n-nodes-base.slack",
"position": [
2048,
592
],
"parameters": {
"text": "=\u2705 **Threat Detection Scan Complete**\n\n**Summary:**\n\u2022 Total Threats: {{ $json.total_threats }}\n\u2022 Critical: {{ $json.critical }}\n\u2022 High: {{ $json.high }}\n\u2022 Medium: {{ $json.medium }}\n\u2022 Low: {{ $json.low }}\n\n**Threat Types Detected:** {{ $json.threat_types.join(', ') }}\n\n**Scan Time:** {{ $json.timestamp }}",
"select": "channel",
"channelId": {
"__rl": true,
"mode": "id",
"value": "C87654321"
},
"otherOptions": {}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.2
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "1656b525-1944-4d5c-81ab-9a5c3408610d",
"connections": {
"Merge All Paths": {
"main": [
[
{
"node": "Generate Summary Report",
"type": "main",
"index": 0
}
]
]
},
"Fetch Network Logs": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 0
}
]
]
},
"Check Threat Severity": {
"main": [
[
{
"node": "Send Slack Alert - Critical",
"type": "main",
"index": 0
},
{
"node": "Send Email Alert - Detailed",
"type": "main",
"index": 0
}
],
[
{
"node": "Log Medium/Low Threats",
"type": "main",
"index": 0
}
]
]
},
"Merge All Threat Data": {
"main": [
[
{
"node": "Analyze & Detect Threats",
"type": "main",
"index": 0
}
]
]
},
"Create Security Ticket": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 1
}
]
]
},
"Log Medium/Low Threats": {
"main": [
[
{
"node": "Store in Database",
"type": "main",
"index": 0
}
]
]
},
"Generate Summary Report": {
"main": [
[
{
"node": "Send Summary to Monitoring Channel",
"type": "main",
"index": 0
}
]
]
},
"Analyze & Detect Threats": {
"main": [
[
{
"node": "Check Threat Severity",
"type": "main",
"index": 0
}
]
]
},
"Create PagerDuty Incident": {
"main": [
[
{
"node": "Merge All Paths",
"type": "main",
"index": 0
}
]
]
},
"Send Email Alert - Detailed": {
"main": [
[
{
"node": "Create Security Ticket",
"type": "main",
"index": 0
}
]
]
},
"Send Slack Alert - Critical": {
"main": [
[
{
"node": "Create PagerDuty Incident",
"type": "main",
"index": 0
}
]
]
},
"Fetch Threat Intelligence Feed": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Fetch Vulnerability Scan Results": {
"main": [
[
{
"node": "Merge All Threat Data",
"type": "main",
"index": 1
}
]
]
},
"Schedule Trigger - Every 15 Minutes": {
"main": [
[
{
"node": "Fetch Network Logs",
"type": "main",
"index": 0
},
{
"node": "Fetch Vulnerability Scan Results",
"type": "main",
"index": 0
},
{
"node": "Fetch Threat Intelligence Feed",
"type": "main",
"index": 0
}
]
]
}
}
}
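A hardening note on the outbound payloads, with an added JavaScript example that is not part of the template above. The Create Security Ticket, Create PagerDuty Incident and Log Medium/Low Threats nodes build their request bodies by splicing {{ $json.description }} and similar fields into a JSON text, and the Store in Database node splices the same fields into a SQL string. A description containing a double quote, a backslash or an apostrophe (a malware name or indicator reported by the scanner or feed is enough) yields an invalid JSON body, or a broken and potentially attacker-influenced SQL statement, because those strings originate in untrusted log and feed data. The example contrasts the template's interpolation with JSON.stringify and with a parameterized INSERT in node-postgres $1..$5 style. The sample threat record is constructed, and the names naiveTicketBody, safeTicketBody and threatLogInsert are the example's own, not n8n or template identifiers. One way to apply this inside n8n is to build the body object in a Code node placed before each HTTP Request node and send it as the request body, and, where your Postgres node version exposes query parameters, to bind the values instead of inlining them.

```javascript
// Added example (not part of the n8n template): safe construction of the
// payloads the workflow sends out. The threat record below is constructed.

// The template's approach, shown only for contrast: splice field values
// directly into a JSON text, exactly as the jsonBody expressions do.
function naiveTicketBody(threat) {
  return `{
  "title": "${threat.severity} Security Threat: ${threat.type}",
  "description": "${threat.description}\\n\\nAction Required: ${threat.action_required}",
  "priority": "${threat.severity === 'CRITICAL' ? 'P1' : 'P2'}",
  "category": "Security Incident",
  "assigned_to": "SOC Team"
}`;
}

// Hardened version: build an object and let JSON.stringify escape it, so
// quotes, backslashes and newlines in scanner-supplied strings remain data.
function safeTicketBody(threat) {
  return JSON.stringify({
    title: `${threat.severity} Security Threat: ${threat.type}`,
    description: `${threat.description}\n\nAction Required: ${threat.action_required}`,
    priority: threat.severity === 'CRITICAL' ? 'P1' : 'P2',
    category: 'Security Incident',
    assigned_to: 'SOC Team',
  });
}

// Parameterized INSERT for the threat_log table (node-postgres style
// placeholders, assumed here): the statement text carries no data values, so
// an apostrophe in a description can neither terminate a literal nor alter
// the statement. The driver sends `values` separately from `text`.
function threatLogInsert(threat) {
  return {
    text: 'INSERT INTO threat_log (severity, type, description, timestamp, action_required) ' +
          'VALUES ($1, $2, $3, $4, $5)',
    values: [threat.severity, threat.type, threat.description, threat.timestamp, threat.action_required],
  };
}

// Helper used to show which body a receiving API could actually parse.
function isValidJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample: a malware name as a scanner might report it, carrying a
// double quote and an apostrophe, the characters that break interpolation.
const sampleThreat = {
  severity: 'CRITICAL',
  type: 'Malware Detection',
  affected_systems: 'host-01',
  description: 'Malware signature: Trojan.Generic "dropper" (O\'Brien variant)',
  timestamp: '2024-01-01T00:00:00.000Z',
  action_required: 'Isolate system immediately',
};

console.log('naive body parses:', isValidJson(naiveTicketBody(sampleThreat)));  // false
console.log('safe body parses: ', isValidJson(safeTicketBody(sampleThreat)));   // true
console.log(threatLogInsert(sampleThreat));
```

The same JSON.stringify pattern applies to the PagerDuty incident body and the SIEM log body, which interpolate the same fields; the Slack and email nodes are less affected because their text is not parsed as JSON or SQL, though a description from an untrusted feed is still worth truncating before it reaches an on-call channel.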
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
postgres, slackApi, smtp
About this workflow
This n8n workflow proactively scans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. It analyzes anomalies, correlates indicators, assigns severity, triggers critical alerts, and…
Source: https://n8n.io/workflows/10591/ (original creator credit)