Detect and Route Gameplay Security Anomalies with GPT-4o, Slack and Sheets

By Cheng Siong Chin (@cschin) on n8n.io

This workflow automates cybersecurity incident detection and response for security operations centers (SOCs) managing constant threat landscapes. Designed for security analysts, IT operations teams, and CISOs, it solves the challenge of manually triaging security alerts,…

Category: AI & RAG | Trigger: Cron / scheduled | Nodes: 32 | Complexity: ★★★★★ | AI nodes: yes
Node types: OpenAI Chat, Output Parser Structured, Agent, Slack Tool, Google Sheets Tool, Tool Code, Slack, Email Send

This workflow corresponds to n8n.io template #13322 — we link there as the canonical source.

This workflow follows the Agent → Emailsend recipe pattern — see all workflows that pair these two integrations.

The workflow JSON

Copy the full n8n JSON below, paste it into a new n8n workflow, add your credentials, and activate it.

{
  "id": "8z7iQlO80TxhLHkK7l17N",
  "name": "AI-powered cybersecurity incident detection & response system",
  "tags": [],
  "nodes": [
    {
      "id": "99faa284-7663-4909-a697-9c15c1321a54",
      "name": "Schedule Trigger",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        -16,
        144
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 15
            }
          ]
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "e32e8ce7-aaf2-45b0-bb33-6b89a46e7975",
      "name": "Workflow Configuration",
      "type": "n8n-nodes-base.set",
      "position": [
        208,
        144
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "criticalSeverityThreshold",
              "type": "number",
              "value": 80
            },
            {
              "id": "id-2",
              "name": "highSeverityThreshold",
              "type": "number",
              "value": 60
            },
            {
              "id": "id-3",
              "name": "mediumSeverityThreshold",
              "type": "number",
              "value": 40
            },
            {
              "id": "id-4",
              "name": "slackChannelId",
              "type": "string",
              "value": "<__PLACEHOLDER_VALUE__Slack Channel ID for notifications__>"
            },
            {
              "id": "id-5",
              "name": "escalationEmail",
              "type": "string",
              "value": "<__PLACEHOLDER_VALUE__Email address for critical escalations__>"
            },
            {
              "id": "id-6",
              "name": "googleSheetsDocumentId",
              "type": "string",
              "value": "<__PLACEHOLDER_VALUE__Google Sheets Document ID for logging__>"
            },
            {
              "id": "id-7",
              "name": "humanReviewWaitMinutes",
              "type": "number",
              "value": 30
            }
          ]
        },
        "includeOtherFields": true
      },
      "typeVersion": 3.4
    },
    {
      "id": "1916f024-1ea1-4cfa-8a7a-42096b27793c",
      "name": "Generate Gameplay Anomaly Data",
      "type": "n8n-nodes-base.code",
      "position": [
        432,
        144
      ],
      "parameters": {
        "jsCode": "// Generate realistic gameplay anomaly data\nconst anomalyTypes = ['speed_hack', 'aim_bot', 'wall_hack', 'resource_exploit', 'suspicious_pattern'];\nconst playerNames = ['Player_Alpha', 'Player_Beta', 'Player_Gamma', 'Player_Delta', 'Player_Epsilon'];\n\n// Generate 5 anomaly records\nconst anomalies = [];\n\nfor (let i = 0; i < 5; i++) {\n  const anomalyType = anomalyTypes[Math.floor(Math.random() * anomalyTypes.length)];\n  const playerId = `PID_${Math.floor(Math.random() * 10000)}`;\n  const playerName = playerNames[Math.floor(Math.random() * playerNames.length)];\n  \n  // Generate severity score based on anomaly type\n  let severityScore;\n  if (anomalyType === 'aim_bot' || anomalyType === 'speed_hack') {\n    severityScore = Math.floor(Math.random() * 30) + 70; // 70-100 (high)\n  } else if (anomalyType === 'wall_hack') {\n    severityScore = Math.floor(Math.random() * 20) + 60; // 60-80 (medium-high)\n  } else if (anomalyType === 'resource_exploit') {\n    severityScore = Math.floor(Math.random() * 30) + 50; // 50-80 (medium)\n  } else {\n    severityScore = Math.floor(Math.random() * 40) + 30; // 30-70 (low-medium)\n  }\n  \n  const anomaly = {\n    player_id: playerId,\n    player_name: playerName,\n    anomaly_type: anomalyType,\n    severity_score: severityScore,\n    timestamp: new Date(Date.now() - Math.floor(Math.random() * 3600000)).toISOString(),\n    game_session: {\n      session_id: `SESSION_${Math.floor(Math.random() * 100000)}`,\n      duration_minutes: Math.floor(Math.random() * 120) + 10,\n      map: ['Desert_Storm', 'Urban_Warfare', 'Forest_Ops', 'Arctic_Base'][Math.floor(Math.random() * 4)],\n      game_mode: ['Team_Deathmatch', 'Capture_Flag', 'Battle_Royale', 'Domination'][Math.floor(Math.random() * 4)]\n    },\n    player_statistics: {\n      kills: Math.floor(Math.random() * 50) + (anomalyType === 'aim_bot' ? 
30 : 0),\n      deaths: Math.floor(Math.random() * 20) + 1,\n      accuracy_percentage: anomalyType === 'aim_bot' ? Math.floor(Math.random() * 10) + 90 : Math.floor(Math.random() * 40) + 30,\n      headshot_percentage: anomalyType === 'aim_bot' ? Math.floor(Math.random() * 20) + 70 : Math.floor(Math.random() * 30) + 10,\n      distance_traveled: Math.floor(Math.random() * 10000) + (anomalyType === 'speed_hack' ? 15000 : 1000),\n      resources_collected: Math.floor(Math.random() * 500) + (anomalyType === 'resource_exploit' ? 2000 : 0)\n    },\n    behavioral_metrics: {\n      movement_speed_avg: anomalyType === 'speed_hack' ? Math.floor(Math.random() * 50) + 150 : Math.floor(Math.random() * 30) + 80,\n      reaction_time_ms: anomalyType === 'aim_bot' ? Math.floor(Math.random() * 30) + 10 : Math.floor(Math.random() * 100) + 150,\n      wall_penetration_shots: anomalyType === 'wall_hack' ? Math.floor(Math.random() * 20) + 15 : Math.floor(Math.random() * 3),\n      suspicious_actions_count: Math.floor(Math.random() * 10) + (severityScore > 70 ? 15 : 0),\n      pattern_deviation_score: Math.floor(Math.random() * 100),\n      previous_violations: Math.floor(Math.random() * 5)\n    },\n    detection_confidence: Math.floor(Math.random() * 20) + 80,\n    server_region: ['US-East', 'US-West', 'EU-Central', 'Asia-Pacific'][Math.floor(Math.random() * 4)]\n  };\n  \n  anomalies.push(anomaly);\n}\n\nreturn anomalies.map(anomaly => ({ json: anomaly }));"
      },
      "typeVersion": 2
    },
    {
      "id": "a8e9c726-113d-4a8b-8ce8-7ebc75467455",
      "name": "OpenAI Model - Behavior Validation",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        672,
        368
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "id",
          "value": "gpt-4o"
        },
        "options": {
          "temperature": 0.2
        },
        "builtInTools": {}
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "df569ad9-9d25-4ff2-9cb9-ddf0918db633",
      "name": "Structured Output Parser - Behavior Validation",
      "type": "@n8n/n8n-nodes-langchain.outputParserStructured",
      "position": [
        800,
        368
      ],
      "parameters": {
        "schemaType": "manual",
        "inputSchema": "{\n  \"type\": \"object\",\n  \"properties\": {\n    \"anomalyConfirmed\": {\n      \"type\": \"boolean\",\n      \"description\": \"Whether the anomaly is confirmed\"\n    },\n    \"severityScore\": {\n      \"type\": \"number\",\n      \"minimum\": 0,\n      \"maximum\": 100,\n      \"description\": \"Severity score from 0 to 100\"\n    },\n    \"anomalyType\": {\n      \"type\": \"string\",\n      \"description\": \"Type of anomaly detected\"\n    },\n    \"riskLevel\": {\n      \"type\": \"string\",\n      \"enum\": [\"low\", \"medium\", \"high\", \"critical\"],\n      \"description\": \"Risk level classification\"\n    },\n    \"evidenceStrength\": {\n      \"type\": \"string\",\n      \"enum\": [\"weak\", \"moderate\", \"strong\", \"conclusive\"],\n      \"description\": \"Strength of evidence for the anomaly\"\n    },\n    \"playerBehaviorProfile\": {\n      \"type\": \"object\",\n      \"properties\": {\n        \"accountAge\": {\n          \"type\": \"string\",\n          \"description\": \"Age of the player account\"\n        },\n        \"previousViolations\": {\n          \"type\": \"number\",\n          \"description\": \"Number of previous violations\"\n        },\n        \"playPattern\": {\n          \"type\": \"string\",\n          \"description\": \"Player's play pattern\"\n        },\n        \"skillProgression\": {\n          \"type\": \"string\",\n          \"description\": \"Player's skill progression\"\n        }\n      },\n      \"required\": [\"accountAge\", \"previousViolations\", \"playPattern\", \"skillProgression\"]\n    },\n    \"detectionConfidence\": {\n      \"type\": \"number\",\n      \"minimum\": 0,\n      \"maximum\": 100,\n      \"description\": \"Confidence level of detection from 0 to 100\"\n    },\n    \"reasoning\": {\n      \"type\": \"string\",\n      \"description\": \"Reasoning behind the detection\"\n    },\n    \"recommendedAction\": {\n      \"type\": \"string\",\n      \"description\": 
\"Recommended action to take\"\n    },\n    \"requiresHumanReview\": {\n      \"type\": \"boolean\",\n      \"description\": \"Whether human review is required\"\n    }\n  },\n  \"required\": [\"anomalyConfirmed\", \"severityScore\", \"anomalyType\", \"riskLevel\", \"evidenceStrength\", \"playerBehaviorProfile\", \"detectionConfidence\", \"reasoning\", \"recommendedAction\", \"requiresHumanReview\"]\n}"
      },
      "typeVersion": 1.3
    },
    {
      "id": "d57780e2-3de5-4fd6-aee9-50a0a6705f48",
      "name": "Behavior Validation Agent",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "position": [
        656,
        144
      ],
      "parameters": {
        "text": "=Analyze this gameplay anomaly data: {{ JSON.stringify($json) }}",
        "options": {
          "systemMessage": "You are an expert Behavior Validation Agent specializing in gameplay anomaly detection and anti-cheat analysis.\n\nYour task is to:\n1. Analyze structured gameplay anomaly data including player statistics, behavioral metrics, and session data\n2. Validate whether the anomaly is genuine or a false positive\n3. Assess the severity and risk level of confirmed anomalies\n4. Evaluate evidence strength based on multiple data points\n5. Build a comprehensive player behavior profile considering account history and play patterns\n6. Calculate detection confidence based on data quality and pattern consistency\n7. Determine if human review is required for edge cases or high-impact decisions\n8. Recommend appropriate actions based on severity and confidence levels\n\nConsider:\n- Statistical deviation from normal player behavior\n- Consistency of anomalous patterns across multiple sessions\n- Player account age and history\n- Skill progression curves and learning patterns\n- Technical indicators (input timing, reaction speeds, accuracy patterns)\n- Context of gameplay situation\n- Potential for false positives in legitimate high-skill play\n\nReturn structured analysis with all required fields including detailed reasoning."
        },
        "promptType": "define",
        "hasOutputParser": true
      },
      "typeVersion": 3.1
    },
    {
      "id": "84ee3d15-d21a-4eb9-aaa6-e7ee25deb454",
      "name": "Route by Severity",
      "type": "n8n-nodes-base.switch",
      "position": [
        1024,
        308
      ],
      "parameters": {
        "rules": {
          "values": [
            {
              "outputKey": "High/Critical Severity",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "number",
                      "operation": "gte"
                    },
                    "leftValue": "={{ $json.severityScore }}",
                    "rightValue": 60
                  }
                ]
              },
              "renameOutput": true
            },
            {
              "outputKey": "Medium Severity",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "number",
                      "operation": "gte"
                    },
                    "leftValue": "={{ $json.severityScore }}",
                    "rightValue": 40
                  },
                  {
                    "operator": {
                      "type": "number",
                      "operation": "lt"
                    },
                    "leftValue": "={{ $json.severityScore }}",
                    "rightValue": 60
                  }
                ]
              },
              "renameOutput": true
            },
            {
              "outputKey": "Low Severity",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": true,
                  "typeValidation": "strict"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "number",
                      "operation": "lt"
                    },
                    "leftValue": "={{ $json.severityScore }}",
                    "rightValue": 40
                  }
                ]
              },
              "renameOutput": true
            }
          ]
        },
        "options": {
          "fallbackOutput": "extra",
          "renameFallbackOutput": "Unclassified"
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "65366f95-f6b5-4611-ac6f-aa164437e1ac",
      "name": "OpenAI Model - Governance",
      "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
      "position": [
        1248,
        260
      ],
      "parameters": {
        "model": {
          "__rl": true,
          "mode": "id",
          "value": "gpt-4o"
        },
        "options": {
          "temperature": 0.3
        },
        "builtInTools": {}
      },
      "credentials": {
        "openAiApi": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 1.3
    },
    {
      "id": "59adf837-81ec-4b1a-8fd0-a28a5b5d5740",
      "name": "Structured Output Parser - Governance",
      "type": "@n8n/n8n-nodes-langchain.outputParserStructured",
      "position": [
        1376,
        260
      ],
      "parameters": {
        "schemaType": "manual",
        "inputSchema": "{\n  \"type\": \"object\",\n  \"properties\": {\n    \"actionType\": {\n      \"type\": \"string\",\n      \"enum\": [\"human_review\", \"auto_action\", \"escalate\"],\n      \"description\": \"Type of action to take\"\n    },\n    \"enforcementAction\": {\n      \"type\": \"string\",\n      \"enum\": [\"warning\", \"temporary_ban\", \"permanent_ban\", \"account_flag\", \"no_action\"],\n      \"description\": \"Specific enforcement action to apply\"\n    },\n    \"banDurationHours\": {\n      \"type\": \"number\",\n      \"description\": \"Duration of ban in hours (if applicable)\"\n    },\n    \"notificationRequired\": {\n      \"type\": \"boolean\",\n      \"description\": \"Whether notification is required\"\n    },\n    \"escalationLevel\": {\n      \"type\": \"string\",\n      \"enum\": [\"none\", \"team_lead\", \"management\", \"legal\"],\n      \"description\": \"Level of escalation needed\"\n    },\n    \"requiresDocumentation\": {\n      \"type\": \"boolean\",\n      \"description\": \"Whether documentation is required\"\n    },\n    \"appealEligible\": {\n      \"type\": \"boolean\",\n      \"description\": \"Whether the user can appeal this action\"\n    },\n    \"reasoning\": {\n      \"type\": \"string\",\n      \"description\": \"Detailed reasoning for the decision\"\n    },\n    \"riskAssessment\": {\n      \"type\": \"string\",\n      \"description\": \"Risk assessment analysis\"\n    },\n    \"complianceNotes\": {\n      \"type\": \"string\",\n      \"description\": \"Compliance and regulatory notes\"\n    }\n  },\n  \"required\": [\"actionType\", \"enforcementAction\", \"notificationRequired\", \"escalationLevel\", \"requiresDocumentation\", \"appealEligible\", \"reasoning\", \"riskAssessment\", \"complianceNotes\"]\n}"
      },
      "typeVersion": 1.3
    },
    {
      "id": "f472fdca-fd3d-4e8e-b75e-179b94b6538a",
      "name": "Slack Tool",
      "type": "n8n-nodes-base.slackTool",
      "position": [
        1504,
        260
      ],
      "parameters": {
        "text": "={{ $fromAI('message', 'Message content to send', 'string') }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $fromAI('channel', 'Slack channel ID for notifications', 'string') }}"
        },
        "otherOptions": {},
        "authentication": "oAuth2"
      },
      "credentials": {
        "slackOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.4
    },
    {
      "id": "51b0d7c2-a22b-4a6e-b31f-1a592d7eebc6",
      "name": "Google Sheets Tool",
      "type": "n8n-nodes-base.googleSheetsTool",
      "position": [
        1632,
        260
      ],
      "parameters": {
        "options": {},
        "operation": "append",
        "sheetName": {
          "__rl": true,
          "mode": "name",
          "value": "={{ $fromAI('sheetName', 'Sheet name to append data', 'string') }}"
        },
        "documentId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $fromAI('documentId', 'Google Sheets document ID', 'string') }}"
        }
      },
      "credentials": {
        "googleSheetsOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.7
    },
    {
      "id": "c1160312-d3d7-479a-bd6a-42c51949ca2e",
      "name": "Historical Pattern Analysis Tool",
      "type": "@n8n/n8n-nodes-langchain.toolCode",
      "position": [
        1760,
        260
      ],
      "parameters": {
        "jsCode": "// Analyze historical player behavior patterns\nconst currentPlayerData = JSON.parse(query);\n\n// Simulate historical violation lookup (in production, this would query a database)\nconst historicalViolations = {\n  player_id: currentPlayerData.player_id || 'unknown',\n  previous_violations: Math.floor(Math.random() * 5),\n  last_violation_date: new Date(Date.now() - Math.random() * 90 * 24 * 60 * 60 * 1000).toISOString(),\n  violation_types: ['speed_hack', 'resource_manipulation', 'unauthorized_access'],\n  average_severity: Math.random() * 10\n};\n\n// Calculate recidivism risk\nconst recidivismScore = historicalViolations.previous_violations > 2 ? 'HIGH' : \n                        historicalViolations.previous_violations > 0 ? 'MEDIUM' : 'LOW';\n\n// Identify behavioral trends\nconst trends = {\n  escalating_severity: historicalViolations.average_severity > 7,\n  repeat_offender: historicalViolations.previous_violations > 1,\n  recent_activity: new Date(historicalViolations.last_violation_date) > new Date(Date.now() - 30 * 24 * 60 * 60 * 1000)\n};\n\n// Pattern matching analysis\nconst patternAnalysis = {\n  player_id: currentPlayerData.player_id || 'unknown',\n  recidivism_risk: recidivismScore,\n  previous_violations: historicalViolations.previous_violations,\n  last_violation: historicalViolations.last_violation_date,\n  behavioral_trends: trends,\n  recommendation: recidivismScore === 'HIGH' ? 'Immediate escalation recommended' : \n                  recidivismScore === 'MEDIUM' ? 'Enhanced monitoring required' : \n                  'Standard processing'\n};\n\nreturn JSON.stringify(patternAnalysis, null, 2);",
        "description": "Analyzes historical player behavior patterns and compares with current anomaly data to identify trends and recidivism"
      },
      "typeVersion": 1.3
    },
    {
      "id": "4b121fc8-f4e9-47cb-81aa-b5cc5a8cd124",
      "name": "Governance Agent",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "position": [
        1432,
        36
      ],
      "parameters": {
        "text": "=Review this validated anomaly and determine enforcement action: {{ JSON.stringify($json) }}",
        "options": {
          "systemMessage": "You are a Governance Agent responsible for coordinating enforcement reviews and escalation decisions for gameplay violations.\n\nYour task is to:\n1. Review validated anomaly data from the Behavior Validation Agent\n2. Determine appropriate enforcement actions based on severity, evidence strength, and player history\n3. Decide whether cases require human review, can be auto-actioned, or need escalation\n4. Use available tools to check historical patterns, notify teams via Slack, and log decisions to Google Sheets\n5. Assess compliance requirements and documentation needs\n6. Evaluate appeal eligibility based on evidence quality and circumstances\n7. Provide detailed reasoning for all enforcement decisions\n\nDecision Framework:\n- Human Review: Edge cases, first-time high-severity violations, weak evidence, or cases requiring judgment\n- Auto-Action: Clear violations with strong evidence, repeat offenders with established patterns, low-risk decisions\n- Escalate: Critical violations, legal implications, high-profile accounts, or systemic abuse patterns\n\nEnforcement Actions:\n- Warning: First-time minor violations, educational opportunity\n- Temporary Ban: Moderate violations, cooling-off period (specify duration)\n- Permanent Ban: Severe violations, repeat offenders, irredeemable behavior\n- Account Flag: Monitoring required, suspicious but inconclusive\n- No Action: False positive, insufficient evidence\n\nUse your tools strategically:\n- Historical Pattern Analysis Tool: Check player violation history and behavioral trends\n- Slack Tool: Notify relevant teams about decisions requiring coordination\n- Google Sheets Tool: Log enforcement decisions for audit trail\n\nReturn structured decisions with complete reasoning and compliance notes."
        },
        "promptType": "define",
        "hasOutputParser": true
      },
      "typeVersion": 3.1
    },
    {
      "id": "acbd944c-04a3-4d65-b1d4-6ebaebabe006",
      "name": "Route by Action Type",
      "type": "n8n-nodes-base.switch",
      "position": [
        2016,
        240
      ],
      "parameters": {
        "rules": {
          "values": [
            {
              "outputKey": "Human Review",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": false,
                  "typeValidation": "loose"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.actionType }}",
                    "rightValue": "human_review"
                  }
                ]
              },
              "renameOutput": true
            },
            {
              "outputKey": "Auto-Action",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": false,
                  "typeValidation": "loose"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.actionType }}",
                    "rightValue": "auto_action"
                  }
                ]
              },
              "renameOutput": true
            },
            {
              "outputKey": "Escalate",
              "conditions": {
                "options": {
                  "leftValue": "",
                  "caseSensitive": false,
                  "typeValidation": "loose"
                },
                "combinator": "and",
                "conditions": [
                  {
                    "operator": {
                      "type": "string",
                      "operation": "equals"
                    },
                    "leftValue": "={{ $json.actionType }}",
                    "rightValue": "escalate"
                  }
                ]
              },
              "renameOutput": true
            }
          ]
        },
        "options": {
          "fallbackOutput": "extra",
          "renameFallbackOutput": "Default"
        }
      },
      "typeVersion": 3.4
    },
    {
      "id": "0cda0716-14eb-4726-af9f-600f1c8e4dad",
      "name": "Wait for Human Review",
      "type": "n8n-nodes-base.wait",
      "position": [
        2464,
        128
      ],
      "parameters": {
        "unit": "minutes",
        "amount": "={{ $('Workflow Configuration').first().json.humanReviewWaitMinutes }}"
      },
      "typeVersion": 1.1
    },
    {
      "id": "9bc27284-ce3f-4a8f-ad7e-229af141a868",
      "name": "Prepare Human Review Data",
      "type": "n8n-nodes-base.set",
      "position": [
        2240,
        128
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "reviewStatus",
              "type": "string",
              "value": "pending_human_review"
            },
            {
              "id": "id-2",
              "name": "reviewRequestedAt",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "reviewType",
              "type": "string",
              "value": "governance_decision"
            }
          ]
        },
        "includeOtherFields": true
      },
      "typeVersion": 3.4
    },
    {
      "id": "c2ed4750-dfd7-47c5-a44b-b56979eb379e",
      "name": "Send to Slack - Human Review",
      "type": "n8n-nodes-base.slack",
      "position": [
        2688,
        128
      ],
      "parameters": {
        "text": "=\ud83d\udd0d HUMAN REVIEW REQUIRED\n\nPlayer ID: {{ $json.playerId }}\nAnomaly Type: {{ $json.anomalyType }}\nSeverity Score: {{ $json.severityScore }}/100\nRisk Level: {{ $json.riskLevel }}\nEvidence Strength: {{ $json.evidenceStrength }}\n\nRecommended Action: {{ $json.enforcementAction }}\nReasoning: {{ $json.reasoning }}\n\nReview Status: {{ $json.reviewStatus }}\nRequested At: {{ $json.reviewRequestedAt }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $('Workflow Configuration').first().json.slackChannelId }}"
        },
        "otherOptions": {},
        "authentication": "oAuth2"
      },
      "credentials": {
        "slackOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.4
    },
    {
      "id": "d7623eb3-86fd-4f14-97fa-a900756c6331",
      "name": "Prepare Auto-Action Data",
      "type": "n8n-nodes-base.set",
      "position": [
        2464,
        320
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "actionStatus",
              "type": "string",
              "value": "auto_executed"
            },
            {
              "id": "id-2",
              "name": "executedAt",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "actionType",
              "type": "string",
              "value": "automated_enforcement"
            }
          ]
        },
        "includeOtherFields": true
      },
      "typeVersion": 3.4
    },
    {
      "id": "61593cc2-152c-439e-bde1-c63dc2f018cd",
      "name": "Send to Slack - Auto-Action",
      "type": "n8n-nodes-base.slack",
      "position": [
        2688,
        320
      ],
      "parameters": {
        "text": "=\u26a1 AUTO-ACTION EXECUTED\n\nPlayer ID: {{ $json.playerId }}\nAnomaly Type: {{ $json.anomalyType }}\nSeverity Score: {{ $json.severityScore }}/100\nRisk Level: {{ $json.riskLevel }}\n\nEnforcement Action: {{ $json.enforcementAction }}\nBan Duration: {{ $json.banDurationHours }} hours\nAppeal Eligible: {{ $json.appealEligible }}\n\nReasoning: {{ $json.reasoning }}\n\nAction Status: {{ $json.actionStatus }}\nExecuted At: {{ $json.executedAt }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $('Workflow Configuration').first().json.slackChannelId }}"
        },
        "otherOptions": {},
        "authentication": "oAuth2"
      },
      "credentials": {
        "slackOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.4
    },
    {
      "id": "de3dfb2e-c63d-45d0-abea-f22db8332386",
      "name": "Prepare Escalation Data",
      "type": "n8n-nodes-base.set",
      "position": [
        2240,
        512
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "escalationStatus",
              "type": "string",
              "value": "escalated"
            },
            {
              "id": "id-2",
              "name": "escalatedAt",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "escalationType",
              "type": "string",
              "value": "critical_violation"
            }
          ]
        },
        "includeOtherFields": true
      },
      "typeVersion": 3.4
    },
    {
      "id": "90c80d2e-5154-4954-8bef-bf421d9eedd0",
      "name": "Send Escalation Email",
      "type": "n8n-nodes-base.emailSend",
      "position": [
        2464,
        512
      ],
      "parameters": {
        "html": "=<h2>Critical Gameplay Violation Escalation</h2><p><strong>Player ID:</strong> {{ $json.playerId }}</p><p><strong>Anomaly Type:</strong> {{ $json.anomalyType }}</p><p><strong>Severity Score:</strong> {{ $json.severityScore }}/100</p><p><strong>Risk Level:</strong> {{ $json.riskLevel }}</p><p><strong>Evidence Strength:</strong> {{ $json.evidenceStrength }}</p><hr><p><strong>Recommended Enforcement:</strong> {{ $json.enforcementAction }}</p><p><strong>Ban Duration:</strong> {{ $json.banDurationHours }} hours</p><p><strong>Escalation Level:</strong> {{ $json.escalationLevel }}</p><hr><p><strong>Reasoning:</strong></p><p>{{ $json.reasoning }}</p><p><strong>Risk Assessment:</strong></p><p>{{ $json.riskAssessment }}</p><p><strong>Compliance Notes:</strong></p><p>{{ $json.complianceNotes }}</p><hr><p><strong>Escalation Status:</strong> {{ $json.escalationStatus }}</p><p><strong>Escalated At:</strong> {{ $json.escalatedAt }}</p><p>This case requires immediate management review and decision.</p>",
        "options": {},
        "subject": "=CRITICAL: Gameplay Violation Escalation - Player {{ $json.playerId }}",
        "toEmail": "={{ $('Workflow Configuration').first().json.escalationEmail }}",
        "fromEmail": "user@example.com"
      },
      "typeVersion": 2.1
    },
    {
      "id": "420d621c-6dee-4ad8-9a55-01af73efabd3",
      "name": "Send to Slack - Escalation",
      "type": "n8n-nodes-base.slack",
      "position": [
        2688,
        512
      ],
      "parameters": {
        "text": "=\ud83d\udea8 CRITICAL ESCALATION\n\nPlayer ID: {{ $json.playerId }}\nAnomaly Type: {{ $json.anomalyType }}\nSeverity Score: {{ $json.severityScore }}/100\nRisk Level: {{ $json.riskLevel }}\n\nEnforcement Action: {{ $json.enforcementAction }}\nEscalation Level: {{ $json.escalationLevel }}\n\nReasoning: {{ $json.reasoning }}\n\nEscalation email sent to management.\nEscalated At: {{ $json.escalatedAt }}",
        "select": "channel",
        "channelId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $('Workflow Configuration').first().json.slackChannelId }}"
        },
        "otherOptions": {},
        "authentication": "oAuth2"
      },
      "credentials": {
        "slackOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 2.4
    },
    {
      "id": "09b48124-614b-4c41-a2e6-9aaa4fdf8e99",
      "name": "Merge All Actions",
      "type": "n8n-nodes-base.merge",
      "position": [
        2912,
        256
      ],
      "parameters": {
        "mode": "combine",
        "options": {},
        "combineBy": "combineByPosition",
        "numberInputs": 3
      },
      "typeVersion": 3.2
    },
    {
      "id": "e092e206-11fc-4077-bb22-77ae2ef93290",
      "name": "Log to Google Sheets",
      "type": "n8n-nodes-base.googleSheets",
      "position": [
        3136,
        272
      ],
      "parameters": {
        "columns": {
          "value": {},
          "schema": [],
          "mappingMode": "autoMapInputData",
          "matchingColumns": [
            "playerId"
          ]
        },
        "options": {},
        "operation": "appendOrUpdate",
        "sheetName": {
          "__rl": true,
          "mode": "name",
          "value": "Enforcement Actions"
        },
        "documentId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $('Workflow Configuration').first().json.googleSheetsDocumentId }}"
        }
      },
      "credentials": {
        "googleSheetsOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.7
    },
    {
      "id": "e1418718-db57-4880-8917-cd5829d7a52b",
      "name": "Prepare Low Severity Data",
      "type": "n8n-nodes-base.set",
      "position": [
        1496,
        436
      ],
      "parameters": {
        "options": {},
        "assignments": {
          "assignments": [
            {
              "id": "id-1",
              "name": "actionStatus",
              "type": "string",
              "value": "logged_low_severity"
            },
            {
              "id": "id-2",
              "name": "loggedAt",
              "type": "string",
              "value": "={{ $now.toISO() }}"
            },
            {
              "id": "id-3",
              "name": "requiresAction",
              "type": "boolean",
              "value": false
            }
          ]
        },
        "includeOtherFields": true
      },
      "typeVersion": 3.4
    },
    {
      "id": "9ecec52b-1012-4cdc-aa96-a1dc7ce3cbe5",
      "name": "Log Low Severity to Sheets",
      "type": "n8n-nodes-base.googleSheets",
      "position": [
        2016,
        560
      ],
      "parameters": {
        "columns": {
          "value": {
            "playerId": "={{ $json.playerId }}"
          },
          "schema": [],
          "mappingMode": "autoMapInputData",
          "matchingColumns": [
            "playerId"
          ]
        },
        "options": {},
        "operation": "appendOrUpdate",
        "sheetName": {
          "__rl": true,
          "mode": "name",
          "value": "Low Severity Anomalies"
        },
        "documentId": {
          "__rl": true,
          "mode": "id",
          "value": "={{ $('Workflow Configuration').first().json.googleSheetsDocumentId }}"
        }
      },
      "credentials": {
        "googleSheetsOAuth2Api": {
          "name": "<your credential>"
        }
      },
      "typeVersion": 4.7
    },
    {
      "id": "774e2c7f-46cc-4c85-beae-4264d7caafde",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1408,
        -448
      ],
      "parameters": {
        "color": 6,
        "width": 608,
        "height": 320,
        "content": "## Prerequisites\nSIEM or security monitoring platform access, OpenAI API account\n## Use Cases\nIntrusion detection response, malware outbreak containment\n## Customization\nModify AI prompts for organization-specific threat models, adjust severity scoring algorithms\n## Benefits\nReduces incident response time by 80%, minimizes false positive alert fatigue"
      },
      "typeVersion": 1
    },
    {
      "id": "01927c55-79ed-441a-ab0c-32d66d2754df",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        736,
        -368
      ],
      "parameters": {
        "width": 630,
        "height": 224,
        "content": "## Setup Steps\n1. Connect **Schedule Trigger** for continuous monitoring \n2. Configure **SIEM/security data sources** \n3. Add **OpenAI API keys** to Behavior Validator and Governance Agent nodes\n4. Define **severity thresholds** and threat patterns in agent prompts\n5. Link **Slack webhooks** for critical incident alerts and escalation channels\n6. Connect **Google Sheets** API for incident logging and compliance tracking\n"
      },
      "typeVersion": 1
    },
    {
      "id": "d9e0384a-d120-4ab1-91fa-fc622952f552",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        0,
        -416
      ],
      "parameters": {
        "width": 704,
        "height": 304,
        "content": "## How It Works\nThis workflow automates cybersecurity incident detection and response for security operations centers (SOCs) managing constant threat landscapes. Designed for security analysts, IT operations teams, and CISOs, it solves the challenge of manually triaging security alerts, validating threats, and coordinating response actions across multiple systems and stakeholders. The system schedules continuous security monitoring, generates simulated anomaly data for testing, validates behaviors through AI agents (Behavior Validator confirms threat patterns, Governance Agent assesses severity), routes incidents by criticality (low/critical), and orchestrates responses: critical threats trigger automated human reviews, escalation workflows, and Slack alerts; low-priority items receive automated remediation with Google Sheets logging. By combining AI-powered threat analysis with intelligent routing and multi-channel response coordination, organizations reduce incident response time by 80%, minimize false positives, ensure consistent threat handling, and enable security teams to focus on strategic defense rather than alert fatigue.\n"
      },
      "typeVersion": 1
    },
    {
      "id": "5c8afa41-3fc4-4426-af79-f55604da2c16",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1952,
        -96
      ],
      "parameters": {
        "color": 7,
        "width": 1344,
        "height": 1008,
        "content": "## Coordinated Response\n**What**: Executes action plans via Slack alerts, Google Sheets logging, automated remediation scripts  \n**Why**: Multi-channel orchestration ensures stakeholder notification, audit compliance, and rapid threat neutralization"
      },
      "typeVersion": 1
    },
    {
      "id": "842b07fd-4f8e-4679-a96f-720494ef0dcd",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        992,
        -80
      ],
      "parameters": {
        "color": 7,
        "width": 944,
        "height": 960,
        "content": "## Intelligent Routing\n**What**: Routes incidents by severity\u2014critical triggers human review/escalation, low enables auto-remediation  \n**Why**: Priority-based workflows ensure urgent threats receive expert attention while minor issues resolve automatically"
      },
      "typeVersion": 1
    },
    {
      "id": "817fe50d-abc2-46bb-a312-be9e6ce2e1ab",
      "name": "Sticky Note5",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -48,
        -64
      ],
      "parameters": {
        "color": 7,
        "width": 992,
        "height": 720,
        "content": "\n## Continuous Monitoring & AI Threat Validation\n**What**: Behavior Validator confirms suspicious patterns; Governance Agent assesses incident severity  \n**Why**: Dual-layer analysis reduces false positives while accurately identifying critical threats requiring immediate action\n"
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "settings": {
    "availableInMCP": false,
    "executionOrder": "v1"
  },
  "versionId": "9d870190-a1f4-45f3-9b92-8f81f3f184a1",
  "connections": {
    "Slack Tool": {
      "ai_tool": [
        [
          {
            "node": "Governance Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Governance Agent": {
      "main": [
        [
          {
            "node": "Route by Action Type",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger": {
      "main": [
        [
          {
            "node": "Workflow Configuration",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Merge All Actions": {
      "main": [
        [
          {
            "node": "Log to Google Sheets",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Route by Severity": {
      "main": [
        [
          {
            "node": "Governance Agent",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Governance Agent",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Prepare Low Severity Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Google Sheets Tool": {
      "ai_tool": [
        [
          {
            "node": "Governance Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "Route by Action Type": {
      "main": [
        [
          {
            "node": "Prepare Human Review Data",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Prepare Auto-Action Data",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Prepare Escalation Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send Escalation Email": {
      "main": [
        [
          {
            "node": "Send to Slack - Escalation",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait for Human Review": {
      "main": [
        [
          {
            "node": "Send to Slack - Human Review",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Workflow Configuration": {
      "main": [
        [
          {
            "node": "Generate Gameplay Anomaly Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Prepare Escalation Data": {
      "main": [
        [
          {
            "node": "Send Escalation Email",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Prepare Auto-Action Data": {
      "main": [
        [
          {
            "node": "Send to Slack - Auto-Action",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Behavior Validation Agent": {
      "main": [
        [
          {
            "node": "Route by Severity",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "OpenAI Model - Governance": {
      "ai_languageModel": [
        [
          {
            "node": "Governance Agent",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Prepare Human Review Data": {
      "main": [
        [
          {
            "node": "Wait for Human Review",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Prepare Low Severity Data": {
      "main": [
        [
          {
            "node": "Log Low Severity to Sheets",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Send to Slack - Escalation": {
      "main": [
        [
          {
            "node": "Merge All Actions",
            "type": "main",
            "index": 2
          }
        ]
      ]
    },
    "Send to Slack - Auto-Action": {
      "main": [
        [
          {
            "node": "Merge All Actions",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Send to Slack - Human Review": {
      "main": [
        [
          {
            "node": "Merge All Actions",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Generate Gameplay Anomaly Data": {
      "main": [
        [
          {
            "node": "Behavior Validation Agent",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Historical Pattern Analysis Tool": {
      "ai_tool": [
        [
          {
            "node": "Governance Agent",
            "type": "ai_tool",
            "index": 0
          }
        ]
      ]
    },
    "OpenAI Model - Behavior Validation": {
      "ai_languageModel": [
        [
          {
            "node": "Behavior Validation Agent",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Structured Output Parser - Governance": {
      "ai_outputParser": [
        [
          {
            "node": "Governance Agent",
            "type": "ai_outputParser",
            "index": 0
          }
        ]
      ]
    },
    "Structured Output Parser - Behavior Validation": {
      "ai_outputParser": [
        [
          {
            "node": "Behavior Validation Agent",
            "type": "ai_outputParser",
            "index": 0
          }
        ]
      ]
    }
  }
}

Credentials you'll need

Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.

Source: https://n8n.io/workflows/13322/ — original creator credit.