This workflow follows the Agent → Chat Trigger recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
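Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
Review these points before activating, because the workflow passes externally supplied alert text to a model that can call HTTP tools:
- The Webhook node as exported shows no authentication setting, so anything that can reach the path can start a run. Enable one of the node's authentication options or restrict access at the network layer.
- The VirusTotal-Hash tool takes its entire URL from the model while sending the virusTotalApi credential. Fixing the URL to the VirusTotal files endpoint and letting the model supply only the hash keeps the credential from being sent to a destination chosen by prompt content.
- The DFIR-IRIS request sets allowUnauthorizedCerts to true, which disables TLS certificate validation for that call. Trust the server's certificate properly instead of skipping validation.
- The user message hard-codes one source IP and one file hash rather than reading them from the incoming alert, so every run enriches the same indicators. The system prompt also refers to the tool as 'AbuseIPDB-Enrichment' while the node is named 'AbuselPDB-Enrichment' (lowercase L in place of I).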
{
"name": "My workflow",
"nodes": [
{
"parameters": {
"httpMethod": "POST",
"path": "36679367-477d-418c-ab15-4be904694aa9",
"options": {}
},
"type": "n8n-nodes-base.webhook",
"typeVersion": 2.1,
"position": [
-480,
16
],
"id": "cbb702f8-ad5f-49a2-aa36-a11703fc73d9",
"name": "Webhook"
},
{
"parameters": {
"modelId": {
"__rl": true,
"value": "gpt-4.1-mini",
"mode": "list",
"cachedResultName": "GPT-4.1-MINI"
},
"responses": {
"values": [
{
"role": "system",
"content": "Act as a Tier 1 SOC analyst assistant. When provided with a security alert or incident details (including indicators of compromise, logs, or metadata), perform the following steps: \n\nSummarize the alert \u2013 Provide a clear summary of what triggered the alert, which systems/users are affected, and the nature of the activity (e.g., suspicious login, malware detection, lateral movement). \n\nEnrich with threat intelligence \u2013 Correlate any IOCs (IP addresses, domains, hashes) with known threat intel sources. For any IP enrichment use the tool named 'AbuseIPDB-Enrichment'. For any File Hash use the tool named 'VirusTotal-Hash'and use the URL: 'https://www.virustotal.com/api/v3/files/{id}' but replace the '{id}' in the url with an actual file hash. Highlight if the indicators are associated with known malware or threat actors. \n\nAssess severity \u2013 Based on MITRE ATT&CK mapping, identify tactics/techniques, and provide an initial severity rating (Low, Medium, High, Critical). \n\nRecommend next actions \u2013 Suggest investigation steps and potential containment actions.\n\nFormat output clearly \u2013 Return findings in a structured format (Summary, IOC Enrichment, Severity Assessment, Recommended Actions)."
},
{
"content": "=Alert: {{ $json.body.search_name }}\nAlert Details: {{ JSON.stringify($json.body.result,['_time', 'user', 'ComputerName'], 2) }}\nSource IP: 194.5.82.41\nFile Hash: bcff246f0739ed98f8aa615d256e7e00bc1cb24c8cabaea609b25c3f050c7805"
}
]
},
"builtInTools": {},
"options": {}
},
"type": "@n8n/n8n-nodes-langchain.openAi",
"typeVersion": 2,
"position": [
-272,
16
],
"id": "a9e4c5e4-bcf9-4bdf-a511-4ecb6c1ec922",
"name": "Message a model",
"credentials": {
"openAiApi": {
"name": "<your credential>"
}
}
},
{
"parameters": {
"select": "channel",
"channelId": {
"__rl": true,
"value": "C09UM8K6M18",
"mode": "list",
"cachedResultName": "alerts"
},
"text": "={{ $json.output[0].content[0].text }}",
"otherOptions": {}
},
"type": "n8n-nodes-base.slack",
"typeVersion": 2.3,
"position": [
48,
16
],
"id": "c406349f-5f1f-4d33-b408-d8a0f5495c23",
"name": "Send a message",
"credentials": {
"slackApi": {
"name": "<your credential>"
}
}
},
{
"parameters": {
"url": "https://api.abuseipdb.com/api/v2/check",
"sendQuery": true,
"queryParameters": {
"parameters": [
{
"name": "ipAddress",
"value": "={{ /*n8n-auto-generated-fromAI-override*/ $fromAI('parameters0_Value', ``, 'string') }}"
},
{
"name": "maxAgeInDays",
"value": "3"
},
{
"name": "verbose"
}
]
},
"sendHeaders": true,
"headerParameters": {
"parameters": [
{
"name": "Key",
"value": "4b3de78f90ca79b0d3aa56f1a556821b7ef577b8feec4981b8ebf37156b1857f7f017f2e79a08b19"
},
{
"name": "Accept",
"value": "application/json"
}
]
},
"options": {}
},
"type": "n8n-nodes-base.httpRequestTool",
"typeVersion": 4.3,
"position": [
-304,
224
],
"id": "f2dc5c13-c202-4a32-a9aa-90e1644756bd",
"name": "AbuselPDB-Enrichment"
},
{
"parameters": {
"url": "={{ /*n8n-auto-generated-fromAI-override*/ $fromAI('URL', ``, 'string') }}",
"authentication": "predefinedCredentialType",
"nodeCredentialType": "virusTotalApi",
"sendHeaders": true,
"headerParameters": {
"parameters": [
{
"name": "accept",
"value": "application/json"
}
]
},
"options": {}
},
"type": "n8n-nodes-base.httpRequestTool",
"typeVersion": 4.3,
"position": [
-160,
224
],
"id": "eeaf6d23-b692-4578-b3da-3ca13a1764ba",
"name": "VirusTotal-Hash",
"credentials": {
"virusTotalApi": {
"name": "<your credential>"
}
}
},
{
"parameters": {
"preBuiltAgentsCalloutHttpRequest": "",
"httpVariantWarning": "",
"curlImport": "",
"method": "POST",
"": "",
"url": "https://192.168.195.131/alerts/add",
"authentication": "predefinedCredentialType",
"nodeCredentialType": "dfirIrisApi",
"provideSslCertificates": false,
"sendQuery": false,
"sendHeaders": false,
"sendBody": true,
"contentType": "json",
"specifyBody": "keypair",
"bodyParameters": {
"parameters": [
{
"name": "alert_title",
"value": "={{ $('Webhook').item.json.body.search_name }}"
},
{
"name": "alert_description",
"value": "={{ $json.output[0].content[0].text }}"
},
{
"name": "alert_severity_id",
"value": "3"
},
{
"name": "alert_status_id",
"value": "1"
},
{
"name": "alert_customer_id",
"value": "1"
}
]
},
"options": {
"allowUnauthorizedCerts": true
},
"infoMessage": ""
},
"type": "n8n-nodes-base.httpRequest",
"typeVersion": 4.3,
"position": [
48,
-176
],
"id": "d48c3d6f-9ac4-4e3e-b0c7-0f922eb5dbb4",
"name": "DFIR-IRIS HTTP Request",
"extendsCredential": "dfirIrisApi",
"credentials": {
"dfirIrisApi": {
"name": "<your credential>"
}
}
}
],
"connections": {
"Webhook": {
"main": [
[
{
"node": "Message a model",
"type": "main",
"index": 0
}
]
]
},
"Message a model": {
"main": [
[
{
"node": "Send a message",
"type": "main",
"index": 0
},
{
"node": "DFIR-IRIS HTTP Request",
"type": "main",
"index": 0
}
]
]
},
"AbuselPDB-Enrichment": {
"ai_tool": [
[
{
"node": "Message a model",
"type": "ai_tool",
"index": 0
}
]
]
},
"VirusTotal-Hash": {
"ai_tool": [
[
{
"node": "Message a model",
"type": "ai_tool",
"index": 0
}
]
]
}
},
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "4b233cbf-e62e-4ff2-a377-479c53af2e39",
"meta": {
"templateCredsSetupCompleted": true
},
"id": "1qW8EQR2bgzf1QeV",
"tags": []
}
Credentials you'll need
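Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own. Stripping covers credential references only: a secret typed directly into a node parameter stays in the JSON, as the `Key` header value on the AbuseIPDB request node does here. Treat that value as exposed and replace it with a stored credential of your own.
openAiApi, pineconeApi, xAiApi (the JSON shown above references openAiApi, slackApi, virusTotalApi and dfirIrisApi)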
About this workflow
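Main Workflow. Uses documentDefaultDataLoader, vectorStorePinecone, lmChatXAiGrok, embeddingsOpenAi. Webhook trigger; 18 nodes. (This summary does not match the JSON shown above, which defines six nodes: a webhook, an OpenAI model call, a Slack message, two HTTP request tools and an HTTP request to DFIR-IRIS. It may describe a different file.)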
Source: https://github.com/gselez6761/agentic-ai-challenge-data/blob/c2086dff6749d96541a7f874e1bf75af78d8303d/workflows/main_workflow.json — original creator credit. Request a take-down →