This workflow follows the HTTP Request → Slack recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "LSH4x5nnNGQbNBkh",
"name": "Notify_user_in_Slack_of_quarantined_email_and_create_Jira_ticket_if_opened",
"tags": [
{
"id": "5TDAHOQdlBnsFbrY",
"name": "Completed",
"createdAt": "2023-11-06T22:57:07.494Z",
"updatedAt": "2023-11-06T22:57:07.494Z"
},
{
"id": "QPJKatvLSxxtrE8U",
"name": "Secops",
"createdAt": "2023-10-31T02:15:11.396Z",
"updatedAt": "2023-10-31T02:15:11.396Z"
}
],
"nodes": [
{
"id": "f0bf5f9b-58c5-4dff-95cc-3af378fc49a3",
"name": "has email been opened?",
"type": "n8n-nodes-base.if",
"position": [
1280,
1040
],
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{ !!($json.read_at ?? false) }}",
"value2": true
}
]
}
},
"typeVersion": 1
},
{
"id": "7acb2409-6b67-4500-993f-5beeaecec718",
"name": "Receive Sublime Security Alert",
"type": "n8n-nodes-base.webhook",
"position": [
840,
1040
],
"parameters": {
"path": "3ea0b887-9caa-477e-b6e4-1d3edf72d11e",
"options": {},
"httpMethod": "POST",
"authentication": "headerAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "ad876000-e3a4-4f3e-b917-629cc450a15c",
"name": "Get message details in Sublime Security",
"type": "n8n-nodes-base.httpRequest",
"position": [
1040,
1040
],
"parameters": {
"url": "=https://api.platform.sublimesecurity.com/v0/messages/{{ $json.body.data.messageId }}",
"options": {},
"authentication": "genericCredentialType",
"genericAuthType": "httpHeaderAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.1
},
{
"id": "2945cdef-f595-410d-9344-767e8cae3cd6",
"name": "Jira Software",
"type": "n8n-nodes-base.jira",
"position": [
1680,
900
],
"parameters": {
"project": {
"__rl": true,
"mode": "list",
"value": ""
},
"summary": "=Flagged email has been opened before quarantine | {{ $('Get message details in Sublime Security').item.json.subject }}",
"issueType": {
"__rl": true,
"mode": "list",
"value": ""
},
"additionalFields": {
"description": "=An email has been automatically flagged by Sublime Security and has been quarantined.\nThe recipient has opened the email before the quarantine occurred.\n\n## **Flagged Rules**\n|Name |Severity|Tags|ID|\n|--|--|--|--|\n{{ $json[\"table\"] }}\n\n## **Email information**\n| | |\n|--|--|\n|Email ID|{{ $('Get message details in Sublime Security').item.json[\"id\"] }}|\n|Time Created At|{{ $('Get message details in Sublime Security').item.json[\"created_at\"] }}|\n|Receiving Mailbox Address|{{ $('Get message details in Sublime Security').item.json[\"mailbox\"][\"email\"] }}|\n|Subject line|{{ $('Get message details in Sublime Security').item.json[\"subject\"] }}|\n|Sender Email|{{ $('Get message details in Sublime Security').item.json[\"sender\"][\"email\"] }}|\n|Sender Display Name|{{ $('Get message details in Sublime Security').item.json[\"sender\"][\"display_name\"] }}|\n|Time Read At|{{ $('Get message details in Sublime Security').item.json[\"read_at\"] }}|\n\nTo view the message details and further information, please check the Sublime Security dashboard.\n\nAn email has been sent to {{ $('Get message details in Sublime Security').item.json[\"mailbox\"][\"email\"] }} notifying them that an incoming message has been quarantined."
}
},
"credentials": {
"jiraSoftwareCloudApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "9c55d492-0fdd-4edd-995c-b3c5fecd9840",
"name": "lookup slack user by email",
"type": "n8n-nodes-base.httpRequest",
"position": [
1280,
460
],
"parameters": {
"url": "https://slack.com/api/users.lookupByEmail",
"options": {},
"sendQuery": true,
"authentication": "predefinedCredentialType",
"queryParameters": {
"parameters": [
{
"name": "email",
"value": "={{ $json.mailbox.email }}"
}
]
},
"nodeCredentialType": "slackApi"
},
"credentials": {
"slackApi": {
"name": "<your credential>"
},
"slackOAuth2Api": {
"name": "<your credential>"
}
},
"typeVersion": 4.1
},
{
"id": "f1bcb2c7-4ef4-4f9b-a68e-6620ab66b435",
"name": "user found?",
"type": "n8n-nodes-base.if",
"position": [
1480,
460
],
"parameters": {
"conditions": {
"boolean": [
{
"value1": "={{ !!($json.user.id ?? false) }}",
"value2": true
}
]
}
},
"typeVersion": 1
},
{
"id": "dcca54b8-d09c-45bf-a789-7545103bb7c3",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
480,
364.84681758846136
],
"parameters": {
"width": 718.6188455173532,
"height": 863.9601939404693,
"content": "\n# Workflow Overview\n\nThis workflow is initiated by `Sublime Security` whenever an inbound email undergoes scanning and triggers an alert.\n\nIn the event that Sublime Security is set up to automatically quarantine the email, this workflow will make an effort to inform the recipient through Slack. To accomplish this, it will utilize the recipient's mailbox address to search for their corresponding Slack username.\n\nIf the flagged email has already been opened, this workflow will additionally create a Jira ticket to manage the incident.\n\n## **HTTP Request Node Requirements**\n1. Create a rule in Sublime Security which has [auto-quarantine enabled](https://docs.sublimesecurity.com/docs/quarantine).\n2. [Create a webhook](https://docs.sublimesecurity.com/docs/webhooks) in Sublime which will send an alert to the `Receive Sublime Security Alert` node whenever a selected rule is triggered.\n\n## **Credentials**\n- Sublime Security: Find your API key for [Sublime Security](https://docs.sublimesecurity.com/reference/authentication#create-an-api-key) and save it as an n8n credential with Header Auth in the format `Authorization: Bearer YOUR-API-KEY`.\n\n- Slack: Provide credentials for a Slack app that has access to `users:read.email` and `im:write` scopes.\n"
},
"typeVersion": 1
},
{
"id": "8255a3f7-fcda-4d93-97c3-4d223778014f",
"name": "Sticky Note3",
"type": "n8n-nodes-base.stickyNote",
"position": [
1220,
175.18665303995851
],
"parameters": {
"width": 714.4547337311393,
"height": 522.7074838611178,
"content": "\n## Try to find quarantined email user's slack username \nWith the quarantined email\u2019s details at hand, n8n tries to notify the user via Slack. The message explains the reason for the email\u2019s absence, provides identifying details, and instructs on further action if the user recognizes the email as safe."
},
"typeVersion": 1
},
{
"id": "c149a4b8-4f12-4018-a1dc-dfbed9e081eb",
"name": "Found, notify user",
"type": "n8n-nodes-base.slack",
"position": [
1700,
400
],
"parameters": {
"text": "=Hello,\nOur security team has detected a potentially malicious email sent to your inbox and have quarantined it undergoing investigation.\n\nFrom: {{ $('Get message details in Sublime Security').item.json[\"sender\"][\"display_name\"] }} | {{ $('Get message details in Sublime Security').item.json[\"sender\"][\"email\"] }}\nSubject: {{ $('Get message details in Sublime Security').item.json[\"subject\"] }}\n\nIf you believe that the email is not malicious and was intended for you, please contact IT, referencing email ID `{{ $('Get message details in Sublime Security').item.json[\"id\"] }}`.\n\nThe email may be restored by IT if it is determined to be safe.\n\nThank you for helping keep the company secure!",
"user": {
"__rl": true,
"mode": "id",
"value": "={{ $json.user.id }}"
},
"select": "user",
"otherOptions": {}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.1
},
{
"id": "04712fdf-0409-4f9d-bd0b-7e40af9ffade",
"name": "Not Found, Do Nothing",
"type": "n8n-nodes-base.noOp",
"position": [
1700,
560
],
"parameters": {},
"typeVersion": 1
},
{
"id": "c9f8ede6-1886-4779-a4e8-3c32e12d6aae",
"name": "Sticky Note1",
"type": "n8n-nodes-base.stickyNote",
"position": [
1220,
710.6363009271314
],
"parameters": {
"width": 718.1630306649816,
"height": 516.9144812801944,
"content": "\n## If user opened email before quarantine, create jira ticket\nIf an email is opened prior to quarantine, n8n automatically creates a Jira ticket for further investigation. This ensures a swift response to potential threats that bypass the initial quarantine measures, highlighting n8n's critical role in incident response workflows."
},
"typeVersion": 1
},
{
"id": "a75d35a2-eefa-490c-9a05-9474a1e093fb",
"name": "No, do nothing",
"type": "n8n-nodes-base.noOp",
"position": [
1500,
1080
],
"parameters": {},
"typeVersion": 1
},
{
"id": "8c44c4fb-ec26-4005-b17b-ac8a9ef79721",
"name": "Yes, prep flaggedRules table",
"type": "n8n-nodes-base.code",
"position": [
1500,
900
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "console.log($(\"Receive Sublime Security Alert\").item.json.body);\n\nconst table = $(\"Receive Sublime Security Alert\")\n .item.json.body.data.flagged_rules.map(\n (rule) => `|${rule.name}|${rule.severity}|${rule.tags.join(\",\")}|${rule.id}`\n )\n .join(\"\\n\");\n\nconsole.log(table);\n\nreturn {\n table\n}\n"
},
"typeVersion": 2
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "cfa69dd2-286b-46ae-bc6b-6b4086bc8a20",
"connections": {
"user found?": {
"main": [
[
{
"node": "Found, notify user",
"type": "main",
"index": 0
}
],
[
{
"node": "Not Found, Do Nothing",
"type": "main",
"index": 0
}
]
]
},
"has email been opened?": {
"main": [
[
{
"node": "Yes, prep flaggedRules table",
"type": "main",
"index": 0
}
],
[
{
"node": "No, do nothing",
"type": "main",
"index": 0
}
]
]
},
"lookup slack user by email": {
"main": [
[
{
"node": "user found?",
"type": "main",
"index": 0
}
]
]
},
"Yes, prep flaggedRules table": {
"main": [
[
{
"node": "Jira Software",
"type": "main",
"index": 0
}
]
]
},
"Receive Sublime Security Alert": {
"main": [
[
{
"node": "Get message details in Sublime Security",
"type": "main",
"index": 0
}
]
]
},
"Get message details in Sublime Security": {
"main": [
[
{
"node": "has email been opened?",
"type": "main",
"index": 0
},
{
"node": "lookup slack user by email",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
httpHeaderAuthjiraSoftwareCloudApislackApislackOAuth2Api
Pro
For the full experience including quality scoring and batch install features for each workflow upgrade to Pro
How this works
Stay ahead of potential security threats by receiving instant Slack notifications whenever an email is quarantined in Sublime Security, allowing quick review and response to suspicious messages. This workflow suits security teams or IT administrators managing email defences, ensuring no critical alerts go unnoticed. The key step involves checking if the quarantined email has been opened, triggering a Jira ticket creation for deeper investigation if it has, while integrating seamlessly with Slack for user alerts and Jira for task tracking.
Use this workflow when monitoring quarantined emails from Sublime Security demands real-time team notifications and automated ticketing for opened threats, particularly in environments with high email volumes. Avoid it for non-security alerts or if your setup lacks Sublime Security integration, as it relies on their webhook for incoming data. Common variations include adding email forwarding to Slack or custom Jira fields for severity levels based on threat types.
About this workflow
Notify_user_in_Slack_of_quarantined_email_and_create_Jira_ticket_if_opened. Uses httpRequest, jira, stickyNote, slack. Webhook trigger; 13 nodes.
Source: https://github.com/Zie619/n8n-workflows — original creator credit. Request a take-down →
Related workflows
Workflows that share integrations, category, or trigger type with this one. All free to copy and import.
This n8n workflow serves as an incident response and notification system for handling potentially malicious emails flagged by Sublime Security. It begins with a Webhook trigger that Sublime Security u
HTTP Request, Jira, Slack
🛡️ Jamf Policy Integrity Monitor
Crypto, Data Table, HTTP Request +2
> n8n, Binance API, Google Sheets, Slack, Telegram, Jira & Email
HTTP Request, Google Sheets, Slack +3
This workflow automatically detects at-risk customers by listening for inactivity signals from Mixpanel, scoring their churn risk, syncing everything to HubSpot, creating a prioritized ClickUp follow-
HubSpot, ClickUp, Slack +1
Webhook: Failed Login Attempts → Jira Security Case → Slack Warnings
Jira, Slack, Notion