axcexe/N8N_Cyber_Workflows

n8n Cybersecurity Workflows

SOC workflows for enrichment, triage, orchestration, and response




🧠 Overview

This repository contains production-grade n8n workflows engineered for:

  • Deterministic + adaptive alert triage pipelines
  • Multi-source threat intelligence correlation
  • Automated incident orchestration + response gating
  • Phishing analysis pipelines with header parsing + detonation hooks
  • Vulnerability intelligence enrichment with asset correlation

Designed for practitioners who require repeatable, observable, and auditable automation across security operations.


⚡ Architecture Model

flowchart LR
    A[Trigger: SIEM / Webhook / Email] --> B[Normalization Layer]
    B --> C[Enrichment Engine]
    C --> D[Correlation Logic]
    D --> E{Decision Engine}
    E -->|Low Risk| F[Auto Close / Log]
    E -->|Medium Risk| G[Notify + Ticket]
    E -->|High Risk| H[Approval Gate]
    H --> I[Response Action]
    I --> J[Audit Logging]

📦 Repository Layout

workflows/
  ├── incident-response/
  ├── phishing/
  ├── threat-intel/
  ├── vuln-management/
  ├── identity/
  └── utilities/

docs/
  ├── setup.md
  ├── credentials.md
  ├── schema.md
  ├── hardening.md
  └── troubleshooting.md

samples/
  ├── input/
  └── output/

🚀 Quick Start

1. Deploy n8n (Docker)
docker volume create n8n_data

docker run -it --rm \
  --name n8n-secops \
  -p 5678:5678 \
  -v n8n_data:/home/node/.n8n \
  -e N8N_ENCRYPTION_KEY=$(openssl rand -hex 32) \
  -e N8N_LOG_LEVEL=info \
  -e EXECUTIONS_PROCESS=main \
  n8nio/n8n
2. Import Workflow
  • Navigate to: http://localhost:5678
  • Click: Workflows → Import from File
  • Select JSON from /workflows/**
3. Configure Credentials
  • Go to: Credentials Tab
  • Add:
    • API Tokens (SIEM, EDR, TI providers)
    • OAuth integrations if required
  • Map credentials inside workflow nodes

4. Execute + Observe
  • Click Execute Workflow
  • Inspect:
    • Node execution data
    • Input/output payload transformations
    • Error branches

🔬 Workflow Execution Model

sequenceDiagram
    participant SIEM
    participant n8n
    participant TI
    participant EDR
    participant Ticketing

    SIEM->>n8n: Alert Webhook
    n8n->>n8n: Normalize JSON
    n8n->>TI: Enrich Indicators
    n8n->>EDR: Query Host Context
    n8n->>n8n: Risk Scoring
    alt High Risk
        n8n->>Ticketing: Create Incident
        n8n->>EDR: Containment Action
    else Low Risk
        n8n->>n8n: Auto-close
    end

🧩 Example Workflow: IOC Enrichment Pipeline

{
  "nodes": [
    {
      "name": "Webhook Trigger",
      "type": "n8n-nodes-base.webhook",
      "parameters": {
        "httpMethod": "POST",
        "path": "ioc-enrich"
      }
    },
    {
      "name": "Normalize IOC",
      "type": "n8n-nodes-base.function",
      "parameters": {
        "functionCode": "return items.map(item => ({ json: { ioc: item.json.indicator.toLowerCase() }}));"
      }
    },
    {
      "name": "Query Threat Intel",
      "type": "n8n-nodes-base.httpRequest",
      "parameters": {
        "url": "https://api.threatintel.local/check",
        "method": "POST"
      }
    }
  ]
}
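As an added example (not code from the repository), this is what a fuller version of the "Normalize IOC" node's functionCode could look like: it refangs defanged indicators, classifies them, and emits the unified IOC object that the Schema Normalization feature refers to. The field names ioc/type/raw and the classification rules are assumptions for this example.

```javascript
// Added example (not the repository's code). Mirrors the "Normalize IOC" Function
// node: in n8n `items` is provided by the runtime and the node body is the
// single `return` line inside normalizeItems().

// Undo common defanging (evil[.]com, hxxp://, user[@]host) before parsing.
function refang(value) {
  return String(value).trim()
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, '.')
    .replace(/\[@\]|\(@\)/g, '@')
    .replace(/^hxxp/i, 'http');
}
// Classify one indicator and return the unified IOC object { ioc, type, raw }.
// Field names and classification rules are assumptions for this example.
function normalizeIoc(raw) {
  const value = refang(raw);
  let type = 'unknown';
  let ioc = value;
  if (/^(\d{1,3}\.){3}\d{1,3}$/.test(value) &&
      value.split('.').every(o => Number(o) <= 255)) {
    type = 'ipv4';
  } else if (/^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$/i.test(value)) {
    type = { 32: 'md5', 40: 'sha1', 64: 'sha256' }[value.length];
    ioc = value.toLowerCase();
  } else if (/^https?:\/\//i.test(value)) {
    type = 'url';
    try { ioc = new URL(value).href; }        // lowercases scheme and host only
    catch (err) { type = 'unknown'; }
  } else if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value)) {
    type = 'email';
    ioc = value.toLowerCase();
  } else if (/^(?!-)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$/i.test(value)) {
    type = 'domain';
    ioc = value.toLowerCase();
  }
  return { ioc, type, raw: String(raw) };
}

// Equivalent of the node's functionCode, applied to every incoming item.
function normalizeItems(items) {
  return items.map(item => ({ json: normalizeIoc(item.json.indicator) }));
}

// Constructed sample input in the shape the Webhook Trigger would deliver.
const sampleItems = [
  { json: { indicator: 'Evil[.]Example[.]COM' } },
  { json: { indicator: 'hxxp://Evil[.]example.com/Login' } },
  { json: { indicator: '198.51.100.7' } },
  { json: { indicator: 'D41D8CD98F00B204E9800998ECF8427E' } },
];
console.log(normalizeItems(sampleItems).map(i => i.json));
```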

🧱 Advanced Features Implemented

| Capability | Implementation |
|---|---|
| Idempotency | Hash-based deduplication (SHA256 of indicator set) |
| Retry Logic | Exponential backoff via Function nodes |
| Rate Limiting | Token bucket logic inside workflows |
| Observability | Structured logs (JSON) shipped externally |
| Error Handling | Global error trigger workflows |
| Schema Normalization | Unified IOC object model |
| Execution Tracing | executionId correlation across nodes |

πŸ›‘οΈ Security Hardening

reverse_proxy:
  tls: enabled
  waf: enabled
  ip_allowlist:
    - SIEM_IP
    - INTERNAL_VPN

n8n:
  auth:
    basic_auth: true
  encryption:
    key: ${N8N_ENCRYPTION_KEY}
  audit_logging: enabled

βš™οΈ Environment Variables

# Core
N8N_ENCRYPTION_KEY=CHANGE_ME
N8N_LOG_LEVEL=debug

# Threat Intel
TI_API_KEY=xxxx
TI_BASE_URL=https://ti.local

# EDR
EDR_CLIENT_ID=xxxx
EDR_SECRET=xxxx

# SIEM
SIEM_URL=https://siem.local
SIEM_TOKEN=xxxx

🧠 Design Principles

  • Deterministic first, AI-assisted second
  • All actions are explainable
  • No implicit trust in external data
  • Every decision is logged + reproducible
  • Separation of enrichment vs action pipelines

📊 Observability Model

graph TD
    A[Workflow Execution] --> B[Structured Logs]
    B --> C[Log Aggregator]
    C --> D[SIEM]
    D --> E[Dashboards]
    E --> F[Detection Engineering Feedback Loop]

🧪 Testing Strategy

| Layer | Method |
|---|---|
| Unit | Function node isolated execution |
| Integration | Mock API endpoints |
| End-to-End | Replay real alert payloads |
| Chaos | Inject API failures + latency |

🤝 Contributing

git clone https://github.com/<your-repo>.git
git checkout -b feature/new-workflow

Checklist:

  • JSON workflow added
  • Sample input/output included
  • No hardcoded secrets
  • Error handling implemented
  • README updated

📜 License

MIT


⚠️ Disclaimer

These workflows can trigger real security actions (account disablement, host isolation, blocking). Validate in controlled environments before enabling in production.

