{ "name": "Detect and route cybersecurity threats with SIEM, Slack, email and PagerDuty + BillionVerify", "nodes": [ { "id": "b20161b9-009c-4670-9563-377582851b77", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [ -1152, 96 ], "parameters": { "width": 800, "height": 800, "content": "## Real-time threat detection & incident response\n\nScans and aggregates threat intelligence, network logs, and vulnerability data every 15 minutes to detect emerging risks across the infrastructure. Detected threats are scored by severity — critical and high issues trigger immediate multi-channel alerts and incident tickets, while medium and low threats are logged for trend analysis. Every scan closes with an executive summary posted to Slack.\n\n## How it works\n\n1. **Collect** — Fetches network logs from SIEM, vulnerability scan results, and external threat intel feeds in parallel\n2. **Merge & analyze** — Combines all data, then detects brute force attacks, malware, critical CVEs, suspicious traffic, and IOC matches\n3. **Route by severity** — Critical/High threats go to immediate alerting; Medium/Low are logged to the database\n4. **Alert** — Sends Slack alert, detailed email to SOC, creates a PagerDuty incident, and opens a ticket\n5. **Log** — Stores Medium/Low threats to SIEM and PostgreSQL for audit trail\n6. **Report** — Merges all paths and posts a scan summary to the Slack monitoring channel\n\n## Setup steps\n\n1. **SIEM** — Replace `your-siem-system.com` with your SIEM endpoint in both the log fetch and log write nodes\n2. **Vulnerability scanner** — Update the scanner URL and replace `YOUR_API_KEY` with your credentials\n3. **Threat intel** — Add your API key to the threat intelligence feed node header\n4. **PagerDuty** — Replace `YOUR_PAGERDUTY_KEY` and `YOUR_SERVICE_ID` in the PagerDuty node\n5. **Ticketing** — Update the ticket URL to your Jira or ServiceNow instance and add `YOUR_TICKET_API_KEY`\n6. **Slack** — Set the correct channel IDs in both Slack nodes (alerts channel and monitoring channel)\n7. **Email** — Configure SMTP credentials; update `from` and `to` addresses in the email node\n8. **PostgreSQL** — Ensure a `threat_log` table exists with columns: severity, type, description, timestamp, action_required" }, "typeVersion": 1 }, { "id": "7c9fbfd3-9663-4ad2-84d2-2dc19cf804da", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [ -176, 144 ], "parameters": { "color": 4, "width": 440, "height": 876, "content": "## 1. Data collection\n\nTriggers every 15 minutes and fetches network logs, vulnerability scan results, and external threat intelligence feeds in parallel before merging them for analysis." }, "typeVersion": 1 }, { "id": "34565425-c656-4881-928d-32f678ac9cdf", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [ 304, 352 ], "parameters": { "color": 4, "width": 436, "height": 460, "content": "## 2. Threat analysis\n\nMerges all collected data and runs detection logic to identify brute force attacks, malware signatures, critical vulnerabilities, suspicious traffic patterns, and IOC matches. Each threat is tagged with a severity level." }, "typeVersion": 1 }, { "id": "d929174b-463e-4376-89f0-5a63f282b7f8", "name": "Sticky Note3", "type": "n8n-nodes-base.stickyNote", "position": [ 800, 256 ], "parameters": { "color": 4, "width": 640, "height": 860, "content": "## 3. Alert & remediate\n\nCritical and High threats trigger a Slack alert, a detailed SOC email, a PagerDuty incident, and an incident ticket. Medium and Low threats are logged to SIEM and stored in PostgreSQL." }, "typeVersion": 1 }, { "id": "0a3e7f2b-d06f-45fb-a8dd-33125071246a", "name": "Sticky Note4", "type": "n8n-nodes-base.stickyNote", "position": [ 1488, 336 ], "parameters": { "color": 4, "width": 764, "height": 524, "content": "## 4. Summary report\n\nAll paths merge and a scan summary — total threats by severity and type — is posted to the Slack monitoring channel after every run." }, "typeVersion": 1 }, { "id": "5633b4a5-b9cf-44ea-99ea-0dad8156574c", "name": "Schedule Trigger - Every 15 Minutes", "type": "n8n-nodes-base.scheduleTrigger", "position": [ -144, 496 ], "parameters": { "rule": { "interval": [ { "field": "minutes", "minutesInterval": 15 } ] } }, "typeVersion": 1.2 }, { "id": "9de6147c-8a55-4613-913a-604093822d75", "name": "Fetch Network Logs", "type": "n8n-nodes-base.httpRequest", "position": [ 96, 384 ], "parameters": { "url": "https://your-siem-system.com/api/logs", "method": "POST", "options": {}, "sendBody": true, "sendHeaders": true, "bodyParameters": { "parameters": [ { "name": "time_range", "value": "15m" }, { "name": "log_types", "value": "firewall,ids,auth" } ] }, "headerParameters": { "parameters": [ { "name": "Content-Type", "value": "application/json" } ] } }, "typeVersion": 4.2 }, { "id": "14354e5f-bb8c-4fa7-852c-d82621fc03bd", "name": "Fetch Vulnerability Scan Results", "type": "n8n-nodes-base.httpRequest", "position": [ 96, 592 ], "parameters": { "url": "https://your-vulnerability-scanner.com/api/scan", "method": "POST", "options": {}, "sendBody": true, "sendHeaders": true, "bodyParameters": { "parameters": [ { "name": "scan_type", "value": "quick" }, { "name": "targets", "value": "internal_network" } ] }, "headerParameters": { "parameters": [ { "name": "Authorization", "value": "Bearer YOUR_TOKEN_HERE" } ] } }, "typeVersion": 4.2 }, { "id": "e6b1d20e-48e5-435f-bc96-621f95c6d1a5", "name": "Fetch Threat Intelligence Feed", "type": "n8n-nodes-base.httpRequest", "position": [ 96, 784 ], "parameters": { "url": "https://api.threatintel.com/v1/threats/recent", "options": {}, "sendHeaders": true, "headerParameters": { "parameters": [ { "name": "X-API-Key", "value": "YOUR_THREAT_INTEL_KEY" } ] } }, "typeVersion": 4.2 }, { "id": "52a555e8-19c0-4cc5-99a3-e780ac8cbc7e", "name": "Merge All Threat Data", "type": "n8n-nodes-base.merge", "position": [ 352, 592 ], "parameters": {}, "typeVersion": 3 }, { "id": "2c8301ec-fa9a-4a4e-a7aa-f26357b26cef", "name": "Analyze & Detect Threats", "type": "n8n-nodes-base.code", "position": [ 608, 592 ], "parameters": { "jsCode": "// Threat Detection Logic\nconst items = $input.all();\nconst threats = [];\n\nfor (const item of items) {\n const data = item.json;\n \n // Check for failed login attempts (Brute Force)\n if (data.failed_logins && data.failed_logins > 10) {\n threats.push({\n severity: 'HIGH',\n type: 'Brute Force Attack',\n source: data.source_ip || 'Unknown',\n description: `${data.failed_logins} failed login attempts detected`,\n timestamp: new Date().toISOString(),\n action_required: 'Block IP and notify SOC'\n });\n }\n \n // Check for critical vulnerabilities\n if (data.vulnerabilities) {\n const criticalVulns = data.vulnerabilities.filter(v => v.severity === 'CRITICAL');\n if (criticalVulns.length > 0) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Critical Vulnerability Detected',\n affected_systems: data.hostname || 'Multiple systems',\n description: `${criticalVulns.length} critical vulnerabilities found`,\n timestamp: new Date().toISOString(),\n action_required: 'Immediate patching required'\n });\n }\n }\n \n // Check for suspicious traffic patterns\n if (data.traffic_volume && data.traffic_volume > 10000) {\n threats.push({\n severity: 'MEDIUM',\n type: 'Suspicious Traffic Pattern',\n source: data.source_ip || 'Unknown',\n description: `Abnormal traffic volume: ${data.traffic_volume} requests`,\n timestamp: new Date().toISOString(),\n action_required: 'Investigate and monitor'\n });\n }\n \n // Check for malware signatures\n if (data.malware_detected === true) {\n threats.push({\n severity: 'CRITICAL',\n type: 'Malware Detection',\n affected_systems: data.hostname || 'Unknown',\n description: `Malware signature: ${data.malware_name || 'Unknown'}`,\n timestamp: new Date().toISOString(),\n action_required: 'Isolate system immediately'\n });\n }\n \n // Check threat intelligence matches\n if (data.ioc_match === true) {\n threats.push({\n severity: 'HIGH',\n type: 'IOC Match',\n indicator: data.indicator || 'Unknown',\n description: `Known threat indicator detected: ${data.indicator_type}`,\n timestamp: new Date().toISOString(),\n action_required: 'Block and investigate'\n });\n }\n}\n\nreturn threats.map(threat => ({ json: threat }));" }, "typeVersion": 2 }, { "id": "e9494946-bdcd-41a9-b685-86cb6c5ddfd4", "name": "Check Threat Severity", "type": "n8n-nodes-base.if", "position": [ 848, 592 ], "parameters": { "options": {}, "conditions": { "options": { "leftValue": "", "caseSensitive": true, "typeValidation": "strict" }, "combinator": "or", "conditions": [ { "id": "condition-1", "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.severity }}", "rightValue": "CRITICAL" }, { "id": "condition-2", "operator": { "type": "string", "operation": "equals" }, "leftValue": "={{ $json.severity }}", "rightValue": "HIGH" } ] } }, "typeVersion": 2 }, { "id": "9c1414b8-f5cc-47da-a9de-909901adb984", "name": "Send Slack Alert - Critical", "type": "n8n-nodes-base.slack", "position": [ 1088, 464 ], "webhookId": "d6a0a10f-e8d2-4582-8575-c616319d80b6", "parameters": { "text": "=🚨 **SECURITY ALERT - {{ $json.severity }}**\n\n**Threat Type:** {{ $json.type }}\n**Source/System:** {{ $json.source || $json.affected_systems || $json.indicator }}\n**Description:** {{ $json.description }}\n**Time Detected:** {{ $json.timestamp }}\n**Action Required:** {{ $json.action_required }}\n\n⚠️ Immediate response required!", "select": "channel", "channelId": { "__rl": true, "mode": "id", "value": "C12345678" }, "otherOptions": {} }, "credentials": { "slackApi": { "id": "credential-id", "name": "Slack account - test " } }, "typeVersion": 2.2 }, { "id": "de4c0273-fa6e-4af0-9495-f78695e7e67f", "name": "Send Email Alert - Detailed", "type": "n8n-nodes-base.emailSend", "position": [ 1088, 672 ], "webhookId": "ce029cd9-3d2c-41d6-a482-33fb385b3356", "parameters": { "options": {}, "subject": "=🚨 {{ $json.severity }} Threat Detected: {{ $json.type }}", "toEmail": "user@example.com, user@example.com", "fromEmail": "user@example.com" }, "credentials": { "smtp": { "id": "credential-id", "name": "SMTP -test" } }, "typeVersion": 2.1 }, { "id": "217d7550-3a07-4d86-b8aa-c7013ad4f165", "name": "Create PagerDuty Incident", "type": "n8n-nodes-base.httpRequest", "position": [ 1328, 464 ], "parameters": { "url": "https://api.pagerduty.com/incidents", "method": "POST", "options": {}, "jsonBody": "={\n \"incident\": {\n \"type\": \"incident\",\n \"title\": \"{{ $json.severity }}: {{ $json.type }}\",\n \"service\": {\n \"id\": \"YOUR_SERVICE_ID\",\n \"type\": \"service_reference\"\n },\n \"urgency\": \"high\",\n \"body\": {\n \"type\": \"incident_body\",\n \"details\": \"{{ $json.description }}\\n\\nAction: {{ $json.action_required }}\"\n }\n }\n}", "sendBody": true, "sendHeaders": true, "specifyBody": "json", "headerParameters": { "parameters": [ { "name": "Authorization", "value": "Token token=YOUR_PAGERDUTY_KEY" }, { "name": "Content-Type", "value": "application/json" }, { "name": "Accept", "value": "application/vnd.pagerduty+json;version=2" } ] } }, "typeVersion": 4.2 }, { "id": "1cc4631b-7d8a-4231-ad8d-c8d70add7faa", "name": "Create Security Ticket", "type": "n8n-nodes-base.httpRequest", "position": [ 1328, 672 ], "parameters": { "url": "https://your-ticketing-system.com/api/tickets", "method": "POST", "options": {}, "jsonBody": "={\n \"title\": \"{{ $json.severity }} Security Threat: {{ $json.type }}\",\n \"description\": \"{{ $json.description }}\\n\\nDetected: {{ $json.timestamp }}\\nAction Required: {{ $json.action_required }}\",\n \"priority\": \"{{ $json.severity === 'CRITICAL' ? 'P1' : 'P2' }}\",\n \"category\": \"Security Incident\",\n \"assigned_to\": \"SOC Team\"\n}", "sendBody": true, "sendHeaders": true, "specifyBody": "json", "headerParameters": { "parameters": [ { "name": "Authorization", "value": "Bearer YOUR_TOKEN_HERE" }, { "name": "Content-Type", "value": "application/json" } ] } }, "typeVersion": 4.2 }, { "id": "cc06d7fd-96e9-4e91-b529-80eae70a9787", "name": "Log Medium/Low Threats", "type": "n8n-nodes-base.httpRequest", "position": [ 1088, 896 ], "parameters": { "url": "https://your-siem-system.com/api/events/log", "method": "POST", "options": {}, "jsonBody": "={\n \"event_type\": \"security_threat\",\n \"severity\": \"{{ $json.severity }}\",\n \"threat_type\": \"{{ $json.type }}\",\n \"description\": \"{{ $json.description }}\",\n \"timestamp\": \"{{ $json.timestamp }}\",\n \"source\": \"n8n_threat_detection\"\n}", "sendBody": true, "sendHeaders": true, "specifyBody": "json", "headerParameters": { "parameters": [ { "name": "Content-Type", "value": "application/json" } ] } }, "typeVersion": 4.2 }, { "id": "2c5a881f-a51a-41bf-a00e-0f5ddc8beff5", "name": "Store in Database", "type": "n8n-nodes-base.postgres", "position": [ 1344, 896 ], "parameters": { "query": "=INSERT INTO threat_log (severity, type, description, timestamp, action_required)\nVALUES (\n '{{ $json.severity }}',\n '{{ $json.type }}',\n '{{ $json.description }}',\n '{{ $json.timestamp }}',\n '{{ $json.action_required }}'\n);", "options": {}, "operation": "executeQuery" }, "credentials": { "postgres": { "id": "credential-id", "name": "Postgres-test" } }, "typeVersion": 2.5 }, { "id": "8199dd00-b0af-43c3-a5c6-346738debf86", "name": "Merge All Paths", "type": "n8n-nodes-base.merge", "position": [ 1568, 592 ], "parameters": {}, "typeVersion": 3 }, { "id": "81cd1ef3-176a-4c56-b48a-429d24c9f659", "name": "Generate Summary Report", "type": "n8n-nodes-base.code", "position": [ 1808, 592 ], "parameters": { "jsCode": "// Generate Summary Report\nconst items = $input.all();\n\nconst summary = {\n timestamp: new Date().toISOString(),\n total_threats: items.length,\n critical: items.filter(i => i.json.severity === 'CRITICAL').length,\n high: items.filter(i => i.json.severity === 'HIGH').length,\n medium: items.filter(i => i.json.severity === 'MEDIUM').length,\n low: items.filter(i => i.json.severity === 'LOW').length,\n threat_types: [...new Set(items.map(i => i.json.type))],\n status: 'Workflow completed successfully'\n};\n\nreturn [{ json: summary }];" }, "typeVersion": 2 }, { "id": "de5188a7-acc2-48e8-910a-61fdb4f25c7e", "name": "Send Summary to Monitoring Channel", "type": "n8n-nodes-base.slack", "position": [ 2048, 592 ], "webhookId": "c636bac1-5c75-4b12-98ca-4a9583026339", "parameters": { "text": "=✅ **Threat Detection Scan Complete**\n\n**Summary:**\n• Total Threats: {{ $json.total_threats }}\n• Critical: {{ $json.critical }}\n• High: {{ $json.high }}\n• Medium: {{ $json.medium }}\n• Low: {{ $json.low }}\n\n**Threat Types Detected:** {{ $json.threat_types.join(', ') }}\n\n**Scan Time:** {{ $json.timestamp }}", "select": "channel", "channelId": { "__rl": true, "mode": "id", "value": "C87654321" }, "otherOptions": {} }, "credentials": { "slackApi": { "id": "credential-id", "name": "Slack account - test " } }, "typeVersion": 2.2 }, { "parameters": { "operation": "verify", "email": "={{ $json.email || $json.Email }}", "additionalOptions": {} }, "type": "n8n-nodes-billionverify.billionVerify", "typeVersion": 1, "position": [ 728, 672 ], "name": "Verify Email (BillionVerify)", "credentials": { "billionVerifyApi": { "id": "", "name": "BillionVerify account" } } }, { "parameters": { "conditions": { "options": { "caseSensitive": true, "leftValue": "", "typeValidation": "loose" }, "combinator": "and", "conditions": [ { "id": "is-deliverable", "leftValue": "={{ $json.is_deliverable }}", "rightValue": "", "operator": { "type": "boolean", "operation": "true", "singleValue": true } } ] } }, "type": "n8n-nodes-base.if", "typeVersion": 2, "position": [ 908, 672 ], "name": "IF deliverable" } ], "connections": { "Merge All Paths": { "main": [ [ { "node": "Generate Summary Report", "type": "main", "index": 0 } ] ] }, "Fetch Network Logs": { "main": [ [ { "node": "Merge All Threat Data", "type": "main", "index": 0 } ] ] }, "Check Threat Severity": { "main": [ [ { "node": "Send Slack Alert - Critical", "type": "main", "index": 0 }, { "node": "Verify Email (BillionVerify)", "type": "main", "index": 0 } ], [ { "node": "Log Medium/Low Threats", "type": "main", "index": 0 } ] ] }, "Merge All Threat Data": { "main": [ [ { "node": "Analyze & Detect Threats", "type": "main", "index": 0 } ] ] }, "Create Security Ticket": { "main": [ [ { "node": "Merge All Paths", "type": "main", "index": 1 } ] ] }, "Log Medium/Low Threats": { "main": [ [ { "node": "Store in Database", "type": "main", "index": 0 } ] ] }, "Generate Summary Report": { "main": [ [ { "node": "Send Summary to Monitoring Channel", "type": "main", "index": 0 } ] ] }, "Analyze & Detect Threats": { "main": [ [ { "node": "Check Threat Severity", "type": "main", "index": 0 } ] ] }, "Create PagerDuty Incident": { "main": [ [ { "node": "Merge All Paths", "type": "main", "index": 0 } ] ] }, "Send Email Alert - Detailed": { "main": [ [ { "node": "Create Security Ticket", "type": "main", "index": 0 } ] ] }, "Send Slack Alert - Critical": { "main": [ [ { "node": "Create PagerDuty Incident", "type": "main", "index": 0 } ] ] }, "Fetch Threat Intelligence Feed": { "main": [ [ { "node": "Merge All Threat Data", "type": "main", "index": 1 } ] ] }, "Fetch Vulnerability Scan Results": { "main": [ [ { "node": "Merge All Threat Data", "type": "main", "index": 1 } ] ] }, "Schedule Trigger - Every 15 Minutes": { "main": [ [ { "node": "Fetch Network Logs", "type": "main", "index": 0 }, { "node": "Fetch Vulnerability Scan Results", "type": "main", "index": 0 }, { "node": "Fetch Threat Intelligence Feed", "type": "main", "index": 0 } ] ] }, "Verify Email (BillionVerify)": { "main": [ [ { "node": "IF deliverable", "type": "main", "index": 0 } ] ] }, "IF deliverable": { "main": [ [ { "node": "Send Email Alert - Detailed", "type": "main", "index": 0 } ], [] ] } }, "settings": { "executionOrder": "v1" } }