Automated Malicious File Detection and Alert Workflow


This n8n workflow automates the detection, analysis, and alerting process for potentially malicious files detected by Wazuh. It receives alerts via a webhook, extracts relevant Indicators of Compromise (IOCs), enriches data through VirusTotal, and generates a detailed HTML summary of the threat. If a file is suspected of being malicious or suspicious, the workflow automatically notifies security teams via Slack, creates incidents in ServiceNow, and sends email alerts for quick response. The visual HTML report aids in quick understanding of the threat level, filename, hash, and classification, streamlining incident response and threat management.

Step-by-step process:

1. The workflow is triggered by a Wazuh webhook receiving file integrity alerts.

2. The alert details are extracted, including MD5, SHA1, SHA256 hashes, and other metadata.

3. An initial HTML summary template prepares a clear threat report.

4. The SHA256 hash is looked up in VirusTotal to gather detection stats, reputation, threat labels, and tags.

5. A summary JSON object is created, embedding all relevant information and a status indicating if the file is ‘Safe’ or ‘Suspicious’.

6. The workflow branches on that status; only files flagged as ‘Suspicious’ proceed to the notification steps.

7. Notifications are sent via Slack, ServiceNow incident creation, and email alerts containing the threat summary.
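The seven steps above, as an added worked example in JavaScript (the language of an n8n Code node). This is not the template's own code: it assumes Wazuh's syscheck field names (`sha256_after`, `path`) and the VirusTotal v3 file-object layout (`last_analysis_stats`, `popular_threat_classification`), uses a constructed alert and a constructed VirusTotal response so it runs offline, treats the Safe/Suspicious threshold as an assumption, and escapes alert-supplied fields before they reach the HTML report that Slack, ServiceNow and email will render.

```javascript
// Added example (not the template's own code): the workflow's core logic as a
// standalone Node.js script, in the shape an n8n Code node would use.
// Field names for the Wazuh syscheck alert and the VirusTotal v3 file object
// are assumptions; the sample alert and VirusTotal response are constructed.

const SHA256_RE = /^[0-9a-f]{64}$/i;

// Constructed Wazuh file-integrity alert (hash values are those of an empty file).
const SAMPLE_ALERT = {
  rule: { id: "554", description: "File added to the system." },
  agent: { name: "web-01" },
  syscheck: {
    path: "/tmp/invoice.exe",
    md5_after: "d41d8cd98f00b204e9800998ecf8427e",
    sha1_after: "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    sha256_after: "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
  },
};

// Constructed stand-in for GET https://www.virustotal.com/api/v3/files/{sha256}
// (the real call needs an x-apikey header; this runs offline).
const SAMPLE_VT_RESPONSE = {
  data: {
    attributes: {
      last_analysis_stats: { malicious: 12, suspicious: 1, undetected: 50, harmless: 0 },
      popular_threat_classification: { suggested_threat_label: "trojan.generic/example" },
      reputation: -5,
      tags: ["peexe"],
    },
  },
};

// Step 2: pull the IOCs out of the alert and reject a malformed SHA256 before it
// is interpolated into a VirusTotal URL.
function extractIocs(alert) {
  const fim = (alert && alert.syscheck) || {};
  const sha256 = String(fim.sha256_after || "");
  if (!SHA256_RE.test(sha256)) {
    throw new Error("alert has no valid sha256_after; refusing to query VirusTotal");
  }
  return {
    agent: (alert.agent && alert.agent.name) || "unknown",
    path: fim.path || "",
    md5: fim.md5_after || null,
    sha1: fim.sha1_after || null,
    sha256: sha256.toLowerCase(),
  };
}

// Steps 4-5: turn the VirusTotal verdict into the workflow's Safe/Suspicious status.
// Threshold (assumed): any engine reporting malicious or suspicious flags the file.
function buildSummary(iocs, vtResponse) {
  const attrs = (vtResponse && vtResponse.data && vtResponse.data.attributes) || {};
  const stats = attrs.last_analysis_stats || {};
  const malicious = stats.malicious || 0;
  const suspicious = stats.suspicious || 0;
  const ptc = attrs.popular_threat_classification || {};
  return {
    ...iocs,
    detections: { malicious, suspicious, undetected: stats.undetected || 0, harmless: stats.harmless || 0 },
    reputation: attrs.reputation ?? null,
    threatLabel: ptc.suggested_threat_label || null,
    tags: attrs.tags || [],
    status: malicious + suspicious > 0 ? "Suspicious" : "Safe",
  };
}

// Step 6: the branch in front of Slack / ServiceNow / email.
function shouldNotify(summary) {
  return summary.status === "Suspicious";
}

// Steps 3 and 7: the HTML report. Filename and threat label originate from the
// endpoint and the scanner, so they are escaped before landing in a message body.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

function renderHtml(s) {
  const color = s.status === "Suspicious" ? "#c0392b" : "#27ae60";
  return [
    `<h2 style="color:${color}">Status: ${escapeHtml(s.status)}</h2>`,
    `<p><b>Agent:</b> ${escapeHtml(s.agent)} <b>File:</b> ${escapeHtml(s.path)}</p>`,
    `<p><b>SHA256:</b> <code>${escapeHtml(s.sha256)}</code></p>`,
    `<p><b>Detections:</b> ${s.detections.malicious} malicious, ${s.detections.suspicious} suspicious</p>`,
    `<p><b>Threat label:</b> ${escapeHtml(s.threatLabel || "n/a")}</p>`,
  ].join("\n");
}

// Stand-alone run over the constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  const summary = buildSummary(extractIocs(SAMPLE_ALERT), SAMPLE_VT_RESPONSE);
  console.log(renderHtml(summary));
  console.log(shouldNotify(summary) ? "-> notify Slack / ServiceNow / email" : "-> no action");
}
```

In the real workflow the `SAMPLE_VT_RESPONSE` object would be replaced by the HTTP Request node's output, and `renderHtml` feeds the Slack, ServiceNow and Gmail nodes; the SHA256 format check and the HTML escaping are the two defensive additions worth carrying over, since both the filename and the lookup key arrive from the monitored host rather than from the SOC.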

Practical use case:

Security teams can deploy this workflow to automate real-time monitoring and responses for file integrity alerts, ensuring rapid incident management and minimizing potential harm from malicious files.

Node Count

11 – 20 Nodes

Nodes Used

code, gmail, html, httpRequest, serviceNow, slack, stickyNote, switch, webhook
