n8nauto
Get Started

Automate SIEM Alert Enrichment with MITRE ATT&CK, Qdrant & Zendesk in n8n

Automate the enrichment of Security Information and Event Management (SIEM) alerts by integrating MITRE ATT&CK data directly into your Zendesk tickets. This n8n workflow streamlines the process by first pulling MITRE ATT&CK framework data from Google Drive, then embedding and storing this crucial context within a Qdrant vector database. When a new SIEM alert (represented here by a Zendesk ticket) is identified, the workflow queries Qdrant to retrieve relevant MITRE ATT&CK information, leveraging OpenAI for intelligent processing and enrichment, before finally updating the corresponding Zendesk ticket with the enriched data. This solution is invaluable for cybersecurity analysts and SOC teams who need to quickly understand the context and potential threat actors behind alerts, drastically reducing manual research time and improving incident response efficiency by providing immediate, actionable intelligence within their existing ticketing system.

26 nodesmanual trigger217 views0 copiesOther
Google DriveQdrantZendeskOpenAI

Workflow JSON

{"meta": {"instanceId": "cb484ba7b742928a2048bf8829668bed5b5ad9787579adea888f05980292a4a7", "templateCredsSetupCompleted": true}, "nodes": [{"id": "86ddd018-3d6b-46b9-aa93-dedd6c6b5076", "name": "When chat message received", "type": "@n8n/n8n-nodes-langchain.chatTrigger", "position": [-880, 360], "webhookId": "a9668bb8-bbe8-418a-b5c9-ff7dd431244f", "parameters": {"options": {}}, "typeVersion": 1.1}, {"id": "a5ba5090-8e3b-4408-82df-92d2c524039e", "name": "AI Agent", "type": "@n8n/n8n-nodes-langchain.agent", "position": [-680, 360], "parameters": {"options": {"systemMessage": "You are a cybersecurity expert trained on MITRE ATT&CK and enterprise incident response. Your job is to:\n1. Extract TTP information from SIEM data.\n2. Provide actionable remediation steps tailored to the alert.\n3. Cross-reference historical patterns and related alerts.\n4. Recommend external resources for deeper understanding.\n\nEnsure that:\n- TTPs are tagged with the tactic, technique name, and technique ID.\n- Remediation steps are specific and actionable.\n- Historical data includes related alerts and notable trends.\n- External links are relevant to the observed behavior.\n"}}, "typeVersion": 1.7}, {"id": "67c52944-b616-4ea6-9507-e9fb6fcdbe2b", "name": "OpenAI Chat Model", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [-740, 580], "parameters": {"model": "gpt-4o", "options": {}}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1}, {"id": "55f6c16a-51ed-45e4-a1ab-aaaf1d7b5733", "name": "Split Out", "type": "n8n-nodes-base.splitOut", "position": [-720, 1220], "parameters": {"options": {}, "fieldToSplitOut": "data"}, "typeVersion": 1}, {"id": "46a5b8c6-3d34-4e9b-b812-23135f28c278", "name": "Embeddings OpenAI1", "type": "@n8n/n8n-nodes-langchain.embeddingsOpenAi", "position": [-580, 1420], "parameters": {"options": {}}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1.2}, {"id": "561b0737-26d5-450d-bd9e-08e0a608d6f9", "name": "Default Data Loader", "type": "@n8n/n8n-nodes-langchain.documentDefaultDataLoader", "position": [-460, 1440], "parameters": {"options": {"metadata": {"metadataValues": [{"name": "id", "value": "={{ $json.id }}"}, {"name": "name", "value": "={{ $json.name }}"}, {"name": "killchain", "value": "={{ $json.kill_chain_phases }}"}, {"name": "external", "value": "={{ $json.external_references }}"}]}}, "jsonData": "={{ $json.description }}", "jsonMode": "expressionData"}, "typeVersion": 1}, {"id": "6e8a4aed-7e8c-492a-b816-6ab1a98c312a", "name": "Token Splitter1", "type": "@n8n/n8n-nodes-langchain.textSplitterTokenSplitter", "position": [-460, 1620], "parameters": {}, "typeVersion": 1}, {"id": "0c54049e-b5e8-448f-b864-39aeb274de3e", "name": "Window Buffer Memory", "type": "@n8n/n8n-nodes-langchain.memoryBufferWindow", "position": [-580, 580], "parameters": {}, "typeVersion": 1.3}, {"id": "96b776a0-10da-4f70-99d0-ad6b6ee8fcca", "name": "Embeddings OpenAI2", "type": "@n8n/n8n-nodes-langchain.embeddingsOpenAi", "position": [-460, 720], "parameters": {"model": "text-embedding-3-large", "options": {"dimensions": 1536}}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1.2}, {"id": "695fba89-8f42-47c3-9d86-73f4ea0e72df", "name": "Extract from File", "type": "n8n-nodes-base.extractFromFile", "position": [-920, 1220], "parameters": {"options": {}, "operation": "fromJson"}, "typeVersion": 1}, {"id": "0b9897b0-149b-43ce-b66c-e78552729aa5", "name": "When clicking \u2018Test workflow\u2019", "type": "n8n-nodes-base.manualTrigger", "position": [-1360, 1220], "parameters": {}, "typeVersion": 1}, {"id": "d8c29a14-0389-4748-a9de-686bf9a682c5", "name": "AI Agent1", "type": "@n8n/n8n-nodes-langchain.agent", "position": [-540, -440], "parameters": {"text": "=Siem Alert Data:\nAlert: {{ $json.raw_subject }}\nDescription: {{ $json.description }}", "options": {"systemMessage": "You are a cybersecurity expert trained on MITRE ATT&CK and enterprise incident response. Your job is to:\n1. Extract TTP information from SIEM data.\n2. Provide actionable remediation steps tailored to the alert.\n3. Cross-reference historical patterns and related alerts.\n4. Recommend external resources for deeper understanding.\n\nEnsure that:\n- TTPs are tagged with the tactic, technique name, and technique ID.\n- Remediation steps are specific and actionable.\n- Historical data includes related alerts and notable trends.\n- External links are relevant to the observed behavior.\n\nPlease output your response in html format, but do not include ```html at the beginning \n"}, "promptType": "define", "hasOutputParser": true}, "typeVersion": 1.7}, {"id": "55d0b00a-5046-45fa-87cb-cb0257caae87", "name": "OpenAI Chat Model1", "type": "@n8n/n8n-nodes-langchain.lmChatOpenAi", "position": [-600, -220], "parameters": {"model": "gpt-4o", "options": {}}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1}, {"id": "9b53566b-e021-403d-9d78-28504c5c1dfa", "name": "Embeddings OpenAI", "type": "@n8n/n8n-nodes-langchain.embeddingsOpenAi", "position": [-320, -40], "parameters": {"model": "text-embedding-3-large", "options": {"dimensions": 1536}}, "credentials": {"openAiApi": {"id": "", "name": "[Your openAiApi]"}}, "typeVersion": 1.2}, {"id": "f3b44ef5-e928-4662-81ef-4dd044829607", "name": "Loop Over Items", "type": "n8n-nodes-base.splitInBatches", "position": [-940, -440], "parameters": {"options": {}}, "typeVersion": 3}, {"id": "cc572b71-65c9-460c-bdcd-1d20feb15b32", "name": "Sticky Note", "type": "n8n-nodes-base.stickyNote", "position": [-1460, 940], "parameters": {"color": 7, "width": 1380, "height": 820, "content": "![n8n](https://uploads.n8n.io/templates/qdrantlogo.png)\n## Embed your Vector Store\nTo provide data for your Vector store, you need to pass it in as JSON, and ensure it's setup correctly. This flow pulls the JSON file from Google Drive and extracts the JSON data and then passes it into the qdrant collection. "}, "typeVersion": 1}, {"id": "d5052d52-bec2-4b70-b460-6d5789c28d2c", "name": "Sticky Note1", "type": "n8n-nodes-base.stickyNote", "position": [-1460, 220], "parameters": {"color": 7, "width": 1380, "height": 680, "content": "![n8n](https://uploads.n8n.io/templates/n8n.png)\n## Talk to your Vector Store\nNow that your vector store has been updated with the embedded data, \nyou can use the n8n chat interface to talk to your data using OpenAI, \nOllama, or any of our supported LLMs."}, "typeVersion": 1}, {"id": "5cb478f6-17f3-4d7a-9b66-9e0654bd1dc9", "name": "Sticky Note2", "type": "n8n-nodes-base.stickyNote", "position": [-1460, -700], "parameters": {"color": 7, "width": 2140, "height": 900, "content": "![Servicenow](https://uploads.n8n.io/templates/zendesk.png)\n## Deploy your Vector Store\nThis flow adds contextual information to your tickets using the Mitre Attack framework to help contextualize the ticket data."}, "typeVersion": 1}, {"id": "71ee28f5-84a2-4c6c-855a-6c7c09b2d62a", "name": "Structured Output Parser", "type": "@n8n/n8n-nodes-langchain.outputParserStructured", "position": [0, -160], "parameters": {"jsonSchemaExample": "{\n \"ttp_identification\": {\n \"alert_summary\": \"The alert indicates a check-in from the NetSupport RAT, a known Remote Access Trojan, suggesting command and control (C2) communication.\",\n \"mitre_attack_ttps\": [\n {\n \"tactic\": \"Command and Control\",\n \"technique\": \"Protocol or Service Impersonation\",\n \"technique_id\": \"T1001.003\",\n \"description\": \"The RAT's check-in over port 443 implies potential masquerading of its traffic as legitimate SSL/TLS traffic, a tactic often used to blend C2 communications with normal web traffic.\",\n \"reference\": \"https://attack.mitre.org/techniques/T1001/003/\"\n }\n ]\n },\n \"remediation_steps\": {\n \"network_segmentation\": {\n \"action\": \"Isolate the affected host\",\n \"target\": \"10.11.26.183\",\n \"reason\": \"Prevents further C2 communication or lateral movement.\"\n },\n \"endpoint_inspection\": {\n \"action\": \"Perform a thorough inspection\",\n \"target\": \"Impacted endpoint\",\n \"method\": \"Use endpoint detection and response (EDR) tools to check for additional persistence mechanisms.\"\n },\n \"network_traffic_analysis\": {\n \"action\": \"Investigate and block unusual traffic\",\n \"target\": \"IP 194.180.191.64\",\n \"method\": \"Implement blocks for the IP across the firewall or IDS/IPS systems.\"\n },\n \"system_patching\": {\n \"action\": \"Ensure all systems are updated\",\n \"method\": \"Apply the latest security patches to mitigate vulnerabilities exploited by RAT malware.\"\n },\n \"ioc_hunting\": {\n \"action\": \"Search for Indicators of Compromise (IoCs)\",\n \"method\": \"Check for NetSupport RAT IoCs across other endpoints within the network.\"\n }\n },\n \"historical_patterns\": {\n \"network_anomalies\": \"Past alerts involving similar attempts to use standard web ports (e.g., 80, 443) for non-standard applications could suggest a broader attempt to blend malicious traffic into legitimate streams.\",\n \"persistence_tactics\": \"Any detection of anomalies in task scheduling or shortcut modifications may indicate persistence methods similar to those used by RATs.\"\n },\n \"external_resources\": [\n {\n \"title\": \"ESET Report on Okrum and Ketrican\",\n \"description\": \"Discusses similar tactics involving protocol impersonation and C2.\",\n \"url\": \"https://www.eset.com/int/about/newsroom/research/okrum-ketrican/\"\n },\n {\n \"title\": \"Malleable C2 Profiles\",\n \"description\": \"Document on crafting custom C2 traffic profiles similar to the targeting methods used by NetSupport RAT.\",\n \"url\": \"https://www.cobaltstrike.com/help-malleable-c2\"\n },\n {\n \"title\": \"MITRE ATT&CK Technique Overview\",\n \"description\": \"Overview of Protocol or Service Impersonation tactics.\",\n \"url\": \"https://attack.mitre.org/techniques/T1001/003/\"\n }\n ]\n}\n"}, "typeVersion": 1.2}, {"id": "3aeb973d-22e5-4eaf-8fe8-fae3447909e1", "name": "Pull Mitre Data From Gdrive", "type": "n8n-nodes-base.googleDrive", "position": [-1140, 1220], "parameters": {"fileId": {"__rl": true, "mode": "list", "value": "1oWBLO5AlIqbgo9mKD1hNtx92HdC6O28d", "cachedResultUrl": "https://drive.google.com/file/d/1oWBLO5AlIqbgo9mKD1hNtx92HdC6O28d/view?usp=drivesdk", "cachedResultName": "cleaned_mitre_attack_data.json"}, "options": {}, "operation": "download"}, "credentials": {"googleDriveOAuth2Api": {"id": "", "name": "[Your googleDriveOAuth2Api]"}}, "typeVersion": 3}, {"id": "3b35633c-de80-4062-8497-cb65092d5708", "name": "Embed JSON in Qdrant Collection", "type": "@n8n/n8n-nodes-langchain.vectorStoreQdrant", "position": [-520, 1220], "parameters": {"mode": "insert", "options": {}, "qdrantCollection": {"__rl": true, "mode": "id", "value": "mitre"}}, "credentials": {"qdrantApi": {"id": "", "name": "[Your qdrantApi]"}}, "typeVersion": 1}, {"id": "5f7f2fd8-276f-4b3a-ae88-1f1765967883", "name": "Query Qdrant Vector Store", "type": "@n8n/n8n-nodes-langchain.vectorStoreQdrant", "position": [-480, 580], "parameters": {"mode": "retrieve-as-tool", "options": {}, "toolName": "mitre_attack_vector_store", "toolDescription": "The mitre_attack_vector_store is a knowledge base trained on the MITRE ATT&CK framework. It is designed to help identify, correlate, and provide context for cybersecurity incidents based on textual descriptions of alerts, events, or behaviors. This tool leverages precomputed embeddings of attack techniques, tactics, and procedures (TTPs) to map user queries (such as SIEM-generated alerts or JIRA ticket titles) to relevant MITRE ATT&CK techniques.\n\nBy analyzing input text, the vector store can:\n\nRetrieve the most relevant MITRE ATT&CK entries (e.g., techniques, tactics, descriptions, external references).\nProvide structured context about potential adversary behaviors.\nSuggest remediation actions or detection methods based on the input.", "qdrantCollection": {"__rl": true, "mode": "list", "value": "mitre", "cachedResultName": "mitre"}}, "credentials": {"qdrantApi": {"id": "", "name": "[Your qdrantApi]"}}, "typeVersion": 1}, {"id": "298ffc29-1d60-4c05-92c6-a61071629a3f", "name": "Qdrant Vector Store query", "type": "@n8n/n8n-nodes-langchain.vectorStoreQdrant", "position": [-320, -200], "parameters": {"mode": "retrieve-as-tool", "options": {}, "toolName": "mitre_attack_vector_store", "toolDescription": "The mitre_attack_vector_store is a knowledge base trained on the MITRE ATT&CK framework. It is designed to help identify, correlate, and provide context for cybersecurity incidents based on textual descriptions of alerts, events, or behaviors. This tool leverages precomputed embeddings of attack techniques, tactics, and procedures (TTPs) to map user queries (such as SIEM-generated alerts or JIRA ticket titles) to relevant MITRE ATT&CK techniques.\n\nBy analyzing input text, the vector store can:\n\nRetrieve the most relevant MITRE ATT&CK entries (e.g., techniques, tactics, descriptions, external references).\nProvide structured context about potential adversary behaviors.\nSuggest remediation actions or detection methods based on the input.", "qdrantCollection": {"__rl": true, "mode": "list", "value": "mitre", "cachedResultName": "mitre"}}, "credentials": {"qdrantApi": {"id": "", "name": "[Your qdrantApi]"}}, "typeVersion": 1}, {"id": "c47f0ae6-106d-46da-afc3-f7afb86923ff", "name": "Get all Zendesk Tickets", "type": "n8n-nodes-base.zendesk", "position": [-1180, -440], "parameters": {"options": {}, "operation": "getAll"}, "credentials": {"zendeskApi": {"id": "", "name": "[Your zendeskApi]"}}, "typeVersion": 1}, {"id": "0ec2c505-5721-41af-91c8-1b0b55826d9e", "name": "Update Zendesk with Mitre Data", "type": "n8n-nodes-base.zendesk", "position": [0, -360], "parameters": {"id": "={{ $('Loop Over Items').item.json.id }}", "operation": "update", "updateFields": {"internalNote": "=Summary: {{ $json.output.ttp_identification.alert_summary }}\n\n", "customFieldsUi": {"customFieldsValues": [{"id": 34479547176212, "value": "={{ $json.output.ttp_identification.mitre_attack_ttps[0].technique_id }}"}, {"id": 34479570659732, "value": "={{ $json.output.ttp_identification.mitre_attack_ttps[0].tactic }}"}]}}}, "credentials": {"zendeskApi": {"id": "", "name": "[Your zendeskApi]"}}, "typeVersion": 1}, {"id": "6a74a6d4-610a-4a13-afe4-7bb03d83d4c8", "name": "Move on to next ticket", "type": "n8n-nodes-base.noOp", "position": [360, -80], "parameters": {}, "typeVersion": 1}], "pinData": {}, "connections": {"AI Agent": {"main": [[]]}, "AI Agent1": {"main": [[{"node": "Update Zendesk with Mitre Data", "type": "main", "index": 0}]]}, "Split Out": {"main": [[{"node": "Embed JSON in Qdrant Collection", "type": "main", "index": 0}]]}, "Loop Over Items": {"main": [[], [{"node": "AI Agent1", "type": "main", "index": 0}]]}, "Token Splitter1": {"ai_textSplitter": [[{"node": "Default Data Loader", "type": "ai_textSplitter", "index": 0}]]}, "Embeddings OpenAI": {"ai_embedding": [[{"node": "Qdrant Vector Store query", "type": "ai_embedding", "index": 0}]]}, "Extract from File": {"main": [[{"node": "Split Out", "type": "main", "index": 0}]]}, "OpenAI Chat Model": {"ai_languageModel": [[{"node": "AI Agent", "type": "ai_languageModel", "index": 0}]]}, "Embeddings OpenAI1": {"ai_embedding": [[{"node": "Embed JSON in Qdrant Collection", "type": "ai_embedding", "index": 0}]]}, "Embeddings OpenAI2": {"ai_embedding": [[{"node": "Query Qdrant Vector Store", "type": "ai_embedding", "index": 0}]]}, "OpenAI Chat Model1": {"ai_languageModel": [[{"node": "AI Agent1", "type": "ai_languageModel", "index": 0}]]}, "Default Data Loader": {"ai_document": [[{"node": "Embed JSON in Qdrant Collection", "type": "ai_document", "index": 0}]]}, "Window Buffer Memory": {"ai_memory": [[{"node": "AI Agent", "type": "ai_memory", "index": 0}]]}, "Move on to next ticket": {"main": [[{"node": "Loop Over Items", "type": "main", "index": 0}]]}, "Get all Zendesk Tickets": {"main": [[{"node": "Loop Over Items", "type": "main", "index": 0}]]}, "Structured Output Parser": {"ai_outputParser": [[{"node": "AI Agent1", "type": "ai_outputParser", "index": 0}]]}, "Qdrant Vector Store query": {"ai_tool": [[{"node": "AI Agent1", "type": "ai_tool", "index": 0}]]}, "Query Qdrant Vector Store": {"ai_tool": [[{"node": "AI Agent", "type": "ai_tool", "index": 0}]]}, "When chat message received": {"main": [[{"node": "AI Agent", "type": "main", "index": 0}]]}, "Pull Mitre Data From Gdrive": {"main": [[{"node": "Extract from File", "type": "main", "index": 0}]]}, "Update Zendesk with Mitre Data": {"main": [[{"node": "Move on to next ticket", "type": "main", "index": 0}]]}, "When clicking \u2018Test workflow\u2019": {"main": [[{"node": "Pull Mitre Data From Gdrive", "type": "main", "index": 0}]]}}}

How to Import This Workflow

  1. 1Copy the workflow JSON above using the Copy Workflow JSON button.
  2. 2Open your n8n instance and go to Workflows.
  3. 3Click Import from JSON and paste the copied workflow.

Don't have an n8n instance? Start your free trial at n8nautomation.cloud

Related Templates

Visualize your SQL Agent queries with OpenAI and Quickchart.io

Visualize your SQL Agent queries with OpenAI and Quickchart.io empowers you to instantly transform complex SQL Agent query results into insightful charts and graphs, all through a simple chat interface. This workflow connects an OpenAI Chat Model to interpret your chat messages, determine if a chart is needed using a Text Classifier, and then leverages Quickchart.io by generating a chart definition with structured output via an HTTP Request node. It automates the entire process from receiving a chat message to extracting the user's question, passing it to an AI Agent, and then conditionally generating and displaying a chart, saving significant time and effort for data analysts, developers, and business intelligence professionals who frequently need to visualize their SQL data. By automating chart generation, this workflow eliminates the manual steps of data extraction, chart selection, and configuration, allowing users to quickly gain visual insights from their SQL Agent queries without needing to switch between multiple tools or possess advanced charting skills.

19 nodes

Integrating AI with Open-Meteo API for Enhanced Weather Forecasting

Enhance your weather forecasting capabilities by integrating artificial intelligence with real-time meteorological data. This workflow automates the process of generating detailed weather forecasts based on user queries, leveraging the power of OpenAI to interpret requests and the Open-Meteo API to retrieve accurate weather information. It connects a chat interface, triggered by a "When chat message received" node, directly to a Generic AI Tool Agent. This agent then intelligently utilizes two custom tools: one to convert a city name into geographical coordinates via an HTTP request, and another to fetch the weather forecast from Open-Meteo using those coordinates, all while maintaining conversational context with the Chat Memory Buffer. This setup is ideal for developers building intelligent assistants, businesses needing dynamic weather insights for logistics or event planning, or anyone requiring an AI-driven, conversational interface for weather information, solving the challenge of manually looking up forecasts and providing a more intuitive user experience. By automating the data retrieval and interpretation, this workflow significantly reduces the time and effort involved in accessing and understanding weather patterns, allowing for quicker decision-making and improved operational efficiency.

12 nodes

Qualify replies from Pipedrive persons with AI

Automate the qualification of inbound email replies from Pipedrive contacts using artificial intelligence. This workflow connects Gmail and OpenAI to your Pipedrive CRM, streamlining your lead nurturing process. When a new email arrives in either of your specified Gmail inboxes (Email box 1 or Email box 2), the workflow searches for the sender as a person in Pipedrive. It then retrieves their full person details and sends the email content to OpenAI for an AI-powered assessment of interest (Is interested?). Based on OpenAI's response, if the person is deemed interested, a new deal is automatically created in Pipedrive, ensuring hot leads are immediately acted upon. This is ideal for sales teams, marketers, and business development professionals who receive a high volume of email replies and need to quickly identify and prioritize genuinely interested prospects, saving significant manual review time and accelerating sales cycles.

11 nodes

Ready to automate with n8n?

Get affordable managed n8n hosting with 24/7 support.