mariskarthick

An open-source enthusiast driving next-gen Detection Engineering, Threat Hunting, and SOC Automation, turning ideas into tools that help security teams detect and respond faster than ever.


Templates by mariskarthick

Automate Wazuh alert triage and reporting with GPT-4o-mini and Telegram

🚨 Are alert storms overwhelming your Security Operations workflows? This n8n workflow supercharges your SOC by fully automating triage, analysis, and notification for Wazuh alerts, blending event-driven automation, OpenAI-powered contextual analysis, and real-time collaboration for incident response.

🔑 Key Features:

✅ Automated Triage: Instantly filters Wazuh alerts by severity to focus analyst effort on the signals that matter.
🤖 AI-Driven Investigation Reports: Uses OpenAI's GPT-4o-mini to auto-generate context-rich incident reports, including:
  - MITRE Tactic & Technique mapping
  - Impacted scope (IP addresses, hostnames)
  - External artifact reputation checks
  - Actionable security recommendations
  - Fully customizable prompt format aligned with your SOC playbooks
📡 Multi-Channel Notification: Delivers clean, actionable reports directly to your SOC team via Telegram. Easily extendable to Slack, Outlook, Gmail, Discord, or any other preferred channel.
🔇 Noise Reduction: Eliminates alert fatigue using smart filters and custom AI prompts that suppress false positives and highlight real threats.
🔧 Fully Customizable: Tweak severity thresholds, update prompt logic, or integrate additional data sources and channels, all with minimal effort.

---

⚙️ How It Works

1. Webhook: Listens for incoming Wazuh alerts in real time.
2. If Condition: Filters based on severity (1 low, 2 medium, etc.) or other logic you define.
3. AI Investigation (LangChain + OpenAI): Summarizes the full alert logs and context using custom prompts to generate an Incident Overview, Key Indicators, Log Analysis, Threat Classification, Risk Assessment, and Security Recommendations.
4. Notification Delivery: The report is parsed, cleaned, and sent to your SOC team in real time, enabling rapid response even during high alert volumes.
5. No-Op Path: Efficiently discards irrelevant alerts without breaking the flow.

---

🧠 Why n8n + AI?

Traditional alert triage is manual, slow, and error-prone, leading to analyst burnout and missed critical threats. This workflow shows how combining workflow automation with a tailored AI model enables your SOC to shift from reactive to proactive. Analysts can now:
- Focus on critical investigations
- Respond to alerts faster
- Eliminate copy-paste fatigue
- Get instant contextual summaries

> ⚠️ Note: We learned that generic AI isn't enough. Context-rich prompts and alignment with your actual SOC processes are key to meaningful, scalable automation.

---

🚀 Ready to build a smarter, less stressful SOC? Clone this workflow, adapt it to your processes, and never miss a critical alert again.

📬 Contributions welcome! Feel free to raise PRs, suggest new enhancements, or fork for your own use cases.

---

Created by Mariskarthick M
Senior Security Analyst | Detection Engineer | Threat Hunter | Open-Source Enthusiast


Cybersecurity assistant with GPT-4, Telegram bot & command execution

QuantumDefender AI is a next-generation intelligent cybersecurity assistant designed to harness the symbolic strength of quantum computing's promise alongside cutting-edge AI capabilities. This sophisticated agent empowers SOC analysts, red teamers, and security researchers with rapid threat investigation, operational automation, and intelligent command execution, all driven by GPT-4 and integrated tools, accessible through Telegram or any other medium.

---

🔑 Key Features:

- Expert-Level Cybersecurity Research & Analysis: Leverages powerful AI models to deliver clean, detailed, domain-specific insights across detection, remediation, and offensive security.
- Command & Control: Executes Linux shell commands, autonomous scripts, and system operations securely in isolated environments.
- Real-Time Web Intelligence: Utilizes the integrated Langsearch API to provide timely internet research with contextual relevance.
- Calendar & Scheduling Automation: Manage Google Calendar events, or those of any similar application (create, update, delete, retrieve), dynamically from chat.
- Multi-Tool Orchestration: Combines calculator functions, internet searches, command execution, and messaging for comprehensive operational support.
- Telegram-native Chatbot: Delivers an adaptive, memory-informed, and interactive conversational experience with immediate typing indicators and high responsiveness.

---

Conversation & Session Management:

- Maintains context-aware, session-based memory to enable smooth, multi-turn dialogues with individual users.
- Sends "typing…" indicators during processing to ensure an interactive, user-friendly chat experience.
- Operates exclusively within Telegram, delivering rich, timely responses and leveraging all Telegram bot capabilities.

---

Execution Intelligence & Safety:

- Fully autonomous in deciding which tools to invoke, how frequently, and in what sequence to fulfill user requests comprehensively and responsibly.
- Operates within a secure temporary folder environment to contain all command executions safely and avoid persistent or harmful side effects.
- Enforces strict safety protocols to avoid running malicious or destructive commands, maintaining ethical standards and compliance.

---

Use Cases:

- Cybersecurity researchers and operators seeking an intelligent assistant to accelerate investigations and automate routine tasks.
- Red team professionals requiring on-the-fly command execution and information gathering integrated with tactical chat interactions.
- SOC teams aiming to augment their alert triage and incident handling workflows with AI-powered analysis and action.
- Anyone looking for a robust multi-tool AI chatbot integrated with real-world operational capabilities.

---

Setup Requirements:

- OpenAI API key for GPT-4.1-nano language processing.
- Telegram Bot API credentials with proper webhook setup to receive and respond to messages.
- Google OAuth credentials for Calendar integration, if calendar features are used.
- SSH access credentials for executing commands on remote hosts, if remote execution is enabled.
- Internet connectivity for the Langsearch web search API.

---

Customization & Extensibility:

The workflow is built modularly with n8n's flexible node system. Users can extend it by adding more tools, integrating other services (ticketing, threat intel, scanning tools), or modifying interaction logic to suit specialized operational needs and environments.


Auto remediate endpoint infections with Wazuh, ClamAV, and GPT-4

Reduce human delays between malware detection and remediation in MSSP/SOC environments. This workflow automates a full endpoint antivirus scan immediately after a high-severity endpoint-infection Wazuh alert, closing the gap between alerting and action.

Why Use This Workflow?

Malware alerts are only effective if acted upon swiftly. Manual follow-ups are slow or often missed, letting threats persist. This workflow:
- Automates detection, triage, scan initiation, and notification, all within one minute of alerting.
- Ensures consistent, auditable actions across endpoints running Linux or Windows.

---

🔑 Key Features

- Listens for high-severity Wazuh AV infection alerts (e.g., rule 52502).
- Uses GPT-4 for AI-powered alert summaries to speed triage and decision making.
- Extracts exact infected file paths using AI and regex for targeted scanning.
- Runs ClamAV/Defender scans directly on endpoints via SSH with least-privilege credentials.
- Sends real-time scan results and remediation updates through Telegram, Slack, or email.
- Runs locally with limited permissions; no need for elevated Wazuh manager access.

---

🎯 Impact

- Eliminates manual lag: scans start automatically and immediately.
- Standardizes response playbooks for reliable, repeatable remediation.
- Reduces threat dwell time, minimizing risk exposure.
- Provides full event-to-remediation visibility via logs and notifications.

---

🚀 Get Started

1. Configure Wazuh Manager to forward AV alerts to this n8n webhook.
2. Import this workflow JSON into your n8n instance.
3. Set up the required credentials: OpenAI API, SSH access for ClamAV scanning, and notification channels (Telegram/Slack/email).
4. Activate the workflow and monitor alerts triggering automated scans and reports.

---

📂 Enjoy customizing

- Swap ClamAV with your preferred antivirus commands (e.g., Defender) as needed.
- Integrate with your existing communication or ticketing systems.
- Extend or adapt for multi-endpoint orchestration or other alert rules.


Automated Wazuh rule deployment pipeline with GitHub, XML validation & Telegram alerts

🚀 Say Goodbye to Manual Rule Deployments in Wazuh! Just Commit and Let Your Pipeline Auto-Deploy via GitHub + n8n 🎯

👨‍💻 Tired of This Endless Cycle?

Create rule → Validate → Copy to server → Restart Wazuh → Notify team

Repeat that every week and you're spending more time deploying than detecting. What if one GitHub commit could do it all automatically? ✅ Validate ✅ Deploy ✅ Restart ✅ Notify, without touching the server. Well, this workflow does just that.

🔥 Presenting: ⚡️ Git-Powered Wazuh Rule Deployment Using n8n

---

🧠 What This Workflow Does in 10 Seconds, Automatically:

✅ Watches GitHub commits and triggers only if the commit message contains deploy-wazuh
✅ Checks if the commit author is allowed
✅ Sends contextual SOC notifications about the deployment attempt
🧪 Downloads & validates the rule XML using xmllint
📦 Uploads to the Wazuh Manager node only if validation succeeds
♻️ Restarts the Wazuh Manager and verifies that the rules load
📢 Sends an alert to your team on Telegram (or another medium) with the result: success/failure and reasons

---

🧠 Why Detection Engineers Will Love This:

⏱️ Saves hours weekly: just commit & chill
🕒 Zero-delay deployments: go live instantly
🧪 Stops bad rules before they crash your SIEM
🔁 Rapid iteration: build, commit, done
🧘 No babysitting: the pipeline handles everything
📊 Informative alerts like: "Rule custommalwarealert.xml deployed by Mariskarthick – Validation ✅ – Restart 🔁 Completed"

---

📌 Perfect For:

🛡️ Detection Engineers deploying rules weekly
🏢 MSSPs with multiple Wazuh environments
🚨 Threat Intel teams needing rapid turnaround

---

💥 This Isn't Just Automation, It's Detection Engineering at Its Finest.

Let your GitHub commits trigger real-time rule deployment, with validation, restart, and SOC alerts built in. Commit. Deploy. Detect.
