n8n IP Reputation Check and SOC Alert Workflow

This n8n workflow automates the process of checking IP reputation for SOC alerts and notifying relevant teams via Slack, email, or ServiceNow. It's designed to integrate with Splunk, VirusTotal, and AlienVault (though specific API calls for VirusTotal and AlienVault are not explicitly defined in the provided JSON, the structure allows for their integration).

What it does

This workflow streamlines the handling of security alerts by:

1. Receiving Alerts: It starts by listening for incoming SOC alerts via a webhook. These alerts are expected to contain IP addresses that need reputation checking.
2. IP Reputation Check: It performs an HTTP request, likely to an IP reputation service (e.g., VirusTotal, AlienVault, or a custom threat intelligence feed), to gather information about the provided IP address.
3. Conditional Routing: Based on the results of the IP reputation check, it uses a Switch node to route the alert to different notification channels.
4. Notification:
   • Slack: If certain conditions are met (e.g., high-severity threat), it can post an alert to a designated Slack channel.
   • Gmail: It can send an email notification, potentially to a security team or incident responder.
   • ServiceNow: It can create or update an incident in ServiceNow for formal incident management.
5. Data Transformation (Optional): Includes nodes like Code and HTML which can be used for advanced data manipulation, parsing, or formatting of the alert data before sending notifications, though their specific configuration is not detailed in the JSON.
6. Merging Data: A Merge node is present, suggesting that data from different branches or steps might be combined at certain points in the workflow, for example, aggregating reputation results before a final notification.

Prerequisites/Requirements

To use this workflow, you will need:

• n8n Instance: A running n8n instance.
• Webhook Source: A system (e.g., Splunk) configured to send security alerts to the n8n webhook URL.
• API Endpoints: Access to IP reputation APIs (e.g., VirusTotal, AlienVault, or other threat intelligence platforms) and their corresponding API keys/credentials.
• Slack Account: A Slack workspace and a Slack API token/credential configured in n8n for sending messages.
• Gmail Account: A Google account with Gmail access and a Gmail credential configured in n8n for sending emails.
• ServiceNow Account: A ServiceNow instance and credentials configured in n8n for creating/updating incidents.

Setup/Usage

1. Import the Workflow: Import the provided JSON into your n8n instance.
2. Configure Webhook:
   • Activate the Webhook node and copy its test or production URL.
   • Configure your alert source (e.g., Splunk) to send alerts to this URL.
3. Configure Credentials:
   • Set up credentials for Slack, Gmail, and ServiceNow in your n8n instance.
   • Ensure the HTTP Request node is configured with the correct API endpoint and authentication for your chosen IP reputation service.
4. Customize Nodes:
   • HTTP Request: Adjust the URL, headers, and body to query your specific IP reputation service.
   • Switch: Define the conditions for routing alerts based on the reputation check results (e.g., if (ip_score > 70)).
   • Slack: Customize the channel, message content, and formatting for Slack notifications.
   • Gmail: Configure the recipient, subject, and body for email alerts.
   • ServiceNow: Define the table, fields, and values for creating or updating incidents in ServiceNow.
   • Code/HTML: If needed, configure these nodes to transform or parse data according to your requirements.
5. Activate the Workflow: Once configured, activate the workflow to start processing alerts.