
Auto remediate endpoint infections with Wazuh, ClamAV, and GPT-4

mariskarthick
2/3/2026

Reduce the human delay between malware detection and remediation in MSSP/SOC environments. This workflow starts a full endpoint antivirus scan as soon as Wazuh raises a high-severity endpoint-infection alert, closing the gap between alerting and action.

Why Use This Workflow?

Malware alerts are only effective if acted upon swiftly. Manual follow-ups are slow and often missed, letting threats persist.

Automates detection, triage, scan initiation, and notification—all within one minute of alerting.

Ensures consistent, auditable actions across endpoints running Linux or Windows.


🔑 Key Features

Listens for high-severity Wazuh AV infection alerts (e.g., rule 52502, Wazuh's ClamAV "virus detected" rule).

Uses GPT-4 for AI-powered alert summaries to speed triage and decision making.

Extracts the infected file path from the alert (a regex over the ClamAV log line, assisted by the LLM) so the scan can be targeted at it.

Runs ClamAV (or Microsoft Defender) scans directly on endpoints over SSH, using least-privilege credentials.

Sends real-time scan results and remediation updates through Telegram, Slack, or email.

Runs locally with limited permissions—no need for elevated Wazuh manager access.


🎯 Impact

Eliminates manual lag—scans start automatically and immediately.

Standardizes response playbooks for reliable, repeatable remediation.

Reduces threat dwell time, minimizing risk exposure.

Provides full event-to-remediation visibility via logs and notifications.


🚀 Get Started

Configure the Wazuh manager to forward AV alerts to this workflow's n8n webhook.

Import this workflow JSON into your n8n instance.

Set up required credentials: OpenAI API, SSH access for ClamAV scanning, notification channels (Telegram/Slack/email).

Activate the workflow and watch alerts trigger automated scans and reports.
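One way to do step 1, as an added example that is not part of the template: a Wazuh custom integration script in Python, placed at /var/ossec/integrations/custom-n8n and made executable, which the manager runs for each matching alert and which posts a trimmed JSON payload to the webhook. The hook URL, the shared secret and the X-Wazuh-Signature header name are assumptions, and the alert in the block is constructed. The signature matters because the webhook URL is otherwise the only thing between anyone who learns it and your SSH step.

```python
#!/var/ossec/framework/python/bin/python3
"""Forward a Wazuh alert to the n8n webhook with an HMAC-SHA256 signature.

Example added to this page, not the template author's code. Wazuh invokes a
custom integration as:  custom-n8n <alert_file> <api_key> <hook_url>
Assumed matching block in /var/ossec/etc/ossec.conf:

  <integration>
    <name>custom-n8n</name>
    <hook_url>https://n8n.example.internal/webhook/wazuh-av</hook_url>
    <api_key>CHANGE_ME_SHARED_SECRET</api_key>
    <rule_id>52502</rule_id>
    <alert_format>json</alert_format>
  </integration>
"""
import hashlib
import hmac
import json
import sys
import urllib.request

# Constructed sample alert in Wazuh's JSON alert shape (not a real capture).
SAMPLE_ALERT = {
    "timestamp": "2026-02-03T09:14:02.000+0000",
    "rule": {"id": "52502", "level": 8, "description": "ClamAV: Virus detected"},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.12"},
    "full_log": "Tue Feb  3 09:14:02 2026 -> /home/app/eicar.com: Win.Test.EICAR_HDB-1 FOUND",
}


def load_alert(alert_file: str) -> dict:
    """Wazuh writes the alert as a JSON document to a temporary file."""
    with open(alert_file, encoding="utf-8") as fh:
        return json.loads(fh.read())


def build_payload(alert: dict) -> bytes:
    """Keep only what the workflow needs; fixed key order so the bytes are
    reproducible and the receiver can recompute the signature over them."""
    rule = alert.get("rule", {})
    agent = alert.get("agent", {})
    body = {
        "timestamp": alert.get("timestamp"),
        "rule_id": str(rule.get("id", "")),
        "level": int(rule.get("level", 0)),
        "description": rule.get("description", ""),
        "agent_name": agent.get("name", ""),
        "agent_ip": agent.get("ip", ""),
        "full_log": alert.get("full_log", ""),
    }
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign(payload: bytes, secret: str) -> str:
    """HMAC over the exact bytes that go on the wire, keyed with api_key."""
    return hmac.new(secret.encode("utf-8"), payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, secret: str, signature: str) -> bool:
    """What the n8n side should do before the SSH step (constant-time compare)."""
    return hmac.compare_digest(sign(payload, secret), signature)


def post(hook_url: str, payload: bytes, signature: str, timeout: float = 10.0) -> int:
    req = urllib.request.Request(
        hook_url,
        data=payload,
        method="POST",
        headers={"Content-Type": "application/json", "X-Wazuh-Signature": signature},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: custom-n8n <alert_file> <api_key> <hook_url>")
    alert_file, api_key, hook_url = sys.argv[1:4]
    body = build_payload(load_alert(alert_file))
    status = post(hook_url, body, sign(body, api_key))
    sys.exit(0 if status < 300 else 1)
```

The n8n Webhook node (or a Code node right after it) should recompute the HMAC over the raw request body with the same secret and stop the execution when verify() fails; the rule_id filter in ossec.conf keeps every other alert from ever reaching the workflow.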


📂 Enjoy customizing

Swap the ClamAV commands for your preferred antivirus (e.g., Microsoft Defender's MpCmdRun.exe -Scan) as needed.

Integrate with your existing communication or ticketing systems.

Extend or adapt for multi-endpoint orchestration or other alert rules.


Created by Mariskarthick M, Senior Security Analyst | Detection Engineer | Threat Hunter | Open-Source Enthusiast

Auto-Remediate Endpoint Infections with Wazuh, ClamAV, and GPT-4

This n8n workflow automates the process of detecting, analyzing, and remediating endpoint infections, leveraging Wazuh for security monitoring, ClamAV for antivirus scanning, and GPT-4 for intelligent decision-making and response generation. It aims to streamline incident response for endpoint security threats.

What it does

This workflow is designed to be triggered by an external system (e.g., a Wazuh alert) and then intelligently respond to potential endpoint infections.

  1. Receives Security Alerts: The workflow starts by listening for incoming data via a Webhook, which is expected to contain information about a potential endpoint infection.
  2. Conditional Processing: It uses an "If" node to introduce conditional logic, allowing the workflow to branch based on the content of the incoming alert. This enables different responses for different types of threats or alert severities.
  3. No Operation (Placeholder): A "No Operation" node is present, which typically acts as a placeholder or a point where no action is taken, potentially for debugging or future expansion.
  4. SSH Command Execution: An SSH node executes commands on a remote host, which is how ClamAV scans are started, an endpoint is isolated, or further diagnostics are collected. Any alert field interpolated into that command (the infected file path in particular) was chosen by whoever dropped the file, so it must be validated and shell-quoted before it reaches the remote shell.
  5. AI-Powered Analysis and Remediation:
    • OpenAI Chat Model: An "OpenAI Chat Model" node suggests the use of a Large Language Model (LLM), likely GPT-4, to analyze the threat. This could involve understanding the nature of the infection, suggesting remediation steps, or generating human-readable summaries.
    • AI Agent: An "AI Agent" node (from LangChain) implies a more sophisticated AI interaction, potentially for autonomous decision-making, planning remediation steps, or orchestrating multiple tools based on the LLM's output.
    • Summarization Chain: A "Summarization Chain" node (from LangChain) suggests the capability to summarize complex security logs or incident details into concise reports, likely for human review or further action.
  6. Telegram Notification: Finally, a "Telegram" node is used to send notifications, likely to security teams or administrators, informing them about the detected infection, the actions taken, and the results of the remediation.

Prerequisites/Requirements

To effectively use this workflow, you will need:

  • n8n Instance: A running n8n instance to host the workflow.
  • Webhook Source: An external system (e.g., Wazuh, SIEM) configured to send security alerts to the n8n Webhook URL.
  • SSH Access: Credentials and network access for the n8n instance to reach the target endpoints or security servers over SSH, ideally a dedicated key whose authorized_keys entry is restricted (forced command, no forwarding) to the scan commands the workflow needs.
  • OpenAI API Key: An API key for OpenAI (or a compatible LLM provider) to utilize the Chat Model, AI Agent, and Summarization Chain nodes.
  • Telegram Bot Token: A Telegram bot token and chat ID(s) for sending notifications.

Setup/Usage

  1. Import the Workflow: Download the provided JSON and import it into your n8n instance.
  2. Configure Credentials:
    • SSH: Set up your SSH credentials in n8n for the server(s) where commands will run (e.g., ClamAV scans or other system actions). Use a dedicated, restricted account rather than root; the scan itself does not need to modify anything.
    • OpenAI: Configure your OpenAI API key in n8n's credentials section for the "OpenAI Chat Model" node.
    • Telegram: Set up your Telegram Bot API Token and specify the chat ID where notifications should be sent.
  3. Configure Webhook:
    • Activate the "Webhook" trigger node. n8n will provide a unique URL.
    • Configure your external security monitoring system (e.g., Wazuh) to send alerts to this n8n Webhook URL. Ensure the alert payload contains the relevant information about the infection (e.g., endpoint name, detected threat, severity). Do not leave the webhook unauthenticated: anyone who learns the URL could otherwise trigger scans and SSH commands, so enable the Webhook node's authentication option or verify a signature on the body before anything else runs.
  4. Customize Logic (If Node): Adjust the conditions in the "If" node to match your specific incident response policies. For example, you might want to differentiate between high-severity and low-severity alerts.
  5. Customize SSH Commands: Modify the SSH node to execute the commands your environment needs, for example:
    • clamscan -r /path/to/scan
    • systemctl stop network-manager (for isolation; the canonical unit name is NetworkManager.service, and network-manager only works where the Debian/Ubuntu alias exists)
    • rm /path/to/malicious/file
    Two caveats before copying these: stopping the network service over SSH also drops the SSH session and the Wazuh agent's connection to the manager, so the scan-result and notification steps that follow cannot reach the host; a host-firewall rule that keeps the manager and the n8n host reachable isolates without blinding you. Deleting a path the workflow extracted from the alert is irreversible, so prefer quarantine (clamscan --move into a restricted directory) and keep the delete step behind human approval.
  6. Refine AI Prompts: Adjust the prompts and configurations within the "OpenAI Chat Model," "AI Agent," and "Summarization Chain" nodes to ensure the AI provides relevant analysis and generates appropriate responses for your security context.
  7. Activate the Workflow: Once configured, activate the workflow in n8n.
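As an added example (not code from the template), here is the gating and path-extraction logic of steps 4 and 5 in Python, together with the injection risk that step 5 hides: if the path pulled from the alert is dropped into the SSH command as a plain string, a malware file whose name contains shell metacharacters runs its own command on the endpoint when the scan starts. The alert is constructed, and the rule list, level threshold and clamscan flags are assumed policy rather than anything the template fixes.

```python
"""Gate a Wazuh ClamAV alert, extract the infected path and build a safe
remote scan command for the SSH step.

Example code added to this page, not part of the workflow JSON. The alert is
constructed (field names follow Wazuh's JSON alert format: rule.id,
rule.level, agent.name, full_log); the rule set and level threshold are an
assumed policy, and clamscan is assumed to be on the endpoint's PATH.
"""
import json
import re
import shlex
from typing import Optional

# Act only on the ClamAV "virus detected" rule the page names, at or above an
# assumed severity threshold (Wazuh levels run 0-15).
ACT_ON_RULES = {"52502"}
MIN_LEVEL = 8

# clamd and clamscan report hits as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"(?P<path>/.*?): (?P<sig>\S+) FOUND\b")

# Constructed sample alert. The filename is deliberately hostile: the attacker
# chose it when dropping the file, so it is untrusted input to the workflow.
SAMPLE_ALERT_JSON = json.dumps({
    "timestamp": "2026-02-03T09:14:02.000+0000",
    "rule": {"id": "52502", "level": 8, "description": "ClamAV: Virus detected"},
    "agent": {"id": "001", "name": "web01", "ip": "10.0.0.12"},
    "full_log": "Tue Feb  3 09:14:02 2026 -> /var/www/uploads/invoice;touch /tmp/pwned.pdf: "
                "Win.Test.EICAR_HDB-1 FOUND",
})


def parse_alert(raw: str) -> dict:
    return json.loads(raw)


def should_act(alert: dict) -> bool:
    """The If-node condition: the right rule and severe enough."""
    rule = alert.get("rule", {})
    return str(rule.get("id")) in ACT_ON_RULES and int(rule.get("level", 0)) >= MIN_LEVEL


def extract_infected_path(full_log: str) -> Optional[str]:
    """Regex extraction of the reported path from the ClamAV log line."""
    m = FOUND_RE.search(full_log)
    return m.group("path") if m else None


def validate_path(path: str) -> bool:
    """Accept only an absolute path with no traversal and no control bytes."""
    if not path.startswith("/"):
        return False
    if any(ord(c) < 0x20 or c == "\x7f" for c in path):
        return False
    return ".." not in path.split("/")


def unsafe_scan_command(path: str) -> str:
    """What naive string interpolation in the SSH node produces (do not use):
    the ';' in the sample filename ends clamscan's argument list and the rest
    runs as a second command on the endpoint."""
    return f"clamscan --infected --no-summary {path}"


def build_scan_command(path: str) -> str:
    """Validated and shell-quoted: the whole path reaches clamscan as one argument."""
    if not validate_path(path):
        raise ValueError(f"refusing untrusted path: {path!r}")
    return "clamscan --infected --no-summary " + shlex.quote(path)


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT_JSON)
    if should_act(alert):
        infected = extract_infected_path(alert["full_log"])
        print("unsafe:", unsafe_scan_command(infected))
        print("safe:  ", build_scan_command(infected))
```

The same quoting rule applies to every other command in step 5: rm, --move targets and anything built from agent.name or agent.ip. In n8n this is the difference between `{{ $json.path }}` pasted into the command string and a Code node that validates and quotes first.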
