Automated Email Incident Triage with TheHive and Cortex
Automate your Security Operations Center (SOC) incident response by triaging suspicious emails. This workflow automatically extracts attachments, creates cases in TheHive, analyzes Indicators of Compromise (IOCs) with Cortex, and enriches them for rapid investigation.
About This Workflow
This robust workflow streamlines your incident response process, starting from the moment a suspicious email is received. It integrates seamlessly with your IMAP email server to detect new messages, especially those with attachments. Once an email is identified, the workflow automatically creates a new incident case in TheHive, extracting and analyzing potential Indicators of Compromise (IOCs) like domains, emails, and IPs using Cortex. It then intelligently enriches these observables with further threat intelligence and reputation checks, empowering your security team to respond faster and more efficiently to potential threats.
Key Features
- Automated Email Monitoring: Automatically processes incoming emails from an IMAP server, focusing on attachments.
- Dynamic TheHive Case Creation: Creates a new case in TheHive for each suspicious email, using attachment details and message IDs.
- Cortex-Powered IOC Extraction: Integrates with Cortex to analyze email attachments and extract critical IOCs like domains, email addresses, and IP addresses.
- Intelligent Observable Enrichment: Automatically enriches extracted IOCs with further threat intelligence, performing email reputation checks and gathering IP intelligence via OTX.
- Conditional Processing: Uses conditional logic to ensure only relevant IOCs are processed and added to TheHive cases.
How To Use
To set up and utilize this powerful workflow, follow these steps:
- Configure IMAP Email Node: Set up your IMAP credentials. Ensure the 'Format' is set to 'Resolved' to properly handle attachments.
- Set Up TheHive Credentials: Create a new 'TheHiveApi' credential in n8n, providing your TheHive server URL and API key. This will be used by all TheHive nodes.
- Set Up Cortex Credentials: Create a new 'CortexApi' credential in n8n, providing your Cortex server URL and API key.
- TheHive (initial artifact & case creation): The 'TheHive' node creates an artifact (your email attachment). The 'Create Case' node promotes this artifact to a full case. These nodes are pre-configured to use data from the 'IMAP Email' node, but you may customize the title and description expressions if needed.
- Analyzer Email & Cortex Nodes: The 'Analyzer Email' node triggers a Cortex analysis job on the email attachment. The 'Cortex' node then retrieves the report. Ensure your Cortex instance has the specified analyzer (24a64a086a410e1c7d7ace74003c4480::CORTEX) available.
- Conditional IOC Handling (IF Node): This node checks if Cortex found any domains, emails, or IPs. No configuration is typically needed here.
- Update Case Domain/Email/IP: These nodes automatically create new observables in TheHive for the detected IOCs. Ensure the correct 'dataType' is selected for each (e.g., 'domain', 'mail', 'ip').
- Email Reputation & OTX IP: These final TheHive nodes trigger additional Cortex analyzers (e.g., 9902b4e5c58015184b177de13f2151c7::CORTEX for email reputation, b084bf78d1aea92966b6ef6a4f6193a5::CORTEX for OTX IP) on the newly created observables to enrich their data. Ensure these analyzers are configured in your Cortex instance.
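The IF-node check and the observable mapping described in the steps above, as an added Python example that is not part of this workflow or of n8n: it reads the artifacts list of a Cortex analyzer report (a constructed sample, in the report shape I assume Cortex returns), keeps only well-formed domain/mail/ip values, builds TheHive observable payloads using the dataType names listed above, and picks the follow-up analyzer per observable from the analyzer IDs quoted on this page. The payload fields tlp, ioc, message and tags follow TheHive's observable API as I know it; the tag and message text are my own.

```python
import ipaddress
import json
import re

# Analyzer IDs quoted in the workflow description above (Cortex "<id>::CORTEX" form).
ANALYZER_EMAIL_REPUTATION = "9902b4e5c58015184b177de13f2151c7::CORTEX"
ANALYZER_OTX_IP = "b084bf78d1aea92966b6ef6a4f6193a5::CORTEX"
# Only these Cortex artifact types become TheHive observables; TheHive spells email "mail".
ACCEPTED_TYPES = {"domain", "mail", "ip"}
FOLLOWUP = {"mail": ANALYZER_EMAIL_REPUTATION, "ip": ANALYZER_OTX_IP}
PATTERNS = {"domain": r"(?!-)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+", "mail": r"[^@\s]+@[^@\s]+\.[^@\s]+"}

# Constructed sample Cortex report; "artifacts" is the list the IF node inspects.
SAMPLE_REPORT = json.dumps({"artifacts": [
    {"dataType": "domain", "data": "login.example.test"},
    {"dataType": "mail", "data": "billing@example.test"},
    {"dataType": "ip", "data": "203.0.113.7"},
    {"dataType": "ip", "data": "203.0.113.7"},          # duplicate, dropped
    {"dataType": "ip", "data": "not-an-ip"},            # malformed, dropped
    {"dataType": "hash", "data": "d41d8cd98f00b204e9800998ecf8427e"},  # type not handled here
]})

def is_valid(data_type, value):
    """Reject malformed values so a bad extraction never becomes a TheHive observable."""
    if data_type == "ip":
        try:
            return ipaddress.ip_address(value) is not None
        except ValueError:
            return False
    return re.fullmatch(PATTERNS[data_type], value.lower()) is not None

def extract_observables(report_json, case_tag="email-triage"):
    """Cortex report -> deduplicated TheHive observable payloads, in report order."""
    seen, observables = set(), []
    for art in json.loads(report_json).get("artifacts", []):
        data_type, value = art.get("dataType"), str(art.get("data", "")).strip()
        if data_type not in ACCEPTED_TYPES or not is_valid(data_type, value) or (data_type, value) in seen:
            continue
        seen.add((data_type, value))
        observables.append({"dataType": data_type, "data": value, "ioc": True, "tlp": 2,
                            "message": "Extracted by Cortex from email attachment", "tags": [case_tag]})
    return observables

def has_iocs(observables):
    """The IF-node condition: continue only when at least one domain/mail/ip was found."""
    return len(observables) > 0

def plan_enrichment(observables):
    """Choose the follow-up Cortex analyzer per observable, as the final two nodes do."""
    return [(FOLLOWUP[o["dataType"]], o["dataType"], o["data"]) for o in observables if o["dataType"] in FOLLOWUP]
```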
Workflow JSON
{
  "id": "18bdca44-476e-4b88-a86f-fdfdb8d26b66",
  "name": "Automated Email Incident Triage with TheHive and Cortex",
  "nodes": 14,
  "category": "DevOps",
  "status": "active",
  "version": "1.0.0"
}
Note: This is a sample preview. The full workflow JSON contains node configurations, credentials placeholders, and execution logic.
About the Author
Crypto_Watcher
Web3 Developer
Automated trading bots and blockchain monitoring workflows.