Automated Malicious File Detection with Wazuh and n8n
Proactively identify and respond to malicious file detections on your network. This workflow automates the process of receiving Wazuh alerts, analyzing file reputation, and generating security incidents.
About This Workflow
This n8n workflow is designed to enhance your security posture by automating the detection and notification of malicious file activities. When Wazuh identifies a suspicious file, this workflow springs into action. It captures the alert, extracts crucial Indicators of Compromise (IOCs), and then queries a threat intelligence service (like VirusTotal, inferred from node 'Generate File Summary') to gather detailed analysis and reputation data. If the file is flagged as suspicious or malicious, a comprehensive summary is generated, and an incident is automatically created in ServiceNow. Finally, a detailed email alert is sent to the security team, providing immediate visibility into potential threats.
Key Features
- Real-time Threat Detection: Leverages Wazuh for immediate identification of suspicious files.
- Automated Threat Intelligence Integration: Enriches alerts with reputation and analysis data.
- Intelligent Incident Creation: Automatically generates ServiceNow incidents for suspicious files.
- Customizable Email Notifications: Informs stakeholders with a detailed summary of the threat.
- Comprehensive File Analysis: Provides critical details like SHA256 hash, reputation, and threat labels.
How To Use
- Configure Wazuh Webhook: Set up a Wazuh webhook to send alerts to the specified n8n webhook URL (the 'file_validation' path).
- Set up ServiceNow Credentials: Configure your ServiceNow API credentials (basic authentication) in n8n.
- Configure Gmail Credentials: Set up your Gmail OAuth2 credentials in n8n for email notifications.
- Review and Deploy: Review the workflow logic, particularly the 'Extract IOCs' and 'Generate File Summary' nodes, to ensure they align with your threat intelligence sources and analysis requirements.
- Connect Nodes: Ensure the output of the 'Wazuh Alert' webhook node is connected to 'Extract IOCs', 'Extract IOCs' to 'Generate File Summary', and 'Generate File Summary' to both the 'Filter Suspicious Files' and 'file summary display' nodes.
- Route Suspicious Alerts: Connect the 'Suspicious' output of the 'Filter Suspicious Files' node to both the 'Create File Incident' and 'Gmail1' nodes. The 'file summary display' node should receive its input from 'Generate File Summary' to render the HTML content before it is sent via email.
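As an added example (not part of this listing or of the workflow's own nodes), here is the logic of the 'Extract IOCs', 'Filter Suspicious Files' and 'Generate File Summary' steps as it could be written in an n8n Code node: it pulls the file path and SHA256 out of a constructed Wazuh FIM alert, applies a reputation verdict, and builds the summary line the incident and email would carry. The alert layout, the reputation object shape and the detection threshold are assumptions.

```javascript
// Added example: IOC extraction, filtering and summary as an n8n Code node
// might implement them. The alert layout mirrors Wazuh FIM (syscheck) alerts;
// the reputation object shape and the detection threshold are assumptions.

// Constructed Wazuh FIM alert (not a real detection).
const sampleAlert = {
  rule: { id: '554', level: 5, description: 'File added to the system.' },
  agent: { id: '003', name: 'web-01' },
  syscheck: {
    path: '/tmp/update.bin',
    event: 'added',
    sha256_after: 'a'.repeat(64), // placeholder digest, not a real hash
  },
};

// Pull the IOCs the rest of the workflow relies on. Returns null when the
// alert is not a file event or carries no usable hash, so it can be dropped.
function extractIocs(alert) {
  const sc = alert && alert.syscheck;
  if (!sc || !sc.path) return null;
  const sha256 = sc.sha256_after || sc.sha256_before || null;
  if (!sha256 || !/^[0-9a-f]{64}$/i.test(sha256)) return null;
  return {
    agent: alert.agent ? alert.agent.name : 'unknown',
    path: sc.path,
    event: sc.event || 'unknown',
    sha256: sha256.toLowerCase(),
    ruleId: alert.rule ? alert.rule.id : null,
  };
}

// Apply a reputation verdict. `rep` is assumed to hold engine verdict counts
// { malicious, suspicious, harmless } plus an optional threat label.
function classify(iocs, rep, threshold = 5) {
  const bad = (rep.malicious || 0) + (rep.suspicious || 0);
  const verdict = (rep.malicious || 0) >= threshold ? 'malicious'
    : bad > 0 ? 'suspicious' : 'clean';
  return { ...iocs, verdict, isSuspicious: verdict !== 'clean',
    detections: bad, threatLabel: rep.label || null };
}

// One-line summary for the incident description and email subject.
function summarize(r) {
  const label = r.threatLabel ? `, label ${r.threatLabel}` : '';
  return `${r.verdict.toUpperCase()}: ${r.path} on ${r.agent} ` +
    `(sha256 ${r.sha256}), ${r.detections} detections${label}`;
}

console.log(summarize(classify(extractIocs(sampleAlert),
  { malicious: 12, suspicious: 2, label: 'placeholder-label' })));
```

Only items whose verdict is not 'clean' would be routed to the 'Suspicious' output feeding the ServiceNow and Gmail nodes.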
Workflow JSON
{
  "id": "5331f388-1c61-43c1-b5fb-7d8409a72a3e",
  "name": "Automated Malicious File Detection with Wazuh and n8n",
  "nodes": 26,
  "category": "DevOps",
  "status": "active",
  "version": "1.0.0"
}
Note: This is a sample preview. The full workflow JSON contains node configurations, credential placeholders, and execution logic.
About the Author
N8N_Community_Pick
Curator
Hand-picked high quality workflows from the global community.