workflows.fit
Back to n8n workflows
n8n templateFreeBy Rizky Febriyan

Automated security alert analysis with Sophos, Gemini AI, and VirusTotal

How It Works This workflow automates the analysis of security alerts from Sophos Central, turning raw events into actionable intelligence. It uses the official Sophos SIEM integration tool to fetch data, enriches it w...

DevelopmentCore NodesCommunicationHITLAILangchainWebhookIf
Loading interactive preview...

Template notes

How It Works This workflow automates the analysis of security alerts from Sophos Central, turning raw events into actionable intelligence. It uses the official Sophos SIEM integration tool to fetch data, enriches it with VirusTotal, and leverages Google Gemini to provide a real-time threat summary and mitigation plan via Telegram.

Prerequisite (Important): This workflow is triggered by a webhook that receives data from an external Python script. You must first set up the Sophos-Central-SIEM-Integration script from the official Sophos GitHub. This script will fetch data and forward it to your n8n webhook URL.

Tool Source Code: [Sophos/Sophos-Central-SIEM-Integration](Sophos/Sophos-Central-SIEM-Integration)

The n8n Workflow Steps Webhook: Receives enriched event and alert data from the external Python script.

IF (Filter): Immediately filters the incoming data to ensure only events with a high or critical severity are processed, reducing noise from low-priority alerts.

Code (Prepare Indicator): Intelligently inspects the Sophos event data to extract the primary threat indicator. It prioritizes indicators in the following order: File Hash (SHA256), URL/Domain, or Source IP.

HTTP Request (VirusTotal): The extracted indicator is sent to the VirusTotal API to get a detailed reputation report, including how many security vendors flagged it as malicious.

Code (Prompt for Gemini): The raw JSON output from VirusTotal is processed into a clean, human-readable summary and a detailed list of flagging vendors.