Background:
I am creating a workflow to normalize all of the different Microsoft Defender for x alerts and forward them to our SOC. There are dozens of different types of alerts. We are starting with the most common types and building a sub workflow for each. This allows us to:
- apply more granular filtering than Microsoft’s alert engine allows
- normalize/extract the key fields so that analysts don’t have to know the event schema for each.
Partial list of event types we see in our data:
- ASC:AI.Azure_CredentialTheftAttempt
- ASC:AI.Azure_DataLeakInModelResponse.Sensitive
- ASC:AppServices_WpThemeInjection
- ASC:SQL.VM_HarmfulApplication
- ASC:Storage.Blob_AM.MalwareFound
- ASC:Storage.Blob_GeoAnomaly
- ASC:Storage.Blob_MalwareDownload
- ASC:Storage.Blob_MalwareScanningCapApproaching
- ASC:Storage.Blob_MalwareScanningCapReached
- ASC:VM_CustomScriptExtensionUnusualExecution
- IPC:AnomalousToken
- IPC:AnonymousLogin
- IPC:ImpossibleTravel
- IPC:UnfamiliarLocation
- MCAS:MCAS_ALERT_ANUBIS_DETECTION_RISKY_IP_ANONYMOUS
- Office 365 Security and Compliance:AccessGovernance
- Office 365 Security and Compliance:ThreatManagement
Question:
Is there a way to have a subworkflow invocation that dynamically finds the sub workflow by name (match by the values above)?
My current approach is to use the Switch node and a separate sub-workflow node for each. That approach is fine for the first few alert types, but won’t really scale (leads to a very messy diagram with dozens of subworkflow boxes and a harder-to-maintain parent/top workflow).
Information on your n8n setup:
- n8n version: 1.81.4
- Running n8n via Docker
- Operating system: Ubuntu 22.04.5 LTS
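As an added example (not the poster's workflow and not n8n's own code), the lookup below replaces one Switch branch per alert type with a single routing table keyed by alert-type prefix: an exact entry wins, otherwise the longest matching family or provider prefix, otherwise a catch-all so no alert is silently dropped. The workflow IDs are constructed placeholders, and it is assumed that the sub-workflow node downstream can take its workflow ID from the `route.workflowId` field this Code-node-style function emits.

```javascript
// Hypothetical route table: keys are alert-type prefixes from the post,
// values are placeholder sub-workflow IDs (constructed, not real).
const ROUTES = {
  "ASC:Storage.Blob_AM.MalwareFound": "wf-blob-malware",   // exact type
  "ASC:Storage.Blob_": "wf-storage-blob",                  // alert family
  "ASC:": "wf-defender-cloud",                             // provider
  "IPC:ImpossibleTravel": "wf-identity-travel",
  "IPC:": "wf-identity-protection",
  "MCAS:": "wf-mcas",
  "Office 365 Security and Compliance:": "wf-o365",
};
// Unknown types go to a catch-all so analysts still see them raw.
const DEFAULT_ROUTE = "wf-unhandled";

// Split "Provider:Name" at the first colon; the provider part may contain spaces.
function parseAlertType(alertType) {
  const idx = alertType.indexOf(":");
  if (idx < 0) return { provider: null, name: alertType };
  return { provider: alertType.slice(0, idx), name: alertType.slice(idx + 1) };
}

// Longest matching prefix wins, so a dedicated entry beats its family entry,
// and a family entry beats the bare provider entry.
function routeAlert(alertType, routes = ROUTES) {
  const keys = Object.keys(routes).sort((a, b) => b.length - a.length);
  const key = keys.find((k) => alertType.startsWith(k));
  return {
    ...parseAlertType(alertType),
    alertType,
    matchedRule: key ?? null,
    workflowId: key ? routes[key] : DEFAULT_ROUTE,
  };
}

// n8n Code-node shape: one item in, one item out, with the routing decision
// attached under json.route for the next node to read.
function routeItems(items) {
  return items.map((item) => ({
    json: { ...item.json, route: routeAlert(item.json.alertType) },
  }));
}

// Constructed sample input using alert types listed in the post.
const SAMPLE_ITEMS = [
  { json: { alertType: "ASC:Storage.Blob_GeoAnomaly", id: "a1" } },
  { json: { alertType: "IPC:AnonymousLogin", id: "a2" } },
  { json: { alertType: "Office 365 Security and Compliance:ThreatManagement", id: "a3" } },
];
```

Adding a new alert type then means adding one line to `ROUTES` rather than a new Switch output and sub-workflow node.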