Hi everyone,
I’m building a SOAR (Security Orchestration, Automation, and Response) workflow in n8n, and I’d love guidance or example workflows.
My Use Case:
I’m receiving alerts from Elasticsearch (via webhook) into n8n, and I want to automate the following pipeline:
- Parse and normalize the webhook alert data (from Elasticsearch).
- Create a new case in TheHive based on that data.
- Run Cortex analyzers on relevant observables (e.g., IP, URL, etc.).
- Enrich with MISP (check or add to threat intel).
- Take response actions, such as:
  - Notifying a team (via Slack/email),
  - Creating a ticket,
  - Or blocking indicators via API.
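Added example (not from the original post, and not code from n8n, TheHive, Cortex or MISP) for the first two steps of the pipeline described above: a plain JavaScript normaliser of the kind you would drop into an n8n Code node, which turns a constructed Elasticsearch/Kibana webhook payload into one TheHive-alert-shaped object with validated, deduplicated observables. The payload layout, the ECS field paths, the severity mapping and the TheHive field names (`type`, `source`, `sourceRef`, `observables[].dataType`/`data`) are assumptions to check against the versions actually in use.

```javascript
// Added example, not from the original post: normalise an Elasticsearch alert
// webhook payload into a TheHive-alert-shaped object. Input layout, ECS paths and
// TheHive field names are assumptions; verify against your own payloads and API.

const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const SHA256 = /^[0-9a-f]{64}$/i;
const DOMAIN = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;
const URL_RE = /^https?:\/\/\S+$/i;

// Rule severity label -> TheHive severity 1 (low) .. 4 (critical); assumed mapping.
const SEVERITY = { low: 1, medium: 2, high: 3, critical: 4 };

// [ECS path inside a hit, TheHive dataType, validator]; only well-formed values pass.
const OBSERVABLE_FIELDS = [
  ['source.ip', 'ip', IPV4],
  ['destination.ip', 'ip', IPV4],
  ['destination.domain', 'domain', DOMAIN],
  ['url.full', 'url', URL_RE],
  ['file.hash.sha256', 'hash', SHA256],
];

// Safe dotted-path lookup: returns undefined instead of throwing on missing keys.
function getPath(obj, path) {
  return path.split('.').reduce((o, k) => (o && o[k] !== undefined ? o[k] : undefined), obj);
}

// Collect observables across all hits, dropping malformed values and duplicates
// so Cortex analyzers are not run twice on the same indicator.
function extractObservables(hits) {
  const seen = new Set();
  const out = [];
  for (const hit of hits) {
    const src = hit._source || hit;
    for (const [path, dataType, re] of OBSERVABLE_FIELDS) {
      const value = getPath(src, path);
      if (typeof value !== 'string' || !re.test(value)) continue; // missing or malformed
      const key = `${dataType}:${value.toLowerCase()}`;
      if (seen.has(key)) continue; // same indicator seen in an earlier hit
      seen.add(key);
      out.push({ dataType, data: value, tags: [`ecs:${path}`] });
    }
  }
  return out;
}

// Build the TheHive alert body. sourceRef is assumed to need to be unique per
// alert, so the function refuses payloads without an alert id rather than
// silently creating colliding alerts.
function normalizeAlert(payload) {
  const rule = payload.rule || {};
  const alert = payload.alert || {};
  const hits = (payload.context && payload.context.hits) || [];
  if (!alert.id) throw new Error('alert.id missing: cannot build a unique sourceRef');
  return {
    type: 'elasticsearch',
    source: 'n8n',
    sourceRef: String(alert.id),
    title: rule.name || 'Elasticsearch alert',
    description: `Rule ${rule.id || 'unknown'} fired at ${alert.timestamp || 'unknown time'} ` +
      `with ${hits.length} matching document(s).`,
    severity: SEVERITY[String(rule.severity || '').toLowerCase()] || 2,
    tags: ['source:elasticsearch', `rule:${rule.id || 'unknown'}`],
    observables: extractObservables(hits),
  };
}

// Constructed sample webhook payload (not a real alert). The second hit carries a
// malformed IP and a duplicate destination IP to exercise validation and dedup.
const SAMPLE_ALERT = {
  rule: { id: 'rule-0001', name: 'Suspicious outbound connection', severity: 'high' },
  alert: { id: 'abc123', timestamp: '2024-01-01T00:00:00Z' },
  context: {
    hits: [
      { _source: {
        source: { ip: '10.0.0.5' },
        destination: { ip: '203.0.113.10', domain: 'example.test' },
        url: { full: 'http://example.test/login' },
        file: { hash: { sha256: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' } },
      } },
      { _source: { source: { ip: '999.1.1.1' }, destination: { ip: '203.0.113.10' } } },
    ],
  },
};

// Stand-alone run; in an n8n Code node you would instead return
// $input.all().map(i => ({ json: normalizeAlert(i.json) })).
console.log(JSON.stringify(normalizeAlert(SAMPLE_ALERT), null, 2));
```

The normalised object is what the next node (an HTTP Request node posting to TheHive's alert endpoint, or a Code node that splits `observables` into one item per indicator for Cortex) consumes. Keeping validation here means a malformed or attacker-controlled field in a log line never reaches an analyzer or a blocking API as an "indicator".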