Workflow: Automating Firewall Port Scan Detection and Response

Hi, can somebody please help me set up this workflow on n8n?

Objective:

Automate the detection of firewall port scan alerts in IBM QRadar and integrate VirusTotal checks with automatic ticket creation in Request Tracker (RT) using n8n.

Workflow Overview:

This workflow automates the following steps:

  1. Detect firewall port scan alerts in IBM QRadar.
  2. Verify the detected IP addresses against VirusTotal’s threat intelligence database.
  3. If flagged by VirusTotal, create a ticket in Request Tracker to initiate an investigation.

Steps:

  1. QRadar Alert Detection:
  • QRadar continuously monitors network traffic for suspicious activities, including firewall port scan attempts.
  • Once a port scan attempt is detected, an alert is triggered within QRadar. The alert contains the IP addresses involved in the scan.
  2. Trigger Workflow in n8n:
  • The QRadar alert triggers the workflow in n8n, passing the relevant data (IP addresses) for further processing.
  • n8n fetches the list of IP addresses from the QRadar alert.
  3. VirusTotal IP Lookup:
  • n8n integrates with the VirusTotal API.
  • For each detected IP address, n8n queries VirusTotal to check if the IP has been flagged for malicious activity or is associated with known threats.
  4. Conditional Check:
  • If the IP address is flagged by VirusTotal as malicious or suspicious, the workflow continues to the next step.
  • If the IP is not flagged, the workflow terminates here, with no further action required.
  5. Ticket Creation in Request Tracker:
  • For flagged IP addresses, n8n automatically creates a ticket in Request Tracker.
  • The ticket includes details of the QRadar alert, the flagged IPs, and the VirusTotal report.
  • The ticket is assigned to the appropriate security analyst for further investigation and remediation.
  6. Notification (Optional):
  • n8n can send a notification to the SecOps team (via email or chat) to inform them of the ticket creation and the suspicious activity detected.

Information on your n8n setup

  • n8n version: 1.58.0
  • Database (default: SQLite): SQLite
  • n8n EXECUTIONS_PROCESS setting (default: own, main): own
  • Running n8n via: Docker
  • OS: Ubuntu

It looks like your topic is missing some important information. Could you provide the following if applicable.

  • n8n version:
  • Database (default: SQLite):
  • n8n EXECUTIONS_PROCESS setting (default: own, main):
  • Running n8n via (Docker, npm, n8n cloud, desktop app):
  • Operating system:
  • n8n version: 1.58.0
  • Database (default: SQLite): SQLite
  • n8n EXECUTIONS_PROCESS setting (default: own, main): own
  • Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
  • Operating system: Linux

Hi @Preval_Jacquet_Gbaka

You can build your workflow using the following nodes:

  • Webhook or email trigger to receive alerts from QRadar (alternatively, if QRadar offers API access, use an HTTP request node to periodically check for new alerts)
  • another HTTP Request node to connect to the VirusTotal API
  • Code or Switch node to check if the IP is flagged as malicious or suspicious
  • If node to route workflow if IP flagged or not
  • use another HTTP Request node for your Request Tracker system
  • any email or chat node or similar to notify your SecOps team about the created ticket and threat detected

There are many ways to build a workflow, but the nodes mentioned above should give you a good starting point. You can find them in our docs:

Also feel free to check out our template collection for inspiration from what other people have built: Discover 800+ Automation Workflows from the n8n's Community

Have fun building and feel free to share your progress! 🙌
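Here is the decision logic for the "Code node" step above, written as an added example for this thread (it is not code from the thread, from n8n, or from either vendor). It assumes the VirusTotal API v3 IP report shape (`data.attributes.last_analysis_stats`) and a Request Tracker REST 2.0 JSON ticket body with `Queue`, `Subject` and `Content`; the QRadar alert fields, IP addresses and detection counts are constructed sample data.

```javascript
// Added example, not from the thread or from n8n. Assumes VirusTotal v3
// GET /ip_addresses/{ip} responses and an RT REST 2.0 ticket body
// {Queue, Subject, Content}. Paste into an n8n Code node and finish with:
//   return runCodeNode($input.all());

// Decide whether one VirusTotal IP report counts as "flagged".
// minHits: engines that must report malicious/suspicious before we act (1 = any).
function classifyIp(ip, vtReport, minHits = 1) {
  const stats = (vtReport && vtReport.data && vtReport.data.attributes &&
    vtReport.data.attributes.last_analysis_stats) || {};
  const malicious = stats.malicious || 0;
  const suspicious = stats.suspicious || 0;
  return { ip, malicious, suspicious, flagged: malicious + suspicious >= minHits };
}

// Build the Request Tracker ticket body covering every flagged IP of one alert.
// Returns null when nothing is flagged, so the If node can stop the workflow.
function buildRtTicket(alert, verdicts, queue = 'SecOps') {
  const flagged = verdicts.filter(v => v.flagged);
  if (flagged.length === 0) return null;
  const lines = flagged.map(v =>
    `${v.ip}: malicious=${v.malicious} suspicious=${v.suspicious}`);
  return {
    Queue: queue,
    Subject: `[QRadar ${alert.offenseId}] Port scan from flagged IP(s): ${flagged.map(v => v.ip).join(', ')}`,
    Content: `QRadar rule: ${alert.rule}\nDetected: ${alert.startTime}\n\nVirusTotal results:\n${lines.join('\n')}`,
  };
}

// Code node entry point: each incoming item carries the alert plus the
// VirusTotal report for one IP (as merged from the HTTP Request node output).
function runCodeNode(items, minHits = 1) {
  const alert = items[0].json.alert;
  const verdicts = items.map(i => classifyIp(i.json.ip, i.json.vtReport, minHits));
  const ticket = buildRtTicket(alert, verdicts);
  return [{ json: { flagged: ticket !== null, verdicts, ticket } }];
}

// Constructed sample input (TEST-NET addresses, made-up counts), not real data.
const SAMPLE_ALERT = { offenseId: 4711, rule: 'Firewall Port Scan', startTime: '2024-09-30T10:15:00Z' };
const vt = (malicious, suspicious) =>
  ({ data: { attributes: { last_analysis_stats: { harmless: 60, malicious, suspicious, undetected: 20, timeout: 0 } } } });
const SAMPLE_ITEMS = [
  { json: { alert: SAMPLE_ALERT, ip: '192.0.2.10', vtReport: vt(5, 1) } },
  { json: { alert: SAMPLE_ALERT, ip: '198.51.100.7', vtReport: vt(0, 0) } },
];
```

Raising `minHits` above 1 is the usual way to keep single-engine false positives from opening tickets; the If node then routes on the `flagged` field.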

Hello Ria, thank you for your answer, and sorry for the delay.

I have a concern about this answer.

“In QRadar, we have multiple use cases, but I want to focus on using the ‘firewall port scan’ use case for my playbook. I need to set it up so that when there are alerts related to this use case in QRadar, the system will automatically check the reputation of the involved IP addresses on VirusTotal. If any of the addresses are flagged, a ticket should be automatically created in Request Tracker for further processing.”
