{
  "name": "Analyze CrowdStrike detections - Search for IOCs in VirusTotal - Create a ticket in Jira, and post a message in Slack",
  "nodes": [
    {
      "id": "bd1234f2-631c-457d-8423-cec422852bbc",
      "name": "Schedule Trigger",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        -880,
        602
      ]
    },
    {
      "id": "b9f134cd-06de-49cd-83a2-19f705fd18c6",
      "name": "Split out detections",
      "type": "n8n-nodes-base.itemLists",
      "position": [
        -440,
        602
      ]
    },
    {
      "id": "8d1fc16d-bcbd-4ca2-ac2d-ea676cde4403",
      "name": "Get recent detections from Crowdstrike",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        -660,
        602
      ]
    },
    {
      "id": "bda81386-f301-44ac-ba91-2301ecdad6c3",
      "name": "Get detection details",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        -220,
        602
      ]
    },
    {
      "id": "ed6fe708-c67e-4cd1-800f-e13ab999c1c2",
      "name": "Split out behaviours",
      "type": "n8n-nodes-base.itemLists",
      "position": [
        280,
        362
      ]
    },
    {
      "id": "4d6c708c-56c3-43b7-ae06-0078d917ebd5",
      "name": "Look up SHA in Virustotal",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        720,
        362
      ]
    },
    {
      "id": "3e9f63a1-7a2a-43e3-998c-32eef23f8066",
      "name": "Look up IOC in Virustotal",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        940,
        362
      ]
    },
    {
      "id": "4249e16a-e84b-4af8-98e7-8a771a9016f0",
      "name": "Split In Batches",
      "type": "n8n-nodes-base.splitInBatches",
      "position": [
        60,
        602
      ]
    },
    {
      "id": "a6de25ad-195d-44a8-a8da-3ec14bfaec66",
      "name": "Merge behaviour descriptions",
      "type": "n8n-nodes-base.itemLists",
      "position": [
        1460,
        360
      ]
    },
    {
      "id": "fdc43a7b-579b-44ea-841b-cfebf2447ab9",
      "name": "Set behaviour descriptions",
      "type": "n8n-nodes-base.set",
      "position": [
        1240,
        360
      ]
    },
    {
      "id": "d11c8794-ca93-4916-87b2-86b87751d64e",
      "name": "Create Jira issue",
      "type": "n8n-nodes-base.jira",
      "position": [
        1680,
        360
      ]
    },
    {
      "id": "ac44f600-31b3-418b-8f75-5c42094f2b5b",
      "name": "Post notification on Slack",
      "type": "n8n-nodes-base.slack",
      "position": [
        2080,
        400
      ]
    },
    {
      "id": "2c5c81bd-096c-4613-aa85-e1c01eac484e",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -940,
        200
      ],
      "parameters": {
        "width": 907.2533697472911,
        "height": 622.2432296251139,
        "content": "![crowdstrike](https://i.imgur.com/bXWeemY.png)\n## Workflow Overview\nThis n8n workflow is a robust orchestration tool designed to streamline and automate the response to cybersecurity threats detected"
      }
    },
    {
      "id": "34f3178a-f333-44ae-bb84-775748a40871",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        456,
        85.94250946457566
      ],
      "parameters": {
        "width": 684.9176314093856,
        "height": 498.43309582729387,
        "content": "![VirusTotal](https://upload.wikimedia.org/wikipedia/commons/thumb/b/b7/VirusTotal_logo.svg/320px-VirusTotal_logo.svg.png)\n## Enrich each detection using VirusTotal\n\nEach detection is enhanced with ad"
      }
    },
    {
      "id": "9b248ed5-0a9b-4737-a571-ce20340a48af",
      "name": "Pause 1 second",
      "type": "n8n-nodes-base.wait",
      "position": [
        500,
        362
      ]
    },
    {
      "id": "854bbab6-b725-4a01-b179-1f1c944b7ea5",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1180,
        89.58126014061668
      ],
      "parameters": {
        "width": 732.8033084720628,
        "height": 495.2133868905577,
        "content": "![Jira](https://i.imgur.com/Ko72Qxa.png)\n## Create a Jira Ticket\nFor actionable response and tracking, the workflow creates a Jira ticket for each detection. The ticket includes detailed information "
      }
    },
    {
      "id": "da8ca7ef-714f-42b1-a642-3165c479b5df",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1940,
        90.04831844240124
      ],
      "parameters": {
        "width": 348.9781174689024,
        "height": 490.93784005768947,
        "content": "![Slack](https://i.imgur.com/iKyMV0N.png)\n## Post Notification in Slack\nTo ensure prompt attention, a notification is sent to a designated Slack channel with the severity level of the alert and a link"
      }
    },
    {
      "id": "a10f5365-85bc-435d-9b56-1154987af962",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        0,
        -96.97284326663032
      ],
      "parameters": {
        "width": 432.3140705656865,
        "height": 908.8964372010092,
        "content": "![n8n](https://i.imgur.com/lKnBNnH.png)\n## Iterate Through Detection Events\nThe \"`Split In Batches`\" node is configured with a batch size of one, ensuring that the array of detections from CrowdStrike"
      }
    }
  ],
  "connections": {
    "Pause 1 second": {
      "main": [
        [
          {
            "node": "Look up SHA in Virustotal",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger": {
      "main": [
        [
          {
            "node": "Get recent detections from Crowdstrike",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Split In Batches": {
      "main": [
        [
          {
            "node": "Split out behaviours",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create Jira issue": {
      "main": [
        [
          {
            "node": "Post notification on Slack",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Split out behaviours": {
      "main": [
        [
          {
            "node": "Pause 1 second",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Split out detections": {
      "main": [
        [
          {
            "node": "Get detection details",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get detection details": {
      "main": [
        [
          {
            "node": "Split In Batches",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Look up IOC in Virustotal": {
      "main": [
        [
          {
            "node": "Set behaviour descriptions",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Look up SHA in Virustotal": {
      "main": [
        [
          {
            "node": "Look up IOC in Virustotal",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Post notification on Slack": {
      "main": [
        [
          {
            "node": "Split In Batches",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Set behaviour descriptions": {
      "main": [
        [
          {
            "node": "Merge behaviour descriptions",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Merge behaviour descriptions": {
      "main": [
        [
          {
            "node": "Create Jira issue",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Get recent detections from Crowdstrike": {
      "main": [
        [
          {
            "node": "Split out detections",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}