From 10 Manual Actions to 1 Automated Workflow: Building a Brute-Force Attack Enrichment Pipeline with n8n + Video

Introduction:

Security Operations Centers (SOCs) are drowning in alerts. A single brute-force attack alert can require up to 10 distinct manual actions: logging into the SIEM, extracting the source IP, opening a browser, querying VirusTotal, checking AbuseIPDB, cross-referencing geolocation, documenting findings, assessing severity, escalating to the right analyst, and updating the ticket. That’s 10 steps per alert—and SOCs receive hundreds daily. The HAXCAMP Brute-Force Attack Enrichment Workflow reduces this entire chain to a single automated pipeline using n8n, an open-source workflow automation platform that functions as a lightweight SOAR (Security Orchestration, Automation, and Response) engine. This article walks through building that workflow, integrating threat intelligence APIs, and implementing automated enrichment that transforms raw alerts into actionable intelligence in seconds.

Learning Objectives:

  • Build a complete n8n workflow that automatically detects brute-force attack alerts, extracts suspicious source IP addresses, and enriches them with geolocation and threat intelligence data.
  • Integrate multiple threat intelligence APIs—including AbuseIPDB, VirusTotal, and GreyNoise—into a single automated enrichment pipeline.
  • Implement risk scoring logic and automated notification routing to reduce manual alert triage time from minutes to seconds.

1. Understanding the Brute-Force Enrichment Workflow Architecture

The HAXCAMP lab workflow follows a five-stage pipeline that transforms raw alert data into enriched, analyst-ready intelligence:

Stage 1: Alert Detection — The workflow ingests brute-force attack alerts from a SIEM (Splunk, Wazuh, or Elastic Security) via webhook. Alternatively, it can be triggered by a cron schedule that polls logs or by a manual trigger for testing.

Stage 2: IP Extraction — A Code node parses the incoming payload to extract the source IP address, username, timestamp, and affected host, and rejects anything that is not a well-formed IP before it can reach the API URLs built from it.

Stage 3: Threat Enrichment — The workflow branches into parallel HTTP Request nodes that query multiple threat intelligence APIs simultaneously, dramatically reducing execution time.

Stage 4: Risk Scoring — A Code node aggregates enrichment data, calculates a composite risk score, and classifies the threat severity (Low/Medium/High/Critical).

Stage 5: Notification & Response — The workflow routes enriched alerts to Slack, email, or ticketing systems (Jira, TheHive) and can optionally trigger automated blocking actions on firewalls or EDR platforms.

What this does: Replaces 10 minutes of manual investigation with 10 seconds of automated enrichment.
How to use it: Import the workflow JSON into n8n, configure API credentials, point your SIEM to the webhook URL, and activate the workflow.

2. Setting Up the n8n Environment

Before building the workflow, deploy n8n and configure the necessary credentials.

Linux Deployment (Docker):

# Pull and run n8n with persistent storage; the .env file (created below) holds the API keys
docker run -d \
  --name n8n \
  -p 5678:5678 \
  -v ~/.n8n:/home/node/.n8n \
  --env-file .env \
  -e N8N_SECURE_COOKIE=false \
  -e WEBHOOK_URL=http://your-server:5678 \
  n8nio/n8n

# Verify the container is running
docker ps | grep n8n

Note: `N8N_SECURE_COOKIE=false` and a plain-HTTP `WEBHOOK_URL` are lab-only settings. In production put n8n behind a TLS-terminating reverse proxy, set `WEBHOOK_URL` to the public HTTPS address (n8n uses it to build the webhook URLs it shows you), and drop the secure-cookie override.

Windows Deployment:

Run n8n via Docker Desktop with the same command above (from PowerShell, either put it on one line or use backticks instead of backslashes for line continuation). The standalone n8n desktop application has been discontinued, so Docker Desktop is the supported route.

Environment Variables for Secrets:

# Create a .env file with API keys (passed to the container with --env-file .env)
VT_API_KEY=your_virustotal_api_key
ABUSEIPDB_API_KEY=your_abuseipdb_api_key
GREYNOISE_API_KEY=your_greynoise_api_key
SLACK_WEBHOOK_URL=https://hooks.slack.com/services/xxx/yyy/zzz

Why this matters: Never hardcode API keys in workflow JSON; exported workflows get shared, and the keys go with them. Reference the keys from n8n Credentials (or, in a lab, through `$env` in expressions), keep the `.env` file readable only by the user running Docker (`chmod 600 .env`), and keep it out of version control.

3. Building the Alert Ingestion & IP Extraction Layer

Step 1: Add a Webhook Trigger

Create a new workflow in n8n and add a Webhook node. Configure it to listen on a path (e.g., /brute-force-alert) with HTTP Method POST, and enable the node's Authentication option (Header Auth or Basic Auth) so only your SIEM can post to it. This endpoint will receive POST requests from your SIEM when a brute-force attack is detected.

Sample Alert Payload (Splunk → n8n):

{
  "source": "splunk",
  "alertType": "brute_force",
  "sourceIP": "203.0.113.45",
  "destinationIP": "10.0.0.5",
  "affectedHost": "web-server-01",
  "affectedUser": "administrator",
  "timestamp": "2026-06-20T14:30:00Z",
  "rawLog": "Failed login attempt 50 times in 60 seconds",
  "eventID": "4625"
}

Step 2: Extract IP with a Code Node

Add a Code node after the Webhook (the older Function node is deprecated; the `$input` helper below is Code-node syntax) and use this JavaScript to normalize the data:

// Runs in a Code node in "Run Once for All Items" mode.
const alert = $input.first().json;
const sourceIP = alert.sourceIP || alert.src_ip || alert.ip_address;

// Validate IPv4 format (dotted quad, each octet 0-255). Anything that is not a
// plain IP is rejected here so it can never be spliced into the API URLs below.
const ipRegex = /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;

if (typeof sourceIP !== 'string' || !ipRegex.test(sourceIP)) {
  throw new Error(`Invalid source IP address extracted: ${JSON.stringify(sourceIP)}`);
}

return [{
  json: {
    sourceIP: sourceIP,
    username: alert.affectedUser || alert.user,
    host: alert.affectedHost || alert.host,
    timestamp: alert.timestamp,
    rawAlert: alert
  }
}];

What this does: Parses varying SIEM payload formats, extracts the source IP, validates it, and passes clean data to the enrichment nodes. The validation matters for more than tidiness: the IP is interpolated into the path of the VirusTotal, GreyNoise, and ip-api requests, so a payload field containing `../` or `?x=` must fail here rather than rewrite those requests. Note the regex accepts IPv4 only; an IPv6 attacker will make this node throw.

4. Multi-Source Threat Intelligence Enrichment

This is the core of the HAXCAMP workflow. Add one HTTP Request node per source, all wired from the extraction node, so the four lookups run in parallel, and feed their outputs into a Merge node (Append mode, four inputs) before the scoring step. Wherever a value below is written as `{{ ... }}`, that field must be in expression mode.

AbuseIPDB Enrichment (IP reputation and abuse score):

  • Method: GET
  • URL: `https://api.abuseipdb.com/api/v2/check`
  • Headers: `Key: {{$env.ABUSEIPDB_API_KEY}}`, `Accept: application/json`
  • Query Parameters: `ipAddress={{$json.sourceIP}}`, `maxAgeInDays=90`
  • Response: `data.abuseConfidenceScore` (0-100), `data.totalReports`, and related metadata. The free tier is limited to 1,000 checks per day.

VirusTotal Enrichment (malware detection and threat tags):

  • Method: GET
  • URL: `https://www.virustotal.com/api/v3/ip_addresses/{{$json.sourceIP}}`
  • Headers: `x-apikey: {{$env.VT_API_KEY}}`
  • Response: `data.attributes.last_analysis_stats` (malicious/suspicious/harmless/undetected engine counts), reputation, and associated domains. `malicious` counts engines, not confidence: a single low-quality engine flagging the IP still adds 15 points in the scoring below.

GreyNoise Enrichment (internet noise classification):

  • Method: GET
  • URL: `https://api.greynoise.io/v3/community/{{$json.sourceIP}}`
  • Headers: `key: {{$env.GREYNOISE_API_KEY}}`
  • Response: `noise` (true if the IP is mass-scanning the internet), `riot` (true if it belongs to a known benign business service), and `classification` (`benign`, `malicious`, or `unknown`). An IP GreyNoise has never observed comes back as HTTP 404 with `noise` and `riot` false and no `classification`, so set this node to continue on error or that branch will abort the whole run.

Geolocation Enrichment (ip-api; free, no API key required):

  • Method: GET
  • URL: `http://ip-api.com/json/{{$json.sourceIP}}`
  • Response: `country`, `regionName`, `city`, `isp`, `lat`/`lon`, and `query` (the IP that was looked up). The free tier is HTTP only (HTTPS is a paid feature) and limited to 45 requests per minute. Geolocation is context for the analyst, not evidence of malice, which is why it carries no weight in the risk score.

Merging the Results (Code node placed after the Merge node):

// The Merge node (Append mode) delivers one item per branch, in the order the
// branches are wired to its inputs: 1 = AbuseIPDB, 2 = VirusTotal,
// 3 = GreyNoise, 4 = ip-api. Rewire the inputs and these indexes must change.
const items = $input.all();
const abuseData = items[0].json;
const vtData = items[1].json;
const gnData = items[2].json;
const geoData = items[3].json;

// calculateRisk() from section 5 must be pasted into this same Code node;
// a Code node cannot call functions defined in another node.
const riskScore = calculateRisk(abuseData, vtData, gnData);

return [{
  json: {
    sourceIP: geoData.query || abuseData.data?.ipAddress,
    country: geoData.country,
    city: geoData.city,
    abuseScore: abuseData.data?.abuseConfidenceScore || 0,
    vtMalicious: vtData.data?.attributes?.last_analysis_stats?.malicious || 0,
    gnClassification: gnData.classification || 'unknown',
    riskScore: riskScore,
    // Inclusive lower bounds so this agrees with the routing table in section 5
    severity: riskScore >= 80 ? 'CRITICAL' : riskScore >= 60 ? 'HIGH' : riskScore >= 30 ? 'MEDIUM' : 'LOW'
  }
}];

5. Risk Scoring & Decision Logic

Implement a risk scoring algorithm that weights each intelligence source. Paste this function into the merge Code node above; the contributions cap at 40 + 40 + 20 = 100:

function calculateRisk(abuse, vt, gn) {
  let score = 0;

  // AbuseIPDB: the 0-100 confidence score contributes up to 40 points
  score += (abuse.data?.abuseConfidenceScore || 0) * 0.4;

  // VirusTotal: each engine flagging the IP as malicious adds 15 points, capped at 40
  const vtMalicious = vt.data?.attributes?.last_analysis_stats?.malicious || 0;
  score += Math.min(vtMalicious * 15, 40);

  // GreyNoise: "malicious" adds 20 points; "unknown" adds 10 (an IP GreyNoise has
  // never seen returns no classification at all and is treated the same way);
  // "benign" (RIOT) adds nothing
  if (gn.classification === 'malicious') score += 20;
  if (gn.classification === 'unknown' || !gn.classification) score += 10;

  return Math.min(Math.round(score), 100);
}

Automated Decision Branching:

Add a Switch node (or chained IF nodes) on `{{$json.severity}}` that routes the alert:

  • Critical (80-100): Send to urgent Slack channel + create Jira incident + optionally trigger firewall block (read section 7 before enabling the block).
  • High (60-79): Send to SOC team Slack + create ticket.
  • Medium (30-59): Send to email digest for review.
  • Low (0-29): Log to Google Sheets and archive.
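As an added example covering both the merge step in section 4 and the scoring and routing above (this is not the HAXCAMP workflow's own code), the block below identifies each API response by its documented shape instead of trusting Merge-node input order, tolerates a failed or skipped lookup instead of throwing, treats GreyNoise's 404 "never observed" body as `unknown`, uses inclusive thresholds that match the routing table, and refuses to let an alert with missing evidence fall into the archive branch. The sample responses are constructed; the field layouts follow the AbuseIPDB v2, VirusTotal v3, GreyNoise Community, and ip-api documentation.

```javascript
// Added example, not the HAXCAMP workflow's own code.
// Merges the four enrichment responses, scores the IP, and assigns the severity
// used by the routing table, without depending on Merge-node input order.

// Scoring weights from section 5: maximum 40 + 40 + 20 = 100.
const WEIGHTS = { abuse: 0.4, vtPerDetection: 15, vtCap: 40, gnMalicious: 20, gnUnknown: 10 };

// Recognise which API produced a response from its documented shape. Anything
// unrecognised (including an n8n error-output item) counts as a missing source.
function identifySource(body) {
  if (!body || typeof body !== 'object') return null;
  if (body.data && typeof body.data.abuseConfidenceScore === 'number') return 'abuseipdb';
  if (body.data && body.data.attributes && body.data.attributes.last_analysis_stats) return 'virustotal';
  if ('noise' in body && 'riot' in body) return 'greynoise';   // the 404 body matches too
  if (body.status === 'success' && typeof body.query === 'string') return 'ipapi';
  return null;
}

function mergeEnrichment(responses) {
  const bySource = { abuseipdb: null, virustotal: null, greynoise: null, ipapi: null };
  for (const r of responses) {
    const key = identifySource(r);
    if (key) bySource[key] = r;
  }
  return bySource;
}

// Same weighting as the article's calculateRisk(); a null source contributes nothing.
function calculateRisk(abuse, vt, gn) {
  let score = 0;
  if (abuse) score += (abuse.data.abuseConfidenceScore || 0) * WEIGHTS.abuse;
  if (vt) {
    const malicious = vt.data.attributes.last_analysis_stats.malicious || 0;
    score += Math.min(malicious * WEIGHTS.vtPerDetection, WEIGHTS.vtCap);
  }
  if (gn) {
    // GreyNoise returns 404 with no classification for IPs it has never seen;
    // treat that exactly like an explicit "unknown".
    const cls = gn.classification || 'unknown';
    if (cls === 'malicious') score += WEIGHTS.gnMalicious;
    else if (cls === 'unknown') score += WEIGHTS.gnUnknown;
  }
  return Math.min(Math.round(score), 100);
}

// Inclusive lower bounds: Critical 80-100, High 60-79, Medium 30-59, Low 0-29.
function severityFor(score) {
  if (score >= 80) return 'CRITICAL';
  if (score >= 60) return 'HIGH';
  if (score >= 30) return 'MEDIUM';
  return 'LOW';
}

function enrichRecord(sourceIP, responses) {
  const by = mergeEnrichment(responses);
  const missingSources = Object.keys(by).filter((k) => by[k] === null);
  const riskScore = calculateRisk(by.abuseipdb, by.virustotal, by.greynoise);
  let severity = severityFor(riskScore);
  // A lookup that failed must not quietly archive the alert: with incomplete
  // evidence, LOW is raised to MEDIUM so a human sees it in the digest.
  if (missingSources.length > 0 && severity === 'LOW') severity = 'MEDIUM';
  return {
    sourceIP,
    country: by.ipapi ? by.ipapi.country : null,
    city: by.ipapi ? by.ipapi.city : null,
    isp: by.ipapi ? by.ipapi.isp : null,
    abuseScore: by.abuseipdb ? by.abuseipdb.data.abuseConfidenceScore : null,
    abuseReports: by.abuseipdb ? by.abuseipdb.data.totalReports : null,
    vtMalicious: by.virustotal ? by.virustotal.data.attributes.last_analysis_stats.malicious : null,
    gnClassification: by.greynoise ? (by.greynoise.classification || 'unknown') : null,
    riskScore,
    severity,
    missingSources,
    confidence: missingSources.length === 0 ? 'full' : 'partial',
  };
}

// Constructed sample responses in the documented shapes (values are made up).
const SAMPLE_ABUSE = { data: { ipAddress: '203.0.113.45', abuseConfidenceScore: 100, totalReports: 412 } };
const SAMPLE_VT = { data: { id: '203.0.113.45', attributes: { last_analysis_stats: { malicious: 5, suspicious: 1, harmless: 60, undetected: 20 } } } };
const SAMPLE_GN = { ip: '203.0.113.45', noise: true, riot: false, classification: 'malicious', name: 'unknown' };
const SAMPLE_GN_404 = { ip: '203.0.113.45', noise: false, riot: false, message: 'IP not observed scanning the internet or contained in RIOT data set.' };
const SAMPLE_GEO = { status: 'success', country: 'Netherlands', city: 'Amsterdam', isp: 'Example ISP', query: '203.0.113.45' };

console.log(enrichRecord('203.0.113.45', [SAMPLE_GEO, SAMPLE_GN, SAMPLE_VT, SAMPLE_ABUSE]));
```

Inside n8n the Code node body reduces to `return [{ json: enrichRecord($json_ip, $input.all().map((i) => i.json)) }]`, with the IP read from the extraction node (for example `$('Extract IP').first().json.sourceIP`, where the node name is yours to choose); the Switch node then routes on `severity` exactly as the table above describes, and `missingSources` tells the analyst which lookups to redo by hand.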

6. Notification & Ticketing Integration

Slack Notification (HTTP Request node):

  • Method: POST
  • URL: `{{$env.SLACK_WEBHOOK_URL}}`
  • Body Content Type: JSON, with the body field in expression mode so the `{{$json.*}}` values resolve:

{
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "🚨 Brute-Force Attack Enriched Alert"
      }
    },
    {
      "type": "section",
      "fields": [
        {"type": "mrkdwn", "text": "Source IP:\n{{$json.sourceIP}}"},
        {"type": "mrkdwn", "text": "Country:\n{{$json.country}}"},
        {"type": "mrkdwn", "text": "Abuse Score:\n{{$json.abuseScore}}/100"},
        {"type": "mrkdwn", "text": "Severity:\n{{$json.severity}}"}
      ]
    },
    {
      "type": "section",
      "text": {
        "type": "mrkdwn",
        "text": "VirusTotal: {{$json.vtMalicious}} malicious detections\nGreyNoise: {{$json.gnClassification}}"
      }
    }
  ]
}

If you add the target username, hostname, or raw log line to the message, remember that those strings come from the attacker's own login attempts. Escape `&`, `<`, and `>` before interpolating them into `mrkdwn` text; unescaped, a username such as `<!channel>` pings everyone in the channel, and `<https://evil.example|click here>` renders as a link.

Jira Ticket Creation (HTTP Request node, or the built-in Jira Software node):

  • Method: POST
  • URL: `https://your-domain.atlassian.net/rest/api/2/issue`
  • Authentication: select a stored Basic Auth credential (username = your Atlassian account e-mail, password = an API token) rather than hand-building an `Authorization: Basic <base64(email:api_token)>` header in an expression, which would embed the token in the workflow JSON.
  • Headers: `Content-Type: application/json`
  • Body: Create an issue with a summary, a description containing all enrichment data, and a priority matching the severity.
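As an added example (not the HAXCAMP workflow's own code), the functions below build the Slack Block Kit body and the Jira issue body from one enriched record, escaping and truncating every attacker-influenced field before it reaches Slack `mrkdwn`. The Jira priority names are the Jira Cloud defaults and the `Incident` issue type is an assumption; the sample record is constructed and deliberately carries a Slack injection attempt in the username.

```javascript
// Added example, not the HAXCAMP workflow's own code.
// Builds the Slack and Jira request bodies from an enriched record, escaping
// attacker-controlled text so a crafted username cannot inject <!channel>
// pings, fake links or oversize blocks into the SOC channel.

const MAX_RAW_LOG = 300;   // keep the raw log excerpt well under Slack's 3000-char block limit

// Slack requires these three characters to be escaped in text that is not meant
// as markup; this also neutralises <!here>, <!channel> and <url|label>.
function escapeMrkdwn(value) {
  return String(value ?? 'n/a')
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function excerpt(text, max = MAX_RAW_LOG) {
  const s = String(text ?? '');
  return s.length > max ? `${s.slice(0, max)}...` : s;
}

function buildSlackMessage(rec) {
  const field = (label, value) => ({ type: 'mrkdwn', text: `*${label}:*\n${escapeMrkdwn(value)}` });
  return {
    blocks: [
      { type: 'header', text: { type: 'plain_text', text: 'Brute-Force Attack Enriched Alert' } },
      {
        type: 'section',
        fields: [
          field('Source IP', rec.sourceIP),
          field('Country', rec.country),
          field('Abuse Score', `${rec.abuseScore ?? 'n/a'}/100`),
          field('Severity', rec.severity),
          field('Target user', rec.username),
          field('Target host', rec.host),
        ],
      },
      {
        type: 'section',
        text: {
          type: 'mrkdwn',
          text: `VirusTotal: ${escapeMrkdwn(rec.vtMalicious ?? 'n/a')} malicious detections\n` +
            `GreyNoise: ${escapeMrkdwn(rec.gnClassification)}\n` +
            `Raw log: \`${escapeMrkdwn(excerpt(rec.rawLog))}\``,
        },
      },
    ],
  };
}

// Jira Cloud default priority names (assumed; adjust to your priority scheme).
const JIRA_PRIORITY = { CRITICAL: 'Highest', HIGH: 'High', MEDIUM: 'Medium', LOW: 'Low' };

// REST API v2 issue body. The description is plain text / wiki markup, so no
// mrkdwn escaping is needed, but the raw log is still truncated.
function buildJiraIssue(rec, projectKey, issueType = 'Incident') {
  const lines = [
    `Source IP: ${rec.sourceIP}`,
    `Geo: ${rec.city ?? 'n/a'}, ${rec.country ?? 'n/a'} (${rec.isp ?? 'n/a'})`,
    `AbuseIPDB confidence: ${rec.abuseScore ?? 'n/a'}/100`,
    `VirusTotal malicious detections: ${rec.vtMalicious ?? 'n/a'}`,
    `GreyNoise classification: ${rec.gnClassification ?? 'n/a'}`,
    `Risk score: ${rec.riskScore} (${rec.severity})`,
    `Target: ${rec.username ?? 'n/a'}@${rec.host ?? 'n/a'}`,
    `Raw log: ${excerpt(rec.rawLog)}`,
  ];
  return {
    fields: {
      project: { key: projectKey },
      issuetype: { name: issueType },
      summary: `[${rec.severity}] Brute-force from ${rec.sourceIP} against ${rec.host ?? 'unknown host'}`,
      description: lines.join('\n'),
      priority: { name: JIRA_PRIORITY[rec.severity] || 'Medium' },
      labels: ['brute-force', 'auto-enriched'],
    },
  };
}

// Constructed enriched record; the username carries a Slack injection attempt.
const SAMPLE_RECORD = {
  sourceIP: '203.0.113.45', country: 'Netherlands', city: 'Amsterdam', isp: 'Example ISP',
  abuseScore: 100, vtMalicious: 5, gnClassification: 'malicious', riskScore: 100, severity: 'CRITICAL',
  username: '<!channel> administrator', host: 'web-server-01',
  rawLog: 'Failed login attempt 50 times in 60 seconds <https://evil.example|click here>',
};

console.log(JSON.stringify(buildSlackMessage(SAMPLE_RECORD), null, 2));
console.log(JSON.stringify(buildJiraIssue(SAMPLE_RECORD, 'SEC'), null, 2));
```

In n8n, either paste these two builders into a Code node that emits `{ json: { slack: ..., jira: ... } }` and point the HTTP Request nodes at those sub-objects, or keep the article's expression-based body and apply `escapeMrkdwn` in the Code node that produces the record.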

7. Hardening & Production Considerations

Webhook Authentication: The Webhook node accepts whatever is POSTed to its path. Left open, anyone who can reach it can inject fabricated alerts, burn your threat-intelligence API quota, and, if the Critical branch triggers a firewall block, get an arbitrary address blocked just by naming it as `sourceIP`. At minimum enable the Webhook node's built-in Header Auth or Basic Auth credential; for integrity and replay protection, have the SIEM sign the request body with a shared secret and verify the signature in the first Code node before anything else runs.

API Rate Limiting: Use the HTTP Request node's Retry On Fail setting (with a wait between tries) and a Wait node between batches to respect API rate limits (e.g., VirusTotal's free tier allows 4 requests per minute and 500 per day). Cache results per IP for a few hours: the same attacker address usually fires many alerts in a row, and re-enriching each one is wasted quota.

Error Handling: Set each HTTP Request node's On Error setting (formerly Continue On Fail) so one failed lookup does not stop the pipeline, and carry a "partial enrichment" flag into the scoring step rather than treating a missing source as a clean result. Use a separate Error Workflow, started by an Error Trigger node, to report executions that fail outright to a dedicated channel.

Credential Security: Store API keys in n8n's built-in credential store, which is encrypted at rest with `N8N_ENCRYPTION_KEY` (back that key up; without it the credentials are unrecoverable), and use credential sharing and RBAC where your n8n plan provides them. Prefer this over environment variables read through `$env`: any user who can edit an expression can read `$env`. Once the keys are migrated, set `N8N_BLOCK_ENV_ACCESS_IN_NODE=true` to close that path.

Outbound Data Hygiene: Never send private, loopback, or link-local addresses to public reputation APIs; they have no reputation, and the lookups leak your internal addressing. ip-api's free tier is plain HTTP, so every IP you look up travels in cleartext; use a paid HTTPS tier or a local GeoIP database if that matters.

Automated Blocking: Gate any firewall or EDR block behind a confirmation step (a Slack approval, or a Wait node set to resume on a webhook call) and an allowlist of addresses that must never be blocked (VPN egress, monitoring systems, partner ranges). A single false positive in an auto-block branch is a self-inflicted outage.

Logging & Audit: Add a Google Sheets (or database) node at the end of the workflow to log every enriched alert for compliance and audit purposes. That log contains usernames, hostnames, and attacker IPs, so restrict access to it like any other security log.

What Undercode Say:

  • Key Takeaway 1: The HAXCAMP Brute-Force Attack Enrichment Workflow transforms a 10-step manual SOC process into a single automated pipeline, reducing alert triage time from minutes to seconds using n8n as a lightweight SOAR engine.

  • Key Takeaway 2: Multi-source threat intelligence enrichment—combining AbuseIPDB, VirusTotal, GreyNoise, and geolocation APIs—provides comprehensive attacker context that enables faster, more accurate incident response decisions.

Analysis: The most significant insight from this lab is that SOC automation isn't just about moving data faster; it's about absorbing the investigative first pass. Traditional SOAR playbooks automate the mechanical steps (trigger fires, ticket opens, team gets pinged), while the lookup work (querying the IP, weighing the sources, assessing severity) stays manual. The multi-source enrichment and rule-based risk scoring here take over that pass and hand the analyst a scored record rather than raw data. Note that nothing in this workflow is AI-driven: the score is a deterministic weighted sum, which is what makes it auditable and tunable. The Code node that produces the record is also the natural place to attach an LLM summarisation step later, which is where the broader industry shift toward AI-assisted SOC triage is heading. For SOC teams drowning in alert fatigue, this approach isn't just an efficiency gain; it's a necessity.

Prediction:

  • +1 The democratization of SOAR capabilities through open-source platforms like n8n will accelerate SOC automation adoption among mid-market organizations that cannot afford enterprise SOAR solutions.

  • +1 AI-powered enrichment layers will increasingly replace Tier 1 SOC analysts for initial alert triage, shifting human expertise toward threat hunting and complex incident response.

  • -1 The reliance on third-party threat intelligence APIs introduces supply chain risks—if an API goes down or changes its pricing model, the entire enrichment pipeline can fail.

  • -1 Attackers will adapt by leveraging IP rotation, VPNs, and botnets to evade reputation-based detection, necessitating behavioral analytics and machine learning-based anomaly detection as complementary layers.

  • +1 The integration of MITRE ATT&CK mapping into enrichment workflows will become standard, enabling automated technique attribution and playbook selection.

  • +1 Organizations that implement brute-force enrichment workflows should see measurable reductions in mean time to detect (MTTD) and mean time to respond (MTTR) for this alert class; the size of the gain depends on how much of the ten-step triage was genuinely manual before, so measure it against your own baseline rather than quoted figures.

▶️ Related Video (76% Match):

https://www.youtube.com/watch?v=0kpE7xjgoHc


IT/Security Reporter URL:

Reported By: Brute Force – Hackers Feeds
