Automate Wazuh Alert Triage and Reporting with GP-40-mini and Telegram - n8n Workflow | Neura Market
Automate Wazuh Alert Triage and Reporting with GP-40-mini and Telegram
### Are alert storms overwhelming your Security Operations workflows?
This n8n workflow supercharges your SOC by fully automating triage, analysis, and notification for Wazuh alerts—blending event-driven automation, OpenAI-powered contextual analysis, and real-time collaboration for incident response.
### Key Features:
### Automated Triage:
Instantly filters Wazuh alerts by severity to focus analyst effort on the signals that matter.
### AI-Driven Investigation Reports:
Uses OpenAI's **GPT-4-mini** to auto-generate **context-rich incident reports**, including:
- MITRE tactic & technique mapping
- Impacted scope (IP addresses, hostnames)
- External artifact reputation checks
- Actionable security recommendations
- Fully customizable prompt format aligned with your SOC playbooks
### Multi-Channel Notification
Delivers clean, actionable reports directly to your **SOC team via Telegram**. Easily extendable to Slack, Outlook, Gmail, Discord, or any other preferred channel.
### Noise Reduction
Eliminates alert fatigue using **smart filters** and **custom AI prompts** that suppress false positives and highlight real threats.
### Fully Customizable
Tweak severity thresholds, update prompt logic, or integrate additional data sources and channels—all with minimal effort.
---
## How It Works
1. **Webhook** Listens for incoming Wazuh alerts in real-time.
2. **If Condition** Filters based on severity (`1 low`, `2 medium`, etc.) or other logic you define.
3. **AI Investigation (LangChain + OpenAI)** Summarizes full alert logs and context using custom prompts to generate:
- Incident Overview
- Key Indicators
- Log Analysis
- Threat Classification
- Risk Assessment
- Security Recommendations
4. **Notification Delivery** The report is parsed, cleaned, and sent to your SOC team in real-time, enabling rapid response—even during high-alert volumes.
5. **No-Op Path** Efficiently discards irrelevant alerts without breaking the flow.
---
## Why n8n + AI?
Traditional alert triage is **manual**, **slow**, and **error-prone**—leading to analyst burnout and missed critical threats.
This workflow shows how combining **workflow automation** with a **tailored AI model** enables your SOC to shift from **reactive** to **proactive**. Analysts can now:
- Focus on **critical investigations**
- Respond to alerts **faster**
- Eliminate **copy-paste fatigue**
- Get instant **contextual summaries**
> **Note:** We learned that generic AI isn't enough. Context-rich prompts and alignment with your actual SOC processes are key to meaningful, scalable automation.
---
## Ready to build a smarter, less stressful SOC?
Clone this workflow, adapt it to your processes, and never miss a critical alert again.
Contributions welcome! Feel free to raise PRs, suggest new enhancements, or fork for your own use cases.
---
**Created by [Mariskarthick M](https://www.linkedin.com/in/mariskarthickm/)** Senior Security Analyst | Detection Engineer | Threat Hunter | Open-Source Enthusiast
Platform
n8n
Category
IT & Development
Price
Free
Creator
mariskarthick
Github
if
noOp
webhook
telegram
lmChatOpenAi
chainSummarization
How to import this workflow into n8n
1Purchase or download the workflow to get the n8n workflow JSON file.
2In your n8n instance, open Workflows and choose "Import from File" (or paste the JSON with Ctrl+V on the canvas).
3Open each node marked with a credential warning and connect your own accounts and API keys.
4Run the workflow once manually to verify the data flow, then toggle it to Active.