---

Objective:

• Create an n8n Workflow that performs the following automated process:         

• Fetching security alerts (detections) from CrowdStrike EDR.             

• Converting the technical alerts into simple, understandable language using Artificial Intelligence (AI).             

• Sending personalized awareness emails to users explaining the error and how to avoid it.

---

1️⃣ Pre-requisites

Before building the workflow, we configured the following:

1. Installing and Running n8n (Docker / WSL):

• First thing is installing N8N    

• Direct steps | link

2. Adding the Generative Language API (Gemini) and connecting it to n8n:

• Connecting n8n to the Gemini API (from Google Cloud)

• I went to: APIs & Services => Library

• And then searched for gemini api

• And then made it Enable.

• And then clicked on Create Credential:

• Choosing the Credential type:

• And then: What data will you be accessing :

  • Application data

• And then Next:

• Service account name: n8n-gemini-ai-agent

• Service account ID: Created automatically

• Service account description: Used for connecting n8n workflows to Gemini API

• Then Create and Continue

• Permissions:

• I looked through them but will leave them as they are for now; if I need to change something, I will come back to it, and the next step too, because it says (options) next to them.

• Then I went to APIs & Services => Credentials

• Clicked on Service Accounts: Service account details: n8n-gemini-ai-agent

• And then Keys:

• Add Keys => Json (Recommended) => Create

• Then, to add the dedicated AI Agent for Gemini in n8n:

• To configure this credential, you'll need:

  • The API Host URL: Both PaLM and Gemini use the default https://generativelanguage.googleapis.com.

• An API Key: Create a key in Google AI Studio:

• Of course, the API Key we created above, I'll Copy it, and add it in the API Key

• And that's it, we are ready:

3. Creating a Gmail App Password for sending emails:

• Since Gmail no longer allows direct login with username & password, we:         

• Enabled 2-Step Verification on the Gmail account.             

• Generated an App Password via:  Google Account → Security → App Passwords → Select App: Mail → Select Device: Other (Custom name: n8n)| link        

• Copied the 16-character password generated by Google.             

• Added it in n8n’s Email Credential settings (type: “Gmail SMTP”).    

• Host: smtp.gmail.com         

• Port: 465     

• Enable SSL/TLS     

• Client Host Name: localhost

This allows the workflow to send automated reports securely via Gmail.

4. Setting up CrowdStrike API credentials:

• URL: your_URL

• Client ID: your_Client_ID

• Client Secret : Your_Client_Secret

• Allowed HTTP Request Domains: ALL

That's all set; we have almost added everything we need. Now, let's start the Workflow.

---

2️⃣ Workflow Breakdown

Step 1: Scheduled Trigger

The purpose is for the Workflow to run automatically every 10 minutes.

• Node: Cron     

• Settings:

Mode: Every X Minutes 
Every: 10

✅ The workflow will now automatically start running every 10 minutes without your intervention.

---

Step 2: CrowdStrike API Setup (Fetch Alert IDs)

• The second Node will be: CrowdStrike HTTP Request         

• This will connect to the CrowdStrike API.

• Settings:

• HTTP Method : GET

• URL : https:your_URL/alerts/queries/alerts/v2

• Execute step :

Add Filter : product:’epp’ + timestamp: >= ’now-18d’

• Enable : Send Query Parameters :

• Specify Query Parameters : Using Fields Below

• Query Parameters :

• Name : filter

• Value :

product:'epp'+timestamp:>='now-18d'

• Purpose: Fetch a list of Alert IDs.

---

Step 3: Split Alerts

• Node: Split In Batches / Split Out Items :

Goal: Split the JSON so that each Alert becomes an independent item to be handled easily later.

---

Step 4: CrowdStrike API – Alert Details

• Method : POST

• Credential for CrowdStrike : CrowdStrike API

• URL : https://api.us-2.crowdstrike.com/alerts/entities/alerts/v2

• Send Body :

• Json

• Using Json :

{
  "composite_ids": ["{{$json["resources"]}}"]
}

Purpose: Get the details of each Alert using the IDs.

---

Step 5: AI Conversion – Google Gemini

• Node: Generative Language API

• Credential: Gemini API

• Resource : Text

• Operation : massage a Model

• Model : models/gemini-2-5.pro

• Prompt :

You are a Cybersecurity Awareness Assistant.
Write a short, friendly, and easy-to-understand email to the employee about the next CrowdStrike alert.
{{ JSON.stringify($json, null, 2) }}
Explain in clear, human language what happened and how they can avoid it next time.
The person reading this message will be a layperson with little to no technical expertise.
Reply to me with the text of the person's response or conversation, without a subject line, and provide the HTML version of your reply.

Sends the alert details to the AI Agent (Google Gemini) to generate a clear and friendly email text that explains to the non-technical employee what happened and how to avoid the issue.

---

Step 6: Send Email

• Node: SMTP / Gmail

• Credential: Gmail App Password

• From: youremail

• To: send to email

• Subject: soartask Abdelwahab Shandy

• Body:

{{$json["content"]["parts"][0]["text"].match(/<html[\s\S]*<\/html>/)[0]}}

To extract the HTML version of the response text received from Gemini.

• I already did a test with my own email :

• And the second one :

• Goal: Send the clear email to the employee without repeating emails.

The same email was sent to the specific email: AnyEmail

---

Resources :

• https://docs.n8n.io/integrations/builtin/credentials/googleai/