09.SOAR N8N Workflow

Objective

This workflow will automatically:

Extract destination IP addresses from the Fluent Bit index in Elasticsearch.

Send each IP to VirusTotal for reputation analysis.

Filter malicious or suspicious IPs based on VirusTotal results.

Send an email alert containing only those IPs to the analyst (in this case, my own email address) with the required subject format:

bash GROUP#_Abdelwahab_Shandy

🧱 Pre-requisites

Before building the workflow, we configured the following:

1️⃣ VirusTotal API Key

Logged in to VirusTotal.
Navigated to User Profile → API Key.
Copied the key and stored it securely.
Used it later inside n8n’s HTTP Request (VirusTotal) node to authenticate API requests.

2️⃣ Elasticsearch API Credential

Created a new Credential in n8n:
Type: Elasticsearch API
Auth Method: Elasticsearch Account
Username: elastic
Password: (The one obtained during ELK setup)
Host URL: https://192.168.1.16:9200

This allows n8n to securely fetch logs directly from our ELK SIEM index.

3️⃣ Email App Password

Since Gmail no longer allows direct login with username & password, we:
Enabled 2-Step Verification on the Gmail account.
Generated an App Password via:\ Google Account → Security → App Passwords → Select App: Mail → Select Device: Other (Custom name: n8n) | link
Copied the 16-character password generated by Google.
Added it in n8n’s Email Credential settings (type: “Gmail SMTP”).
Host : smtp.gmail.com
Port : 465
Enable SSL/TLS
Client Host Name : localhost

This allows the workflow to send automated reports securely via Gmail.

⚡ Workflow Breakdown

Step 1 – Trigger the Workflow

Node: Manual Trigger\ The workflow starts manually from the n8n UI.

Step 2 – Retrieve Logs from Elasticsearch

Node: HTTP Request → Elasticsearch API
Method: POST
Endpoint:

bash https://192.168.1.16:9200/lab-abdelwahabshandy-fluentbit/_search
Body:

bash { "_source": ["DestinationIP"], "query": { "exists": { "field": "DestinationIP" } } }
Credential Used: Elasticsearch Account\ ✅ Purpose: Fetch all logs containing a Destination IP field.

Step 3 – Extract IPs

Node: Function
Extracts DestinationIP values from the logs.
Creates a clean list of IPs for further analysis.

Step 4 – Check IP Reputation

Node: HTTP Request → VirusTotal API
Method: GET
URL:

bash https://www.virustotal.com/api/v3/ip_addresses/{{ $json["DestinationIP"] }}
Header:

bash x-apikey: <your_virustotal_api_key>
Credential Used: None (direct API key header).\ ✅ Purpose: Query VirusTotal to check if the IP is malicious.

Step 5 – Filter Malicious IPs

Node: IF / Filter
Condition:

bash {{$json["data"]["attributes"]["last_analysis_stats"]["malicious"]}}

✅ Keeps only IPs flagged as malicious by VirusTotal.

Step 6 – Aggregate Malicious IPs

Node: Merge or Function Node
Collects all filtered malicious IPs into a single list.
Prepares them for reporting.

Step 7 – Send Email Report

Node: Email Send (Gmail)
From: (Your Gmail account configured with App Password)
To: (Your email or team address)
Subject:

bash GROUP1_ABDELWAHAB_SHANDY
Body Example:

```plaintext Malicious IPs Detected

The following suspicious IP addresses have been flagged: {{ $json.allMalicious.map(ip => "- " + ip.data.id).join("\n") }}

I hope I will do well in the exam. Abdelwahab Ahmed Abdelwahab Shandy ```

✅ Final Result

By the end of this workflow:

Logs are automatically retrieved from Elasticsearch.
IPs are analyzed in real-time via VirusTotal.
Malicious IPs are filtered and reported automatically to your inbox.

This completes the SOAR Integration, turning your SIEM into a proactive detection and response system.

This marks the completion of my full SOC Engineering Lab — a hands-on journey where I built a complete SIEM and SOAR environment from scratch. Seeing everything work together in real time was the best part — transforming logs into insights, and insights into automated actions.