Intermediate Pro

Splunk + n8n: Automated IP Enrichment

Automate IP Address Threat Intelligence and Incident Response using Splunk and n8n.

Self-Paced by Aman Gupta

Overview

This project demonstrates how to build a Security Orchestration, Automation, and Response (SOAR) workflow.

It starts with Splunk, which is configured to detect a potential brute-force attack by monitoring repeated failed SSH logins. When more than three failures from the same IP address are detected within a 24-hour window, Splunk triggers an alert.

This alert sends a webhook containing the attacker's IP to an n8n workflow. The n8n workflow then enriches this IP by querying two threat intelligence services: VirusTotal and AlienVault OTX.

After merging and processing the data, a risk status ("Safe" or "Suspicious") is determined. If an IP is deemed suspicious, an incident ticket is automatically created in ServiceNow, and notifications are sent via Slack and Gmail, complete with a detailed HTML report.

Security Note: Ensure your n8n webhook URL is not publicly exposed without authentication. All API keys and credentials should be stored securely within n8n's credential manager.
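The pipeline described in the overview (alert webhook in, enrichment from two sources, merged record, Safe/Suspicious decision, ticket and HTML report out) and the webhook-authentication point in the security note, shown as one worked example in Python. This is an added illustration, not the course's n8n workflow or any vendor's code: the shared header token, the field name src_ip, the Safe/Suspicious thresholds, and the VirusTotal and OTX responses are constructed stand-ins for what the real nodes would fetch with credentials held in n8n's credential manager.

```python
# Added example: a Python stand-in for the n8n enrichment and decision steps.
# All names, thresholds and sample API responses below are constructed.
import hmac
import html

# Assumption: the n8n Webhook node is protected with a shared header token, so the
# endpoint is not reachable unauthenticated (the page's security note).
WEBHOOK_TOKEN = "constructed-shared-secret"

# Constructed responses shaped like VirusTotal v3 /ip_addresses/{ip} and
# OTX /indicators/IPv4/{ip}/general; a real workflow would call the APIs instead.
SAMPLE_VT = {
    "10.0.0.5": {"data": {"attributes": {"last_analysis_stats":
                 {"malicious": 0, "suspicious": 0, "harmless": 80}}}},
    "203.0.113.7": {"data": {"attributes": {"last_analysis_stats":
                    {"malicious": 6, "suspicious": 1, "harmless": 70}}}},
}
SAMPLE_OTX = {
    "10.0.0.5": {"pulse_info": {"count": 0, "pulses": []}},
    "203.0.113.7": {"pulse_info": {"count": 3,
                    "pulses": [{"name": "SSH brute-force scanners"}]}},
}


def authorize_webhook(headers):
    """Constant-time comparison of the shared token before any processing."""
    return hmac.compare_digest(headers.get("X-Webhook-Token", ""), WEBHOOK_TOKEN)


def parse_splunk_alert(payload):
    """Splunk's webhook alert action posts the triggering row under "result".
    The field name src_ip is assumed from the brute-force search."""
    ip = payload.get("result", {}).get("src_ip")
    if not ip:
        raise ValueError("alert payload has no src_ip field")
    return ip


def enrich(ip, vt_lookup=SAMPLE_VT, otx_lookup=SAMPLE_OTX):
    """Merge both sources into one flat record (the n8n Merge step)."""
    vt = (vt_lookup.get(ip, {}).get("data", {}).get("attributes", {})
          .get("last_analysis_stats", {}))
    otx = otx_lookup.get(ip, {}).get("pulse_info", {})
    return {
        "ip": ip,
        "vt_malicious": vt.get("malicious", 0),
        "vt_suspicious": vt.get("suspicious", 0),
        "otx_pulses": otx.get("count", 0),
        "otx_pulse_names": [p.get("name", "") for p in otx.get("pulses", [])],
    }


def risk_status(record, vt_threshold=1, otx_threshold=1):
    """Assumed rule: any VT malicious verdict or any OTX pulse means Suspicious."""
    if record["vt_malicious"] >= vt_threshold or record["otx_pulses"] >= otx_threshold:
        return "Suspicious"
    return "Safe"


def html_report(record, status):
    """HTML body for the Slack/Gmail notification; every value is escaped."""
    rows = "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in record.items())
    return f"<h2>IP {html.escape(record['ip'])}: {status}</h2><table>{rows}</table>"


def servicenow_incident(record, status):
    """Incident fields for ServiceNow; only Suspicious IPs get a ticket."""
    if status != "Suspicious":
        return None
    names = ", ".join(record["otx_pulse_names"]) or "none"
    return {
        "short_description": f"Suspicious IP {record['ip']} after repeated SSH failures",
        "description": (f"VirusTotal malicious={record['vt_malicious']}, "
                        f"OTX pulses={record['otx_pulses']} ({names})"),
        "urgency": "2",
    }


def handle_alert(headers, payload):
    """End to end: authorize -> parse -> enrich -> decide -> act."""
    if not authorize_webhook(headers):
        return {"status": "rejected"}
    ip = parse_splunk_alert(payload)
    record = enrich(ip)
    status = risk_status(record)
    return {"status": status, "record": record,
            "incident": servicenow_incident(record, status),
            "report": html_report(record, status)}


if __name__ == "__main__":
    sample = {"search_name": "SSH brute force",
              "result": {"src_ip": "203.0.113.7", "count": "7"}}
    out = handle_alert({"X-Webhook-Token": WEBHOOK_TOKEN}, sample)
    print(out["status"], out["incident"])
```

The token check runs before the payload is even parsed, so a webhook reached without the header does nothing, and the HTML report escapes every field so an attacker-controlled pulse name or IP string cannot inject markup into the Slack or Gmail message.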

What You'll Learn

  • Splunk Alerting

    Create custom alerts in Splunk using Search Processing Language (SPL) to detect specific security events.

  • Webhook Integration

    Use Splunk webhooks to trigger external automation workflows in real-time.

  • API-based Enrichment

    Integrate with third-party security APIs like VirusTotal and AlienVault to enrich data.

  • Workflow Automation

    Build a multi-step automation workflow in n8n to process, analyze, and act on security data.

  • Automated Incident Response

    Automatically create incidents in ServiceNow and send multi-channel notifications via Slack and email.

About Trainer

Aman Gupta

Aman Gupta is an emerging voice in automation-driven cybersecurity, combining strong engineering skills with a passion for knowledge sharing. He has worked on advanced projects spanning security monitoring, intelligent alerting, process automation, and AI-powered decision systems. With experience bridging software engineering and modern DevSecOps practices, Aman focuses on simplifying complex technologies into practical, real-world applications.

Related Projects

Apache Server Log Analysis using Splunk
Pro Intermediate

Detecting Brute Force, SQL Injection, XSS, and Suspicious Web Activity from Apache Access Logs with Splunk SIEM

Wazuh + n8n + Anyrun: Automated Malware Analysis
Pro Intermediate

Automate malware analysis by sending Wazuh-detected suspicious files into ANY.RUN, retrieving detailed reports and IOCs, and integrating results back into your SOC workflow.

Apache Web Server Log Monitoring using Wazuh
Pro Beginner

Real-time detection of HTTP errors, brute-force and suspicious requests from Apache logs