<2min Alert to Notification
60% Triage Reduction
5 Automation Workflows
24/7 Automated Coverage

Problem

Manual alert triage was consuming the majority of analyst time on low-value, repetitive tasks: enriching IPs, creating tickets, sending notifications. This left insufficient time for meaningful investigation of high-fidelity alerts. We needed to automate the repetitive layer so analysts could focus on analysis.

Architecture

Wazuh Manager (Alert Generated)
    |
    v
Wazuh Webhook Integration
    |
    v
n8n Automation Platform
    |-- IP Reputation (VirusTotal + AbuseIPDB)
    |-- Asset Lookup (Internal CMDB)
    |-- Threat Intel Enrichment
    |-- JIRA Ticket Creation
    |-- Telegram Alert Notification
    |-- Severity-based Routing

Automation Workflows

Workflow 1: Alert Notification

// n8n Webhook payload from Wazuh
{
  "alert_level": 12,
  "rule_description": "Brute force attack detected",
  "agent_name": "DESKTOP-001",
  "src_ip": "203.0.113.45",
  "timestamp": "2025-06-01T14:30:00Z"
}

// Telegram message formatted:
[CRITICAL] Brute Force Detected
Host: DESKTOP-001
Source IP: 203.0.113.45
VT Score: 8/90 malicious
AbuseIPDB: High confidence malicious
Action Required: Investigate immediately
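As an added example (not the project's own n8n workflow), the following Python mirrors the severity-based routing and Telegram formatting step: it takes the webhook fields shown above plus stand-in enrichment results and returns the routing decision and the message text, omitting enrichment for internal sources and the action line for non-critical alerts. The rule-level thresholds, the AbuseIPDB confidence buckets and the rule that RFC 1918 sources skip reputation lookups are assumptions, not settings from the page.

```python
import ipaddress
from typing import Optional

# Constructed sample alert, same fields as the Wazuh webhook body above.
SAMPLE_ALERT = {"alert_level": 12, "rule_description": "Brute force attack detected",
                "agent_name": "DESKTOP-001", "src_ip": "203.0.113.45",
                "timestamp": "2025-06-01T14:30:00Z"}
# Constructed stand-in for the VirusTotal / AbuseIPDB lookup results.
SAMPLE_ENRICHMENT = {"vt_malicious": 8, "vt_total": 90, "abuseipdb_confidence": 95}
# RFC 1918 ranges: internal sources go to the CMDB lookup, not to reputation APIs (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; unparseable strings are treated as internal (no lookup)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)

def route_severity(level: int) -> str:
    """Map a Wazuh rule level (0-15) to a routing tier; thresholds are assumed, not from the page."""
    if level >= 12:
        return "CRITICAL"  # Telegram + JIRA ticket + immediate-action line
    if level >= 7:
        return "HIGH"      # Telegram + JIRA ticket
    return "LOW"           # logged only, no notification

def abuse_label(confidence: int) -> str:
    """Assumed bucketing of the AbuseIPDB 0-100 confidence score."""
    if confidence >= 75:
        return "High confidence malicious"
    return "Suspicious" if confidence >= 25 else "No abuse reports"

def build_notification(alert: dict, enrichment: Optional[dict]) -> dict:
    """Render the Telegram text and the routing decision for one alert."""
    tier = route_severity(int(alert.get("alert_level", 0)))
    lines = [f"[{tier}] {alert.get('rule_description', 'Unknown rule')}",
             f"Host: {alert.get('agent_name', 'unknown')}"]
    src_ip = alert.get("src_ip")
    if src_ip:
        lines.append(f"Source IP: {src_ip}")
        if enrichment and not is_internal(src_ip):  # reputation data only for external sources
            lines.append(f"VT Score: {enrichment['vt_malicious']}/{enrichment['vt_total']} malicious")
            lines.append(f"AbuseIPDB: {abuse_label(enrichment['abuseipdb_confidence'])}")
    if tier == "CRITICAL":
        lines.append("Action Required: Investigate immediately")
    return {"tier": tier, "notify": tier != "LOW", "create_ticket": tier != "LOW",
            "text": "\n".join(lines)}
```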

Results

  • Mean time to notify: under 2 minutes (previously 15 to 30 minutes with manual handling)
  • Analyst triage workload reduced by 60% through automated enrichment
  • Zero missed critical alerts since deployment
  • 100% of high-severity alerts auto-create JIRA tickets with pre-populated context
[Screenshot: Dashboard / Architecture diagram for SOC Automation Pipeline: n8n + Wazuh + Telegram Alerting]