Automate Wazuh Alert Triage and Reporting with GPT-4o-mini and Telegram

🚨Are alert storms overwhelming your Security Operations workflows?

This n8n workflow supercharges your SOC by fully automating triage, analysis, and notification for Wazuh alerts—blending event-driven automation, OpenAI-powered contextual analysis, and real-time collaboration for incident response.

🔑 Key Features:

✅ Automated Triage:

Instantly filters Wazuh alerts by severity to focus analyst effort on the signals that matter.

🤖 AI-Driven Investigation Reports:

Uses OpenAI's GPT-4o-mini to auto-generate context-rich incident reports, including:

• MITRE Tactic & Technique mapping
• Impacted scope (IP addresses, hostnames)
• External artifact reputation checks
• Actionable security recommendations
• Fully customizable prompt format aligned with your SOC playbooks

📡 Multi-Channel Notification

Delivers clean, actionable reports directly to your SOC team via Telegram. Easily extendable to Slack, Outlook, Gmail, Discord, or any other preferred channel.

🔇 Noise Reduction

Eliminates alert fatigue using smart filters and custom AI prompts that suppress false positives and highlight real threats.

🔧 Fully Customizable

Tweak severity thresholds, update prompt logic, or integrate additional data sources and channels — all with minimal effort

⚙️ How It Works

1. Webhook
   Listens for incoming Wazuh alerts in real time.

2. If Condition
   Filters based on severity (1 low, 2 medium, etc.) or other logic you define.

3. AI Investigation (LangChain + OpenAI)
   Summarizes full alert logs and context using custom prompts to generate:

   • Incident Overview
   • Key Indicators
   • Log Analysis
   • Threat Classification
   • Risk Assessment
   • Security Recommendations

4. Notification Delivery
   The report is parsed, cleaned, and sent to your SOC team in real-time, enabling rapid response — even during high-alert volumes.

5. No-Op Path
   Efficiently discards irrelevant alerts without breaking the flow.

🧠 Why n8n + AI?

Traditional alert triage is manual, slow, and error-prone — leading to analyst burnout and missed critical threats.

This workflow shows how combining workflow automation with a tailored AI model enables your SOC to shift from reactive to proactive. Analysts can now:

• Focus on critical investigations
• Respond to alerts faster
• Eliminate copy-paste fatigue
• Get instant contextual summaries

⚠️ Note: We learned that generic AI isn’t enough. Context-rich prompts and alignment with your actual SOC processes are key to meaningful, scalable automation.

🚀 Ready to build a smarter, less stressful SOC?

Clone this workflow, adapt it to your processes, and never miss a critical alert again.

📬 Contributions welcome!
Feel free to raise PRs, suggest new enhancements, or fork for your own use cases.

Created by Mariskarthick M
Senior Security Analyst | Detection Engineer | Threat Hunter | Open-Source Enthusiast