n8n Automation: Complete Guide to Building 200+ Workflow Templates#

Introduction#

n8n is a powerful, open-source workflow automation platform that combines traditional automation with modern AI capabilities. With over 400+ integrations and a visual workflow builder, n8n enables you to create sophisticated automations without extensive coding knowledge.

Why n8n Stands Out#

🌐 Self-Hosted: Complete data control and privacy
🔌 400+ Integrations: Connect virtually any service
🤖 AI-Native: Built-in AI capabilities with LLMs
🎨 Visual Workflow Builder: Intuitive drag-and-drop interface
💻 Code When Needed: JavaScript/Python support for complex logic
🔄 Real-time Execution: Instant workflow testing
📊 Advanced Data Processing: Transform and manipulate data easily
🚀 Scalable: From personal automation to enterprise workflows

Architecture Overview#

1
graph TB
2
    subgraph "n8n Workflow Architecture"
3
        T[Triggers] --> WE[Workflow Engine]
4
        WE --> N1[Node 1: Data Fetch]
5
        N1 --> N2[Node 2: AI Processing]
6
        N2 --> N3[Node 3: Transform]
7
        N3 --> N4[Node 4: Output]
8

9
        subgraph "Integrations"
10
            N1 --> API[APIs]
11
            N1 --> DB[Databases]
12
            N2 --> LLM[LLMs]
13
            N4 --> APPS[Apps]
14
        end
15

16
        subgraph "AI Stack"
17
            LLM --> GPT[GPT-4]
18
            LLM --> Claude[Claude 3]
19
            LLM --> HF[Hugging Face]
20
        end
21
    end

Core Concepts#

1. Nodes#

Building blocks of workflows that perform specific actions:

Trigger Nodes: Start workflows (webhooks, schedules, events)
Action Nodes: Perform operations (API calls, data processing)
Logic Nodes: Control flow (if/else, loops, merge)
AI Nodes: AI operations (chat, embeddings, vector stores)

2. Connections#

Data flows between nodes through connections, carrying:

JSON data structures
Binary data (files, images)
Error information
Execution metadata

3. Expressions#

Dynamic data access using JavaScript expressions:

1
// Access previous node data
2
{{ $json.customerName }}
3

4
// Transform data
5
{{ $json.price * 1.2 }}
6

7
// Complex logic
8
{{ $json.status === 'active' ? 'Process' : 'Skip' }}

Real-World Implementation: E-Commerce Order Processing#

Let’s build a complete e-commerce automation workflow:

Workflow Components#

1
name: E-Commerce Order Automation
2
trigger: Webhook (Shopify/WooCommerce)
3
nodes:
4
  - Order Validation
5
  - Inventory Check
6
  - Payment Processing
7
  - AI Customer Categorization
8
  - Email Notification
9
  - Shipping Integration
10
  - Analytics Update

Step-by-Step Implementation#

1. Webhook Trigger Setup#

1
{
2
  "webhook": {
3
    "path": "/orders/new",
4
    "method": "POST",
5
    "authentication": "Bearer Token"
6
  }
7
}

2. Order Validation Node#

1
// Custom JavaScript code in n8n
2
const order = $input.all()[0].json;
3

4
// Validate required fields
5
const requiredFields = ['email', 'items', 'shipping_address'];
6
const missingFields = requiredFields.filter(field => !order[field]);
7

8
if (missingFields.length > 0) {
9
  throw new Error(`Missing fields: ${missingFields.join(', ')}`);
10
}
11

12
// Validate items
13
const invalidItems = order.items.filter(item =>
14
  !item.sku || !item.quantity || item.quantity <= 0
15
);
16

17
if (invalidItems.length > 0) {
18
  throw new Error('Invalid items in order');
19
}
20

21
return {
22
  json: {
23
    ...order,
24
    validated: true,
25
    validatedAt: new Date().toISOString()
26
  }
27
};

3. AI Customer Categorization#

1
// Using GPT-4 to categorize customer
2
const prompt = `
3
Analyze this customer order and categorize them:
4
- Order Value: $${order.total}
5
- Items: ${order.items.length}
6
- Previous Orders: ${order.customerHistory.orderCount}
7
- Total Spent: $${order.customerHistory.totalSpent}
8

9
Categories: VIP, Regular, New, At-Risk
10
Provide reasoning and recommendations.
11
`;
12

13
// AI node configuration
14
{
15
  "model": "gpt-4",
16
  "temperature": 0.3,
17
  "maxTokens": 200
18
}

4. Dynamic Email Template#

1
<!-- Personalized email based on AI categorization -->
2
<html>
3
  <body>
4
    <h2>{{ $json.category === 'VIP' ? 'Thank you for being a valued customer!' : 'Thank you for your order!' }}</h2>
5

6
    <p>Hi {{ $json.customerName }},</p>
7

8
    <p>Your order #{{ $json.orderId }} has been confirmed.</p>
9

10
    {{ $json.category === 'VIP' ? '<p>As a VIP customer, enjoy free express shipping!</p>' : '' }}
11

12
    <h3>Order Details:</h3>
13
    <ul>
14
      {{ $json.items.map(item => `<li>${item.name} - Qty: ${item.quantity}</li>`).join('') }}
15
    </ul>
16

17
    <p>Total: ${{ $json.total }}</p>
18

19
    {{ $json.aiRecommendations ? `<h3>Recommended for you:</h3><p>${$json.aiRecommendations}</p>` : '' }}
20
  </body>
21
</html>

Advanced Patterns#

1. Error Handling & Retry Logic#

1
// Error handler node
2
try {
3
  // Main workflow logic
4
  const result = await processOrder($json);
5
  return { json: result };
6
} catch (error) {
7
  // Log to monitoring system
8
  await logError({
9
    workflow: 'order-processing',
10
    error: error.message,
11
    orderData: $json,
12
    timestamp: new Date()
13
  });
14

15
  // Retry logic
16
  if ($json.retryCount < 3) {
17
    return {
18
      json: {
19
        ...$json,
20
        retryCount: ($json.retryCount || 0) + 1,
21
        retry: true
22
      }
23
    };
24
  }
25

26
  // Send to dead letter queue
27
  throw error;
28
}

2. Parallel Processing#

1
Split Node:
2
  - Branch 1: Update Inventory
3
  - Branch 2: Process Payment
4
  - Branch 3: Generate Invoice
5
  - Branch 4: Notify Warehouse
6

7
Merge Node:
8
  - Wait for all branches
9
  - Combine results
10
  - Continue workflow

3. Conditional Routing#

1
// Router node logic
2
const routingRules = {
3
  'high-value': order => order.total > 1000,
4
  'international': order => order.shipping.country !== 'US',
5
  'express': order => order.shipping.type === 'express',
6
  'subscription': order => order.type === 'subscription'
7
};
8

9
const routes = Object.entries(routingRules)
10
  .filter(([key, rule]) => rule($json))
11
  .map(([key]) => key);
12

13
return {
14
  json: {
15
    ...$json,
16
    routes,
17
    primaryRoute: routes[0] || 'standard'
18
  }
19
};

Integration Examples#

1. CRM Integration (Salesforce/HubSpot)#

1
// Update customer record in CRM
2
const crmUpdate = {
3
  customerId: $json.customerId,
4
  lastOrderDate: new Date(),
5
  totalOrders: $json.customerHistory.orderCount + 1,
6
  lifetimeValue: $json.customerHistory.totalSpent + $json.total,
7
  category: $json.aiCategory,
8
  tags: ['active', $json.category.toLowerCase()],
9
  customFields: {
10
    preferredProducts: $json.frequentlyBought,
11
    communicationPreference: $json.emailPreference
12
  }
13
};

2. Analytics Pipeline#

1
// Send to data warehouse
2
const analyticsEvent = {
3
  eventType: 'order.completed',
4
  timestamp: Date.now(),
5
  userId: $json.customerId,
6
  properties: {
7
    orderId: $json.orderId,
8
    revenue: $json.total,
9
    products: $json.items.map(i => i.sku),
10
    category: $json.aiCategory,
11
    channel: $json.source,
12
    campaign: $json.utmParams
13
  },
14
  context: {
15
    ip: $json.ipAddress,
16
    userAgent: $json.userAgent,
17
    sessionId: $json.sessionId
18
  }
19
};
20

21
// Send to multiple analytics platforms
22
// Google Analytics, Mixpanel, Segment, etc.

3. Inventory Management#

1
// Real-time inventory update
2
const inventoryUpdates = $json.items.map(item => ({
3
  sku: item.sku,
4
  quantity: -item.quantity,
5
  warehouse: determineWarehouse($json.shipping.address),
6
  reservationId: $json.orderId,
7
  timestamp: new Date()
8
}));
9

10
// Check for low stock alerts
11
const lowStockItems = inventoryUpdates.filter(update => {
12
  const currentStock = getInventoryLevel(update.sku);
13
  return (currentStock + update.quantity) < REORDER_THRESHOLD;
14
});
15

16
if (lowStockItems.length > 0) {
17
  // Trigger reorder workflow
18
  return {
19
    json: {
20
      triggerReorder: true,
21
      items: lowStockItems
22
    }
23
  };
24
}

Performance Optimization#

1. Batch Processing#

1
// Batch multiple operations
2
const BATCH_SIZE = 100;
3
const items = $input.all();
4
const batches = [];
5

6
for (let i = 0; i < items.length; i += BATCH_SIZE) {
7
  batches.push(items.slice(i, i + BATCH_SIZE));
8
}
9

10
// Process batches in parallel
11
const results = await Promise.all(
12
  batches.map(batch => processBatch(batch))
13
);
14

15
return results.flat();

2. Caching Strategy#

1
// Implement caching for expensive operations
2
const cacheKey = `product_${$json.productId}`;
3
let productData = await getFromCache(cacheKey);
4

5
if (!productData) {
6
  productData = await fetchProductData($json.productId);
7
  await setCache(cacheKey, productData, 3600); // 1 hour TTL
8
}
9

10
return { json: productData };

3. Rate Limiting#

1
// Respect API rate limits
2
const RATE_LIMIT = 10; // requests per second
3
const delay = 1000 / RATE_LIMIT;
4

5
for (const item of $input.all()) {
6
  await processItem(item);
7
  await new Promise(resolve => setTimeout(resolve, delay));
8
}

Monitoring & Observability#

1. Workflow Metrics#

1
// Track workflow performance
2
const metrics = {
3
  workflowId: $workflow.id,
4
  executionId: $execution.id,
5
  startTime: $workflow.startTime,
6
  duration: Date.now() - $workflow.startTime,
7
  nodesExecuted: $workflow.nodesExecuted,
8
  status: 'success',
9
  itemsProcessed: $input.all().length
10
};
11

12
// Send to monitoring system
13
await sendToDatadog(metrics);

2. Error Tracking#

1
// Comprehensive error logging
2
const errorLog = {
3
  error: {
4
    message: error.message,
5
    stack: error.stack,
6
    code: error.code
7
  },
8
  workflow: {
9
    id: $workflow.id,
10
    name: $workflow.name,
11
    node: $node.name
12
  },
13
  input: $json,
14
  environment: $env.NODE_ENV,
15
  timestamp: new Date().toISOString()
16
};
17

18
// Send to error tracking service
19
await sendToSentry(errorLog);

Security Best Practices#

1. Credential Management#

1
// Use n8n's built-in credential system
2
// Never hardcode sensitive data
3
const apiKey = $credential.apiKey;
4
const dbConnection = $credential.database;

2. Input Validation#

1
// Sanitize and validate all inputs
2
const sanitizeInput = (input) => {
3
  // Remove potential SQL injection attempts
4
  const cleaned = input.replace(/[;'"\\]/g, '');
5

6
  // Validate against schema
7
  const schema = {
8
    type: 'object',
9
    properties: {
10
      email: { type: 'string', format: 'email' },
11
      amount: { type: 'number', minimum: 0 }
12
    },
13
    required: ['email', 'amount']
14
  };
15

16
  if (!validateSchema(cleaned, schema)) {
17
    throw new Error('Invalid input');
18
  }
19

20
  return cleaned;
21
};

3. Rate Limiting & Throttling#

1
// Implement rate limiting for webhooks
2
const rateLimiter = {
3
  windowMs: 60000, // 1 minute
4
  maxRequests: 100,
5
  identifier: $json.clientId || $json.ipAddress
6
};
7

8
if (!checkRateLimit(rateLimiter)) {
9
  throw new Error('Rate limit exceeded');
10
}

Deployment Strategies#

1. Docker Deployment#

1
# n8n with custom nodes
2
FROM n8nio/n8n:latest
3

4
# Install custom dependencies
5
RUN npm install custom-node-package
6

7
# Copy custom nodes
8
COPY ./custom-nodes /home/node/packages/nodes
9

10
# Environment configuration
11
ENV N8N_BASIC_AUTH_ACTIVE=true
12
ENV N8N_METRICS=true
13
ENV N8N_LOG_LEVEL=info
14

15
EXPOSE 5678

2. Kubernetes Deployment#

1
apiVersion: apps/v1
2
kind: Deployment
3
metadata:
4
  name: n8n-deployment
5
spec:
6
  replicas: 3
7
  selector:
8
    matchLabels:
9
      app: n8n
10
  template:
11
    metadata:
12
      labels:
13
        app: n8n
14
    spec:
15
      containers:
16
      - name: n8n
17
        image: n8nio/n8n:latest
18
        ports:
19
        - containerPort: 5678
20
        env:
21
        - name: N8N_WEBHOOK_URL
22
          value: "https://n8n.example.com"
23
        - name: DB_TYPE
24
          value: "postgresdb"
25
        volumeMounts:
26
        - name: n8n-data
27
          mountPath: /home/node/.n8n
28
      volumes:
29
      - name: n8n-data
30
        persistentVolumeClaim:
31
          claimName: n8n-pvc

Security Automation with MCP Integration#

n8n’s powerful workflow capabilities extend beautifully into security automation when integrated with Model Context Protocol (MCP) servers. This section demonstrates how to build AI-powered security operations using n8n workflows with Wazuh MCP Server integration.

What is MCP in Security Context?#

Model Context Protocol (MCP) enables natural language interactions with security tools. The Wazuh MCP Server bridges traditional SIEM capabilities with modern AI, allowing security workflows to be orchestrated through n8n with intelligent automation.

1
graph TB
2
    subgraph "n8n Security Automation Architecture"
3
        T[Security Triggers] --> N8N[n8n Workflow Engine]
4
        N8N --> MCP[Wazuh MCP Server]
5
        MCP --> W[Wazuh SIEM]
6
        MCP --> AI[AI/LLM Analysis]
7

8
        subgraph "Security Outputs"
9
            N8N --> ALERT[Alert Management]
10
            N8N --> RESP[Incident Response]
11
            N8N --> REP[Compliance Reports]
12
            N8N --> COMM[Communications]
13
        end
14

15
        subgraph "Integrations"
16
            N8N --> SLACK[Slack/Teams]
17
            N8N --> TICK[Ticketing Systems]
18
            N8N --> EMAIL[Email/SMS]
19
            N8N --> SOAR[SOAR Platforms]
20
        end
21
    end

Setting Up n8n with Wazuh MCP Server#

1. Custom MCP Node for n8n#

Create a custom n8n node to interact with Wazuh MCP Server:

1
import { IExecuteFunctions } from 'n8n-workflow';
2
import {
3
    INodeExecutionData,
4
    INodeType,
5
    INodeTypeDescription,
6
    IDataObject,
7
} from 'n8n-workflow';
8

9
export class WazuhMCP implements INodeType {
10
    description: INodeTypeDescription = {
11
        displayName: 'Wazuh MCP',
12
        name: 'wazuhMcp',
13
        group: ['security'],
14
        version: 1,
15
        description: 'Interact with Wazuh via MCP Server',
16
        defaults: {
17
            name: 'Wazuh MCP',
18
        },
19
        inputs: ['main'],
20
        outputs: ['main'],
21
        credentials: [
22
            {
23
                name: 'wazuhMcpApi',
24
                required: true,
25
            },
26
        ],
27
        properties: [
28
            {
29
                displayName: 'Operation',
30
                name: 'operation',
31
                type: 'options',
32
                options: [
33
                    {
34
                        name: 'Query with AI',
35
                        value: 'query',
36
                        description: 'Send natural language query to Wazuh via AI',
37
                    },
38
                    {
39
                        name: 'Get Agents',
40
                        value: 'getAgents',
41
                        description: 'Get list of Wazuh agents',
42
                    },
43
                    {
44
                        name: 'Analyze Threat',
45
                        value: 'analyzeThreat',
46
                        description: 'Analyze threat with AI assistance',
47
                    },
48
                    {
49
                        name: 'Generate Report',
50
                        value: 'generateReport',
51
                        description: 'Generate security report',
52
                    },
53
                ],
54
                default: 'query',
55
            },
56
            {
57
                displayName: 'Query',
58
                name: 'query',
59
                type: 'string',
60
                default: '',
61
                placeholder: 'Find all agents with suspicious activity',
62
                description: 'Natural language query for Wazuh',
63
                displayOptions: {
64
                    show: {
65
                        operation: ['query'],
66
                    },
67
                },
68
            },
69
            {
70
                displayName: 'Agent Filter',
71
                name: 'agentFilter',
72
                type: 'string',
73
                default: '',
74
                placeholder: 'status:active',
75
                description: 'Filter criteria for agents',
76
                displayOptions: {
77
                    show: {
78
                        operation: ['getAgents'],
79
                    },
80
                },
81
            },
82
        ],
83
    };
84

85
    async execute(this: IExecuteFunctions): Promise<INodeExecutionData[][]> {
86
        const items = this.getInputData();
87
        const returnData: IDataObject[] = [];
88

89
        for (let i = 0; i < items.length; i++) {
90
            const operation = this.getNodeParameter('operation', i) as string;
91
            const credentials = await this.getCredentials('wazuhMcpApi', i);
92

93
            let responseData: IDataObject = {};
94

95
            switch (operation) {
96
                case 'query':
97
                    const query = this.getNodeParameter('query', i) as string;
98
                    responseData = await this.queryWazuhMCP(credentials, query);
99
                    break;
100

101
                case 'getAgents':
102
                    const filter = this.getNodeParameter('agentFilter', i) as string;
103
                    responseData = await this.getAgents(credentials, filter);
104
                    break;
105

106
                case 'analyzeThreat':
107
                    const alertData = items[i].json;
108
                    responseData = await this.analyzeThreat(credentials, alertData);
109
                    break;
110

111
                default:
112
                    throw new Error(`Unknown operation: ${operation}`);
113
            }
114

115
            returnData.push(responseData);
116
        }
117

118
        return [this.helpers.returnJsonArray(returnData)];
119
    }
120

121
    private async queryWazuhMCP(credentials: IDataObject, query: string) {
122
        // Implementation for MCP query
123
        const response = await this.helpers.httpRequest({
124
            method: 'POST',
125
            url: `${credentials.url}/ai/query`,
126
            body: { query },
127
            headers: {
128
                'Authorization': `Bearer ${credentials.token}`,
129
                'Content-Type': 'application/json',
130
            },
131
        });
132

133
        return response;
134
    }
135

136
    private async getAgents(credentials: IDataObject, filter: string) {
137
        // Implementation for getting agents
138
        const response = await this.helpers.httpRequest({
139
            method: 'POST',
140
            url: `${credentials.url}/agents/list`,
141
            body: { filter },
142
            headers: {
143
                'Authorization': `Bearer ${credentials.token}`,
144
                'Content-Type': 'application/json',
145
            },
146
        });
147

148
        return response;
149
    }
150

151
    private async analyzeThreat(credentials: IDataObject, alertData: IDataObject) {
152
        // Implementation for threat analysis
153
        const response = await this.helpers.httpRequest({
154
            method: 'POST',
155
            url: `${credentials.url}/threats/analyze`,
156
            body: { alert: alertData },
157
            headers: {
158
                'Authorization': `Bearer ${credentials.token}`,
159
                'Content-Type': 'application/json',
160
            },
161
        });
162

163
        return response;
164
    }
165
}

Real-World Security Automation Workflows#

1. Intelligent Alert Triage Workflow#

1
{
2
  "name": "Intelligent Alert Triage",
3
  "nodes": [
4
    {
5
      "name": "Webhook Alert",
6
      "type": "n8n-nodes-base.webhook",
7
      "parameters": {
8
        "path": "/security/alert",
9
        "httpMethod": "POST"
10
      }
11
    },
12
    {
13
      "name": "Wazuh MCP Analysis",
14
      "type": "wazuhMcp",
15
      "parameters": {
16
        "operation": "analyzeThreat",
17
        "query": "Analyze this security alert and provide:\n1. Threat severity (1-10)\n2. MITRE ATT&CK classification\n3. Affected systems\n4. Recommended response actions\n5. Similar historical incidents"
18
      }
19
    },
20
    {
21
      "name": "Priority Router",
22
      "type": "n8n-nodes-base.if",
23
      "parameters": {
24
        "conditions": {
25
          "number": [
26
            {
27
              "value1": "={{ $json.severity }}",
28
              "operation": "larger",
29
              "value2": 7
30
            }
31
          ]
32
        }
33
      }
34
    },
35
    {
36
      "name": "Critical Alert Handler",
37
      "type": "n8n-nodes-base.function",
38
      "parameters": {
39
        "functionCode": "// Handle critical alerts\nconst alert = $input.all()[0].json;\n\n// Create incident ticket\nconst incident = {\n  title: `CRITICAL: ${alert.rule.description}`,\n  description: `AI Analysis: ${alert.aiAnalysis.summary}`,\n  priority: 'P1',\n  assignee: 'security-team',\n  labels: ['security', 'critical', alert.aiAnalysis.category]\n};\n\n// Escalate to management\nconst escalation = {\n  recipients: ['ciso@company.com', 'security-lead@company.com'],\n  subject: `Security Incident - ${alert.rule.description}`,\n  urgency: 'high'\n};\n\nreturn [{\n  json: {\n    alert,\n    incident,\n    escalation,\n    actions: ['create_ticket', 'notify_management', 'isolate_agent']\n  }\n}];"
40
      }
41
    },
42
    {
43
      "name": "Standard Alert Handler",
44
      "type": "n8n-nodes-base.function",
45
      "parameters": {
46
        "functionCode": "// Handle standard alerts\nconst alert = $input.all()[0].json;\n\n// Create standard ticket\nconst ticket = {\n  title: alert.rule.description,\n  description: `AI Analysis: ${alert.aiAnalysis.summary}`,\n  priority: alert.aiAnalysis.severity > 5 ? 'P2' : 'P3',\n  assignee: 'security-analyst',\n  labels: ['security', alert.aiAnalysis.category]\n};\n\nreturn [{\n  json: {\n    alert,\n    ticket,\n    actions: ['create_ticket', 'add_to_queue']\n  }\n}];"
47
      }
48
    }
49
  ]
50
}

2. Automated Incident Response Workflow#

1
{
2
  "name": "Automated Incident Response",
3
  "nodes": [
4
    {
5
      "name": "Critical Alert Trigger",
6
      "type": "n8n-nodes-base.webhook"
7
    },
8
    {
9
      "name": "AI Incident Analysis",
10
      "type": "wazuhMcp",
11
      "parameters": {
12
        "operation": "query",
13
        "query": "Perform comprehensive incident response analysis:\n1. Identify attack vector and timeline\n2. Map affected systems and data\n3. Assess lateral movement risk\n4. Generate containment strategy\n5. Create forensic preservation plan"
14
      }
15
    },
16
    {
17
      "name": "Auto-Containment Check",
18
      "type": "n8n-nodes-base.if",
19
      "parameters": {
20
        "conditions": {
21
          "boolean": [
22
            {
23
              "value1": "={{ $json.autoContainmentRecommended }}",
24
              "value2": true
25
            }
26
          ]
27
        }
28
      }
29
    },
30
    {
31
      "name": "Execute Containment",
32
      "type": "n8n-nodes-base.function",
33
      "parameters": {
34
        "functionCode": "// Execute automated containment\nconst incident = $input.all()[0].json;\n\nconst containmentActions = [];\n\n// Isolate affected agents\nif (incident.affectedAgents) {\n  for (const agent of incident.affectedAgents) {\n    containmentActions.push({\n      action: 'isolate_agent',\n      target: agent.id,\n      reason: 'Automated incident response'\n    });\n  }\n}\n\n// Block malicious IPs\nif (incident.maliciousIPs) {\n  for (const ip of incident.maliciousIPs) {\n    containmentActions.push({\n      action: 'block_ip',\n      target: ip,\n      duration: '24h'\n    });\n  }\n}\n\n// Kill malicious processes\nif (incident.maliciousProcesses) {\n  for (const process of incident.maliciousProcesses) {\n    containmentActions.push({\n      action: 'terminate_process',\n      agent: process.agent,\n      pid: process.pid\n    });\n  }\n}\n\nreturn [{\n  json: {\n    incident,\n    containmentActions,\n    timestamp: new Date().toISOString()\n  }\n}];"
35
      }
36
    },
37
    {
38
      "name": "Notify War Room",
39
      "type": "n8n-nodes-base.slack",
40
      "parameters": {
41
        "channel": "#security-war-room",
42
        "text": "🚨 SECURITY INCIDENT - Automated Response Initiated\\n\\n*Incident:* {{ $json.incident.summary }}\\n*Severity:* {{ $json.incident.severity }}/10\\n*Affected Systems:* {{ $json.incident.affectedAgents.length }}\\n*Containment Actions:* {{ $json.containmentActions.length }}\\n\\n*AI Analysis:*\\n{{ $json.incident.aiAnalysis }}\\n\\n*Next Steps:*\\n• War room activation\\n• Forensic investigation\\n• Stakeholder notification"
43
      }
44
    }
45
  ]
46
}

3. Compliance Monitoring Workflow#

1
{
2
  "name": "Daily Compliance Check",
3
  "nodes": [
4
    {
5
      "name": "Schedule Trigger",
6
      "type": "n8n-nodes-base.cron",
7
      "parameters": {
8
        "trigger": "0 6 * * *"
9
      }
10
    },
11
    {
12
      "name": "PCI DSS Compliance Check",
13
      "type": "wazuhMcp",
14
      "parameters": {
15
        "operation": "query",
16
        "query": "Perform PCI DSS compliance assessment:\n1. Check encryption status for cardholder data\n2. Validate access controls on payment systems\n3. Review firewall configurations\n4. Audit user access logs\n5. Generate compliance score and recommendations"
17
      }
18
    },
19
    {
20
      "name": "HIPAA Compliance Check",
21
      "type": "wazuhMcp",
22
      "parameters": {
23
        "operation": "query",
24
        "query": "Assess HIPAA compliance:\n1. PHI access monitoring\n2. Audit trail completeness\n3. Encryption verification\n4. User authentication validation\n5. Risk assessment update"
25
      }
26
    },
27
    {
28
      "name": "Generate Report",
29
      "type": "n8n-nodes-base.function",
30
      "parameters": {
31
        "functionCode": "// Compile compliance reports\nconst pci = $input.all()[0].json;\nconst hipaa = $input.all()[1].json;\n\nconst report = {\n  date: new Date().toISOString().split('T')[0],\n  frameworks: {\n    'PCI-DSS': {\n      score: pci.complianceScore,\n      status: pci.complianceScore >= 80 ? 'Compliant' : 'Non-Compliant',\n      gaps: pci.gaps || [],\n      recommendations: pci.recommendations || []\n    },\n    'HIPAA': {\n      score: hipaa.complianceScore,\n      status: hipaa.complianceScore >= 85 ? 'Compliant' : 'Non-Compliant',\n      gaps: hipaa.gaps || [],\n      recommendations: hipaa.recommendations || []\n    }\n  },\n  overallStatus: (pci.complianceScore >= 80 && hipaa.complianceScore >= 85) ? 'Compliant' : 'Action Required'\n};\n\nreturn [{ json: report }];"
32
      }
33
    },
34
    {
35
      "name": "Email Report",
36
      "type": "n8n-nodes-base.emailSend",
37
      "parameters": {
38
        "to": "compliance@company.com,ciso@company.com",
39
        "subject": "Daily Compliance Report - {{ $json.date }}",
40
        "html": "<h2>Daily Compliance Report</h2>\\n<p><strong>Date:</strong> {{ $json.date }}</p>\\n<p><strong>Overall Status:</strong> {{ $json.overallStatus }}</p>\\n\\n<h3>PCI DSS Compliance</h3>\\n<p><strong>Score:</strong> {{ $json.frameworks['PCI-DSS'].score }}%</p>\\n<p><strong>Status:</strong> {{ $json.frameworks['PCI-DSS'].status }}</p>\\n\\n<h3>HIPAA Compliance</h3>\\n<p><strong>Score:</strong> {{ $json.frameworks['HIPAA'].score }}%</p>\\n<p><strong>Status:</strong> {{ $json.frameworks['HIPAA'].status }}</p>\\n\\n{{ $json.overallStatus === 'Action Required' ? '<p style=\"color: red;\"><strong>Action Required:</strong> Review compliance gaps and implement recommendations.</p>' : '' }}"
41
      }
42
    }
43
  ]
44
}

4. Threat Hunting Automation#

1
{
2
  "name": "Continuous Threat Hunting",
3
  "nodes": [
4
    {
5
      "name": "Hourly Hunt Trigger",
6
      "type": "n8n-nodes-base.cron",
7
      "parameters": {
8
        "trigger": "0 * * * *"
9
      }
10
    },
11
    {
12
      "name": "AI Threat Hunt",
13
      "type": "wazuhMcp",
14
      "parameters": {
15
        "operation": "query",
16
        "query": "Execute threat hunting queries:\n1. Search for living-off-the-land techniques\n2. Identify anomalous network connections\n3. Hunt for privilege escalation attempts\n4. Detect lateral movement patterns\n5. Find data exfiltration indicators\n\nPrioritize findings by risk score and provide hunting recommendations."
17
      }
18
    },
19
    {
20
      "name": "Process Findings",
21
      "type": "n8n-nodes-base.function",
22
      "parameters": {
23
        "functionCode": "// Process threat hunting findings\nconst huntResults = $input.all()[0].json;\n\nconst findings = [];\n\n// Process each hunt result\nif (huntResults.findings && huntResults.findings.length > 0) {\n  for (const finding of huntResults.findings) {\n    if (finding.riskScore >= 7) {\n      findings.push({\n        type: 'threat',\n        severity: 'high',\n        finding: finding,\n        action: 'investigate',\n        assignee: 'threat-hunter-team'\n      });\n    } else if (finding.riskScore >= 4) {\n      findings.push({\n        type: 'suspicious',\n        severity: 'medium',\n        finding: finding,\n        action: 'monitor',\n        assignee: 'security-analyst'\n      });\n    }\n  }\n}\n\nreturn findings.length > 0 ? findings.map(f => ({ json: f })) : [{ json: { message: 'No significant findings' } }];"
24
      }
25
    },
26
    {
27
      "name": "Create Investigation Tasks",
28
      "type": "n8n-nodes-base.jira",
29
      "parameters": {
30
        "operation": "create",
31
        "project": "SEC",
32
        "issueType": "Task",
33
        "summary": "Threat Hunt Finding: {{ $json.finding.description }}",
34
        "description": "Risk Score: {{ $json.finding.riskScore }}/10\\n\\nDetails:\\n{{ $json.finding.details }}\\n\\nRecommended Actions:\\n{{ $json.finding.recommendations }}",
35
        "priority": "{{ $json.severity === 'high' ? 'High' : 'Medium' }}",
36
        "assignee": "{{ $json.assignee }}"
37
      }
38
    }
39
  ]
40
}

Advanced MCP Security Patterns#

1. Multi-Stage Security Analysis#

1
// n8n Function Node: Multi-stage analysis
2
const stages = [
3
  {
4
    name: 'initial_triage',
5
    query: 'Perform initial security event triage and classification'
6
  },
7
  {
8
    name: 'deep_analysis',
9
    query: 'Conduct deep forensic analysis of security event'
10
  },
11
  {
12
    name: 'threat_context',
13
    query: 'Provide threat intelligence context and attribution'
14
  },
15
  {
16
    name: 'response_plan',
17
    query: 'Generate comprehensive incident response plan'
18
  }
19
];
20

21
const results = [];
22

23
for (const stage of stages) {
24
  const response = await this.helpers.httpRequest({
25
    method: 'POST',
26
    url: `${$credential.wazuhMcpApi.url}/ai/query`,
27
    body: {
28
      query: stage.query,
29
      context: results.length > 0 ? results : undefined
30
    },
31
    headers: {
32
      'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
33
      'Content-Type': 'application/json',
34
    },
35
  });
36

37
  results.push({
38
    stage: stage.name,
39
    result: response,
40
    timestamp: new Date().toISOString()
41
  });
42
}
43

44
return [{ json: { analysis: results, final_recommendation: results[results.length - 1] } }];

2. Collaborative Security Workflows#

1
// n8n Function Node: Multi-agent security collaboration
2
const securityAgents = [
3
  {
4
    role: 'threat_hunter',
5
    query: 'Hunt for advanced persistent threats in the environment'
6
  },
7
  {
8
    role: 'incident_responder',
9
    query: 'Provide incident response recommendations'
10
  },
11
  {
12
    role: 'forensic_analyst',
13
    query: 'Conduct forensic analysis of security artifacts'
14
  },
15
  {
16
    role: 'compliance_auditor',
17
    query: 'Assess compliance implications of security event'
18
  }
19
];
20

21
const collaborationResults = [];
22

23
// Execute agents in parallel
24
const promises = securityAgents.map(async (agent) => {
25
  const response = await this.helpers.httpRequest({
26
    method: 'POST',
27
    url: `${$credential.wazuhMcpApi.url}/agents/${agent.role}/analyze`,
28
    body: {
29
      query: agent.query,
30
      alert: $json.securityAlert
31
    },
32
    headers: {
33
      'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
34
      'Content-Type': 'application/json',
35
    },
36
  });
37

38
  return {
39
    agent: agent.role,
40
    analysis: response,
41
    timestamp: new Date().toISOString()
42
  };
43
});
44

45
const results = await Promise.all(promises);
46

47
// Synthesize findings
48
const synthesis = await this.helpers.httpRequest({
49
  method: 'POST',
50
  url: `${$credential.wazuhMcpApi.url}/ai/synthesize`,
51
  body: {
52
    query: 'Synthesize multi-agent security analysis into unified recommendations',
53
    agentResults: results
54
  },
55
  headers: {
56
    'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
57
    'Content-Type': 'application/json',
58
  },
59
});
60

61
return [{ json: { agentResults: results, synthesis } }];

3. Adaptive Security Workflows#

1
// n8n Function Node: Adaptive workflow based on threat intelligence
2
const alertData = $json;
3

4
// Get current threat landscape
5
const threatContext = await this.helpers.httpRequest({
6
  method: 'POST',
7
  url: `${$credential.wazuhMcpApi.url}/threat-intel/context`,
8
  body: { alert: alertData },
9
  headers: {
10
    'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
11
    'Content-Type': 'application/json',
12
  },
13
});
14

15
// Adapt workflow based on context
16
let workflowPath = 'standard';
17

18
if (threatContext.activeCampaign) {
19
  workflowPath = 'campaign_response';
20
} else if (threatContext.criticalVulnerability) {
21
  workflowPath = 'vulnerability_response';
22
} else if (threatContext.insiderThreat) {
23
  workflowPath = 'insider_investigation';
24
}
25

26
// Execute adaptive analysis
27
const adaptiveQuery = {
28
  'standard': 'Perform standard security analysis',
29
  'campaign_response': 'Analyze in context of active threat campaign',
30
  'vulnerability_response': 'Focus on vulnerability exploitation patterns',
31
  'insider_investigation': 'Investigate potential insider threat activity'
32
}[workflowPath];
33

34
const analysis = await this.helpers.httpRequest({
35
  method: 'POST',
36
  url: `${$credential.wazuhMcpApi.url}/ai/analyze`,
37
  body: {
38
    query: adaptiveQuery,
39
    alert: alertData,
40
    context: threatContext
41
  },
42
  headers: {
43
    'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
44
    'Content-Type': 'application/json',
45
  },
46
});
47

48
return [{
49
  json: {
50
    workflowPath,
51
    threatContext,
52
    analysis,
53
    adaptiveRecommendations: analysis.recommendations
54
  }
55
}];

Performance and Scaling#

1. Batch Processing for High-Volume Alerts#

1
// n8n Function Node: Batch alert processing
2
const BATCH_SIZE = 50;
3
const alerts = $input.all();
4
const batches = [];
5

6
// Create batches
7
for (let i = 0; i < alerts.length; i += BATCH_SIZE) {
8
  batches.push(alerts.slice(i, i + BATCH_SIZE));
9
}
10

11
// Process batches in parallel
12
const processPromises = batches.map(async (batch, index) => {
13
  const batchAnalysis = await this.helpers.httpRequest({
14
    method: 'POST',
15
    url: `${$credential.wazuhMcpApi.url}/ai/batch-analyze`,
16
    body: {
17
      alerts: batch.map(item => item.json),
18
      batchId: index
19
    },
20
    headers: {
21
      'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
22
      'Content-Type': 'application/json',
23
    },
24
  });
25

26
  return batchAnalysis;
27
});
28

29
const batchResults = await Promise.all(processPromises);
30

31
// Combine results
32
const combinedResults = batchResults.flat();
33

34
return combinedResults.map(result => ({ json: result }));

2. Intelligent Caching#

1
// n8n Function Node: Intelligent caching for frequent queries
2
const cacheKey = `mcp_analysis_${$json.ruleId}_${$json.agentId}`;
3
const cacheTTL = 300; // 5 minutes
4

5
// Check cache first
6
let cachedResult = await this.helpers.httpRequest({
7
  method: 'GET',
8
  url: `${$credential.redis.url}/get/${cacheKey}`,
9
  headers: { 'Authorization': `Bearer ${$credential.redis.token}` },
10
});
11

12
if (cachedResult && cachedResult.value) {
13
  // Return cached result
14
  return [{ json: JSON.parse(cachedResult.value) }];
15
}
16

17
// No cache hit, query MCP
18
const mcpResult = await this.helpers.httpRequest({
19
  method: 'POST',
20
  url: `${$credential.wazuhMcpApi.url}/ai/query`,
21
  body: {
22
    query: $json.query,
23
    alert: $json.alert
24
  },
25
  headers: {
26
    'Authorization': `Bearer ${$credential.wazuhMcpApi.token}`,
27
    'Content-Type': 'application/json',
28
  },
29
});
30

31
// Cache the result
32
await this.helpers.httpRequest({
33
  method: 'POST',
34
  url: `${$credential.redis.url}/set`,
35
  body: {
36
    key: cacheKey,
37
    value: JSON.stringify(mcpResult),
38
    ttl: cacheTTL
39
  },
40
  headers: {
41
    'Authorization': `Bearer ${$credential.redis.token}`,
42
    'Content-Type': 'application/json',
43
  },
44
});
45

46
return [{ json: mcpResult }];

Conclusion#

n8n provides a powerful platform for building sophisticated automation workflows that combine traditional integration patterns with modern AI capabilities. By leveraging its 400+ integrations, visual workflow builder, and flexible architecture, you can automate complex business processes while maintaining full control over your data and logic.

The combination of no-code simplicity and code-level flexibility makes n8n ideal for teams ranging from small startups to large enterprises, enabling them to build, deploy, and scale automation workflows that drive real business value.