AI SOC Analyst L1 - For Wazuh SIEM + Guide
You get 200–400 Wazuh alerts a day. One is a real attack. This n8n workflow finds it — automatically, in ~7 seconds per alert, while you drink your coffee.
Manual triage doesn't scale. The same five scanner IPs, the same "failed password for invalid user" noise, and, buried on page 7, the brute force that actually became a reverse shell. Copy-pasting IPs into VirusTotal at midnight is not a security program.
This is. Import one n8n workflow, point Wazuh at the webhook, and every level 12+ alert becomes a structured, MITRE-mapped incident report — enriched, scored, and (optionally) auto-contained. No human in the loop unless action is required.
How it works
The moment Wazuh fires, the workflow enriches the IP with VirusTotal + AbuseIPDB, pulls the 12 most relevant events from your Wazuh Indexer for context, and hands it all to a local LLM (Ollama — your data never leaves your network).
Out comes a clean report: attack type, severity, MITRE technique, and containment steps. If the threat score clears your threshold and the IP isn't whitelisted, it can block the attacker via Wazuh active-response — behind a dry-run switch that ships ON.
What's inside
- One CONFIGURATION node — every setting in one place (keys, thresholds, whitelist, channel, dry-run). No hunting through 30 nodes.
- Dual threat intel fused into a single 0–100 Combined Threat Score
- Wazuh Indexer context — field-filtered to ~3 KB, so the AI sees the pattern, not noise
- AI incident reports — consistent, MITRE-mapped, written in 5 seconds
- 5 notification channels — Discord, Slack, Telegram, SMTP email, and a polished HTML email with a severity-colored header
- Auto-block with 4 safety gates + dry-run mode — it won't touch a firewall until all four say yes
- Guardrails — dedup/cooldown (no notification floods) and input sanitization (no weaponized alerts)
- TheHive case creation + Google Sheets incident log (toggle on/off)
- Error-alert circuit — any node failure pings you with the details
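The scoring and containment gating described in "How it works" and in the list above, as an added example written in the style of an n8n Code node (not the listing's own workflow code): the fusion weights, the four gate names, the CIDR whitelist format and the CONFIG values are all assumptions, since the listing does not spell them out.

```javascript
// Constructed example of a containment gate for one Wazuh alert.
// The fusion formula, gate set and CONFIG values are assumptions, not the product's own.
const CONFIG = {
  minLevel: 12,                 // only level 12+ alerts are triaged
  blockThreshold: 70,           // combined score needed before containment (assumed)
  whitelist: ['192.168.1.50', '10.0.0.0/8'],
  cooldownMs: 60 * 60 * 1000,   // dedup/cooldown window per source IP (assumed)
  dryRun: true,                 // ships ON: report the decision, never call active-response
};

// Assumed fusion: VirusTotal malicious-vendor ratio (scaled to 0-100) and the
// AbuseIPDB confidence score (already 0-100) are averaged into one 0-100 score.
function combinedThreatScore(vt, abuse) {
  const vtScore = vt.total > 0 ? (vt.malicious / vt.total) * 100 : 0;
  const fused = Math.round((vtScore + abuse.abuseConfidenceScore) / 2);
  return Math.max(0, Math.min(100, fused));
}

function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// Exact-IP or CIDR match against the whitelist (IPv4 only in this example).
function isWhitelisted(ip) {
  return CONFIG.whitelist.some((entry) => {
    const [net, bits = '32'] = entry.split('/');
    const hostBits = 2 ** (32 - Number(bits));
    return Math.floor(ipToInt(ip) / hostBits) === Math.floor(ipToInt(net) / hostBits);
  });
}

// All four gates must pass before a block is considered; dry-run then decides
// whether the block is executed or only reported in the incident notification.
function containmentDecision(alert, vt, abuse, lastBlockedAt, now = Date.now()) {
  const score = combinedThreatScore(vt, abuse);
  const ip = alert.srcip;
  const gates = {
    levelOk: alert.rule.level >= CONFIG.minLevel,
    scoreOk: score >= CONFIG.blockThreshold,
    notWhitelisted: !isWhitelisted(ip),
    cooldownClear: lastBlockedAt[ip] === undefined || now - lastBlockedAt[ip] > CONFIG.cooldownMs,
  };
  const shouldBlock = Object.values(gates).every(Boolean);
  const action = !shouldBlock ? 'none' : CONFIG.dryRun ? 'dry-run' : 'block';
  return { ip, score, gates, action };
}
```

In a real workflow the `lastBlockedAt` map would live in workflow static data or an external store so the cooldown survives across executions.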
Who it's for
- Solo defenders drowning in alerts
- Small SOC teams (1–5) killing tier-1 toil
- MSSPs needing consistent response across clients
- Engineers who built Wazuh but never wired up automated response
Not a managed SaaS — a self-hosted workflow you own and audit. Every decision is a node you can inspect.
Run it tonight
Import the JSON, fill in the CONFIGURATION node, point your Wazuh integrator at the webhook. Watch your first AI-triaged report land in your channel.
30-day refund — but reach out first; most issues are a one-line config fix.