Incident Classifier β Tag Alert Severity with GPT and Trigger Actions
π€ Who itβs for
Blue Team leads, SOC analysts, and IT responders looking to automatically classify security alerts using AI-driven logic and asset-based risk signals.
Ideal for teams already scoring threats via CyberScan or BlueOps Module 3, and needing to prioritize next steps across Monitor / Investigate / Isolate / Escalate playbooks.
βοΈ How it works / What it does
- Reads recent endpoint alerts from Google Sheets
- Sends alert data (hostname, IP, risk score) to OpenAI GPT model
- GPT returns structured JSON with:
- severity tag (Low / Medium / High / Critical)
- action recommendation (Monitor / Investigate / Isolate / Escalate)
- Logs the full result to a centralized incident sheet
- Can be expanded to trigger automated EDR actions or email alerts
π οΈ How to set up
- Insert OpenAI API Key
- Replace placeholder with your actual OpenAI secret in the HTTP Request node
- Connect Sheets
- Use your OAuth2 credentials to access the alerts input + classified log sheet
- Tune GPT Prompt
- Adjust language or risk thresholds inside the π§ Classify Incident (GPT) node
- Automation
- Add a Cron node or Webhook to run every X minutes/hours
π Requirements
- OpenAI API key (GPT-4 or GPT-3.5 supported)
- Google Sheets (or similar DB with alerts)
- n8n credentials for Sheets access
- Optional: Connected playbook actions or EDR endpoint logic
π§© How to customize the workflow
- Swap GPT with Claude, Gemini, or local LLM via API
- Replace Google Sheets with Supabase or Airtable
- Add a playbook router for Notify / Isolate logic
- Integrate email or ticketing notification step
π¦ This is a production-grade, AI-powered classification engine.
All inputs and tags are configurable. Safe placeholders are marked clearly.
π This module is part of the CYBERPULSEBlueOps Pro automation suite.
Explore the full set at π cyberpulsesolutions.com/blueops