AI SOC Analyst L1 - For Wazuh SIEM
tools · $26.24 (was $34.99, −25%)
You get 200–400 Wazuh alerts a day. One is a real attack. This n8n workflow finds it — automatically, in ~7 seconds per alert, while you drink your coffee.

Manual triage doesn't scale. The same five scanner IPs, the same "failed password for invalid user" lines, and, buried on page 7, the brute-force that actually became a reverse shell. Copy-pasting IPs into VirusTotal at midnight is not a security program. This is.

Import one n8n workflow, point Wazuh at the webhook, and every level 12+ alert becomes a structured, MITRE-mapped incident report — enriched, scored, and (optionally) auto-contained. No human in the loop unless action is required.

How it works

The moment Wazuh fires, the workflow enriches the source IP with VirusTotal and AbuseIPDB, pulls the 12 most relevant events from your Wazuh Indexer for context, and hands it all to a local LLM (Ollama — your data never leaves your network). Out comes a clean report: attack type, severity, MITRE technique, and containment steps. If the threat score clears your threshold and the IP isn't whitelisted, it can block the attacker via Wazuh active-response — behind a dry-run switch that ships ON.

What's inside

- One CONFIGURATION node — every setting in…
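The containment gate described under "How it works" (score threshold, whitelist, dry-run that defaults to ON) is the part worth getting right before any auto-block goes live. The following is an added illustration of that decision logic, not the workflow's own code: the enrichment fields, score weights and whitelist networks are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


# Constructed enrichment record: what a VirusTotal / AbuseIPDB lookup and an
# Indexer query would yield for one alert. Field names are this example's own.
@dataclass
class Enrichment:
    src_ip: str
    rule_level: int        # Wazuh rule level of the triggering alert
    vt_malicious: int      # VirusTotal engines that flag the IP
    abuse_confidence: int  # AbuseIPDB abuse confidence, 0-100
    related_events: int    # matching events pulled from the Wazuh Indexer


# Networks that must never be auto-blocked (constructed values).
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def threat_score(e: Enrichment) -> int:
    """Combine the three enrichment signals into a 0-100 score (weights are assumptions)."""
    vt = min(e.vt_malicious, 10) * 5          # up to 50
    abuse = e.abuse_confidence * 0.3          # up to 30
    context = min(e.related_events, 10) * 2   # up to 20
    return int(vt + abuse + context)


def decide(e: Enrichment, threshold: int = 70, min_level: int = 12,
           dry_run: bool = True) -> dict:
    """Return the action the pipeline would take for one enriched alert.
    dry_run defaults to True, mirroring a dry-run switch that ships ON."""
    score = threat_score(e)
    result = {"src_ip": e.src_ip, "score": score}
    if e.rule_level < min_level:
        return {**result, "action": "ignore", "reason": "below level threshold"}
    # Whitelisted sources still get a report; they are only exempt from blocking.
    if any(ipaddress.ip_address(e.src_ip) in net for net in WHITELIST):
        return {**result, "action": "report", "reason": "whitelisted"}
    if score < threshold:
        return {**result, "action": "report", "reason": "below score threshold"}
    if dry_run:
        return {**result, "action": "would-block", "reason": "dry-run"}
    return {**result, "action": "block", "reason": "score >= threshold"}


if __name__ == "__main__":
    # Constructed sample: brute-force source with bad reputation and 12 related events.
    alert = Enrichment("203.0.113.7", 12, 8, 95, 12)
    print(decide(alert))                  # action: would-block (dry-run)
    print(decide(alert, dry_run=False))   # action: block
```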