使用Wazuh、ClamAV和GPT-4自动修复终端感染
中级
这是一个SecOps, AI Summarization领域的自动化工作流,包含 9 个节点。主要使用 If, Ssh, Webhook, Telegram, Agent 等节点。 使用Wazuh、ClamAV和GPT-4自动修复终端感染
前置要求
- •HTTP Webhook 端点(n8n 会自动生成)
- •Telegram Bot Token
- •OpenAI API Key
工作流预览
可视化展示节点连接关系,支持缩放和平移
导出工作流
复制以下 JSON 配置到 n8n 导入,即可使用此工作流
{
"meta": {
"instanceId": "04efa85563ff59ae71f7bc1e4ed9a086a69f4130298a28a588ae58f08407702b",
"templateCredsSetupCompleted": true
},
"nodes": [
{
"id": "fb1f79ac-2b5a-4bac-8f49-9d4938ea8c9b",
"name": "Wazuh告警",
"type": "n8n-nodes-base.webhook",
"position": [
-640,
-112
],
"webhookId": "de0c6d77-ae71-4d78-9f10-502eaa851ce8",
"parameters": {
"path": "de0c6d77-ae71-4d78-9f10-502eaa851ce8",
"options": {
"rawBody": true
},
"httpMethod": "POST"
},
"typeVersion": 2
},
{
"id": "961ed6cb-a6b7-401f-a2b5-aaadf91ab4f1",
"name": "无操作,不执行任何操作",
"type": "n8n-nodes-base.noOp",
"position": [
-112,
32
],
"parameters": {},
"typeVersion": 1
},
{
"id": "6ed0c622-e956-46da-87bb-82d96548f108",
"name": "OpenAI 聊天模型",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
-96,
-144
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {}
},
"credentials": {
"openAiApi": {
"id": "Qf3yZKrzzR0LSOXm",
"name": "OpenAi account"
}
},
"typeVersion": 1.2
},
{
"id": "84cfeaa8-db3b-48be-a89d-fd2f9a3d66ec",
"name": "OpenAI 聊天模型1",
"type": "@n8n/n8n-nodes-langchain.lmChatOpenAi",
"position": [
304,
-48
],
"parameters": {
"model": {
"__rl": true,
"mode": "list",
"value": "gpt-4.1-mini"
},
"options": {}
},
"credentials": {
"openAiApi": {
"id": "Qf3yZKrzzR0LSOXm",
"name": "OpenAi account"
}
},
"typeVersion": 1.2
},
{
"id": "b8e61b73-87fd-4511-9514-03135d34c348",
"name": "检查高严重性",
"type": "n8n-nodes-base.if",
"position": [
-416,
-112
],
"parameters": {
"options": {
"ignoreCase": true
},
"conditions": {
"options": {
"version": 2,
"leftValue": "",
"caseSensitive": false,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"id": "0c8dba85-ab11-4ef9-9049-d3ad934976ef",
"operator": {
"name": "filter.operator.equals",
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.body.severity }}",
"rightValue": "3 high"
},
{
"id": "2a4587f8-ccae-435c-8c67-1606811538a2",
"operator": {
"name": "filter.operator.equals",
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.body.rule_id }}",
"rightValue": "=52502"
}
]
}
},
"typeVersion": 2.2
},
{
"id": "cad813f2-fb68-4e31-a85c-5732f11f4f96",
"name": "汇总告警",
"type": "@n8n/n8n-nodes-langchain.chainSummarization",
"position": [
-192,
-368
],
"parameters": {
"options": {
"summarizationMethodAndPrompts": {
"values": {
"prompt": "Write a detailed concise summary of the following as a Senior soc analyst:\n\n\n\"{text}\"\n\n\nCONCISE SUMMARY:",
"combineMapPrompt": "=You are the Wazuh AI Assistant created by Mariskarthick. \n\nYou should act as a Senior experienced SOC Analyst\n\nYour main purpose is to run the ClamAV if wazuh siem detected a ClamAV: Virus detected alert. you have full access to the all the machines via ssh and initate a CLAM AV scan using this command sudo clamscan -r \"mention the path where the virus is detected\" --bell -i\n\nfor example: sudo clamscan -r /test --bell -i\n\nonce the scanning is done, consolidate the output of the scan and initiate a msg to stateholder via shadowArk telegram trigger\n\nyou can refer the below details:\n Wazuh detected alert Name: {{ $json.body.title }}\nFull log: {{ $json.body.text }}\n"
}
}
}
},
"typeVersion": 2.1
},
{
"id": "3c6645a6-3d16-48ec-8f35-a850244c3536",
"name": "提取路径",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
208,
-256
],
"parameters": {
"text": "={{ $json.output.text }}\n\nYou are the wazuh AI Assistant. your primary task is to understand the abive mentioend text and extract the path where the virus got detected on the below format:\n\nExamle: \n\ntext:\nA high-severity WAZUH alert was triggered on July 30, 2025, indicating ClamAV detected the EICAR test virus (EICAR.TEST.3.UNOFFICIAL) in the file `/test/eicar.com` on the host `shadowark`. The detection was logged by the ClamAV daemon (clamd) and confirmed repeatedly at 13:44:27, involving components such as freshclam and journald. The alert originated from IP `122.178.166.190` accessing `3aad845638746618f1a5187d93674f5f.n8n.selfmade.codes` via HTTPS.\n\noutput required:\n/test/eicar.com",
"options": {},
"promptType": "define"
},
"typeVersion": 2.1
},
{
"id": "f44a9bc0-46d4-45c3-aaaa-3bf2eb567578",
"name": "运行杀毒扫描",
"type": "n8n-nodes-base.ssh",
"position": [
608,
-256
],
"parameters": {
"command": "=clamscan -r {{ $json.output }} --bell -i"
},
"credentials": {
"sshPassword": {
"id": "ounO8RvAyII5YqON",
"name": "Wazuh_Manager"
}
},
"typeVersion": 1
},
{
"id": "8858c573-ad0b-4f14-8a19-993a93f6d8ca",
"name": "通过Telegram通知利益相关者",
"type": "n8n-nodes-base.telegram",
"position": [
816,
-272
],
"webhookId": "4f1045ae-5d81-46fc-b0ae-7146529a9700",
"parameters": {
"text": "=Notification: \n\n{{ $('Summarize Alert').item.json.output.text }}\n\n\nFollowed by the above activity, the scanning has been initiated and completed successfully. please find the below details.\n\n{{ $json.stdout }}\n\nThank you!\nMariskarthick M",
"chatId": "831690003",
"additionalFields": {}
},
"credentials": {
"telegramApi": {
"id": "kb3ymxZjowjLNhLb",
"name": "Shadowark AI"
}
},
"typeVersion": 1.2
}
],
"pinData": {},
"connections": {
"Run AV Scan": {
"main": [
[
{
"node": "Notify Stateholders via Telegram",
"type": "main",
"index": 0
}
]
]
},
"Wazuh Alert": {
"main": [
[
{
"node": "Check High Severity",
"type": "main",
"index": 0
}
]
]
},
"Extract Path": {
"main": [
[
{
"node": "Run AV Scan",
"type": "main",
"index": 0
}
]
]
},
"Summarize Alert": {
"main": [
[
{
"node": "Extract Path",
"type": "main",
"index": 0
}
]
]
},
"OpenAI Chat Model": {
"ai_languageModel": [
[
{
"node": "Summarize Alert",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"OpenAI Chat Model1": {
"ai_languageModel": [
[
{
"node": "Extract Path",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Check High Severity": {
"main": [
[
{
"node": "Summarize Alert",
"type": "main",
"index": 0
}
],
[
{
"node": "No Operation, do nothing",
"type": "main",
"index": 0
}
]
]
}
}
}常见问题
如何使用这个工作流?
复制上方的 JSON 配置代码,在您的 n8n 实例中创建新工作流并选择「从 JSON 导入」,粘贴配置后根据需要修改凭证设置即可。
这个工作流适合什么场景?
中级 - 安全运维, AI 摘要总结
需要付费吗?
本工作流完全免费,您可以直接导入使用。但请注意,工作流中使用的第三方服务(如 OpenAI API)可能需要您自行付费。
相关工作流推荐
Wazuh_Alert_Investigation 副本
使用 GPT-4o-mini 和 Telegram 自动化 Wazuh 告警分诊和报告
If
Webhook
Telegram
+3
6 节点mariskarthick
安全运维
Wazuh RuleOpsX – 自动验证、部署与提升检测能力
使用GitHub、XML验证和Telegram警报自动部署Wazuh规则管道
If
Ssh
Code
+4
14 节点mariskarthick
安全运维
AI安防SOPHOS
使用Sophos、Gemini AI和VirusTotal的自动化安全警报分析
If
Code
Webhook
+5
9 节点Rizky Febriyan
安全运维
网络安全助手:GPT-4、Telegram机器人及命令执行
集成GPT-4、Telegram机器人和命令执行功能的网络安全助手
Telegram
Telegram Tool
Agent
+7
13 节点mariskarthick
安全运维
AI招聘官 - 多简历分析器
使用OpenAI GPT分析多份简历与职位描述的匹配度
If
Code
Webhook
+7
18 节点Ms. Phuong Nguyen (phuongntn)
人力资源
使用 AI 和 Gmail 自动更新 YNAB 中的亚马逊交易备注
使用 AI 和 Gmail 自动更新 YNAB 中的亚马逊交易备注
If
Set
Wait
+13
30 节点Angel Menendez
文档提取
工作流信息
难度等级
中级
节点数量9
分类2
节点类型8
作者
mariskarthick
@mariskarthickAn Opensource Enthusiast specializing in detection engineering, threat hunting, and automating security operations to accelerate threat detection and response.
外部链接
在 n8n.io 查看 →
分享此工作流