AI Cybersecurity Incident Responder & MITRE ATT&CK Analyst Agent

Version: 1.0.0 | Last Updated: 2025-05-16

Integrates with:

OpenAI, Qdrant, Zendesk, Google Drive, Langchain

Overview

Unlock Advanced Cybersecurity Insights with this AI Agent

This n8n workflow acts as a powerful AI-driven cybersecurity assistant. It's designed to significantly streamline your Security Operations (SecOps) by automatically processing security alerts (e.g., from Zendesk tickets or adaptable to SIEM systems), enriching them using the comprehensive MITRE ATT&CK framework stored in a Qdrant vector database, and generating actionable insights. The agent delivers TTPs (Tactics, Techniques, and Procedures), specific remediation steps, and relevant historical context. Furthermore, it includes a chat interface, allowing your team to interactively query the MITRE ATT&CK knowledge base for deeper investigations.

This AI Agent is composed of three key functionalities:

  1. Data Ingestion: A flow to populate your Qdrant vector store with MITRE ATT&CK data (or other relevant security knowledge bases).
  2. Automated Alert Enrichment: A flow that processes incoming alerts (e.g., Zendesk tickets), uses an AI agent to analyze them against the MITRE ATT&CK data in Qdrant, and updates the alert/ticket with structured findings and remediation advice.
  3. Interactive Chat: A chat-triggered AI agent that allows users to ask natural language questions about cybersecurity threats and receive contextual answers sourced from the MITRE ATT&CK data in Qdrant.

Key Features & Benefits

  • AI-Driven Alert Enrichment: Leverages OpenAI's GPT-4o and text-embedding-3-large models to analyze alerts, map them to MITRE ATT&CK TTPs, and provide deep contextual understanding.
  • Automated Incident Response Guidance: Generates structured, actionable remediation steps tailored to each specific alert, reducing manual research and response time.
  • Deep MITRE ATT&CK Integration: Ingests and utilizes MITRE ATT&CK data for comprehensive threat context, enabling more informed security decisions.
  • Vector Store Powered by Qdrant: Employs Qdrant for efficient, scalable similarity searches across your security knowledge base, ensuring rapid information retrieval.
  • Interactive Chat Interface: Empowers security analysts to directly query the MITRE ATT&CK framework and other embedded knowledge using natural language, facilitating faster investigations and learning.
  • Zendesk Integration (Adaptable): Comes with a ready-to-use Zendesk integration to automatically update tickets with AI-generated analysis. Easily adaptable to other ticketing systems, SIEMs, or alert sources.
  • Structured & Actionable Output: Delivers analysis in a consistent, structured format (HTML for tickets, JSON for backend processing), making it easy to use and integrate into existing SecOps workflows.
  • Customizable Knowledge Base: While pre-configured for MITRE ATT&CK, the data ingestion flow can be adapted to include your own internal security documentation or other threat intelligence feeds.

Use Cases

  • Automating Level 1 security alert triage and initial investigation.
  • Enriching SIEM alerts or helpdesk tickets with detailed MITRE ATT&CK threat intelligence.
  • Providing security analysts with instant access to TTPs, remediation guidance, and attack patterns.
  • Building a custom, interactive knowledge base for your security team from MITRE ATT&CK and other sources.
  • Significantly reducing manual research time for incident responders and SOC analysts.
  • Standardizing incident response documentation with consistent, AI-generated reports.
  • Onboarding new security team members by providing an easy way to query and learn from established frameworks.

Prerequisites

  • An n8n instance (Cloud or self-hosted).
  • OpenAI API Key with access to a GPT-4 model (e.g., gpt-4o) and embedding models (e.g., text-embedding-3-large).
  • Qdrant instance (Cloud or self-hosted) and API credentials. Ensure the Qdrant collection is configured for the correct embedding dimensions (e.g., 1536 for text-embedding-3-large).
  • Google Drive credentials (if using the provided MITRE data ingestion flow from Google Drive).
  • Zendesk API credentials (if using the Zendesk ticket enrichment functionality).
  • A JSON file containing MITRE ATT&CK data, structured appropriately for ingestion (the workflow's 'Default Data Loader' node shows expected fields like id, name, description, kill_chain_phases, external_references).

Setup Instructions

  1. Download the n8n workflow JSON file.

  2. Import the workflow into your n8n instance.

  3. Part 1: Embed MITRE ATT&CK Data into Qdrant (Run this part first)

    • Locate the manual trigger 'When clicking ‘Test workflow’'.
    • Configure the 'Pull Mitre Data From Gdrive' node with your Google Drive credentials and the File ID of your MITRE ATT&CK JSON data. (Alternatively, replace this node and 'Extract from File' with your own data source and parsing logic).
    • In the 'Embeddings OpenAI1' node (connected to 'Embed JSON in Qdrant Collection'), enter your OpenAI API Key.
    • Configure the 'Embed JSON in Qdrant Collection' node:
      • Set your Qdrant API credentials.
      • Specify the qdrantCollection name (e.g., "mitre"). You'll need to create this collection in your Qdrant instance beforehand, ensuring its vector configuration matches the OpenAI embedding model (e.g., size 1536 for text-embedding-3-large).
    • Manually execute the workflow starting from the 'When clicking ‘Test workflow’' node to populate your Qdrant collection. Monitor for successful completion.
  4. Part 2: Configure AI Agent for Zendesk Ticket Enrichment

    • Locate the 'Get all Zendesk Tickets' node.
    • Configure it with your Zendesk API credentials.
    • In the 'AI Agent1' node:
      • Review and customize the systemMessage if desired.
      • Ensure its 'OpenAI Chat Model1' (e.g., gpt-4o) and 'Embeddings OpenAI' (connected to 'Qdrant Vector Store query') are configured with your OpenAI API Key.
    • Configure the 'Qdrant Vector Store query' node (connected as a tool to 'AI Agent1') with your Qdrant credentials and the same collection name used in Part 1.
    • Review the jsonSchemaExample in the 'Structured Output Parser' node. This defines the structure of the AI's response. Adjust if necessary.
    • Configure the 'Update Zendesk with Mitre Data' node with your Zendesk API credentials. Ensure the custom fields referenced (e.g., for TTP ID, Tactic) exist in your Zendesk instance and map the AI output correctly.
    • Activate this part of the workflow (e.g., on a schedule, or trigger it via webhook from Zendesk).
  5. Part 3: Configure Interactive Chat AI Agent

    • Locate the 'When chat message received' trigger node.
    • In the 'AI Agent' node:
      • Review and customize the systemMessage.
      • Ensure its 'OpenAI Chat Model' (e.g., gpt-4o) and 'Embeddings OpenAI2' (connected to 'Query Qdrant Vector Store') are configured with your OpenAI API Key.
    • Configure the 'Query Qdrant Vector Store' node (connected as a tool to 'AI Agent') with your Qdrant credentials and collection name.
    • Activate this workflow. You can then interact with it via the chat interface provided by the 'When chat message received' trigger.
  6. Test each part of the workflow thoroughly after configuration to ensure data flows and AI responses are as expected.
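The following Python script is an added example and not part of the n8n workflow described above. It covers the points in the prerequisites and in Parts 1 and 2 that are easiest to get wrong: it turns MITRE ATT&CK attack-pattern objects (the id, name, description, kill_chain_phases and external_references fields the 'Default Data Loader' expects) into documents for embedding while dropping revoked or deprecated techniques; it checks that the embedding size actually produced will fit the Qdrant collection (text-embedding-3-large returns 3072-dimensional vectors unless the request sets a smaller `dimensions`, so a 1536-size collection only works when that parameter is set); and it validates the agent's structured output against the ingested knowledge base before anything is written into Zendesk custom fields, so a hallucinated technique ID or a tactic that does not belong to the technique is rejected rather than stored. The output field names (ttp_id, ttp_name, tactic, summary, remediation_steps) are an assumption, since the page does not reproduce the jsonSchemaExample; the sample STIX bundle and its UUIDs are constructed here.

```python
"""Added example, not code from the n8n workflow on this page. Three checks
around the ingestion and enrichment flows:
  1. build embedding documents from MITRE ATT&CK attack-pattern objects,
  2. confirm the embedding size matches the Qdrant collection's vector size,
  3. validate the agent's structured output before it is written to a ticket.
The output schema (ttp_id, ttp_name, tactic, summary, remediation_steps) is
assumed; the page does not reproduce its jsonSchemaExample."""
import json
import re

# Default vector sizes of OpenAI embedding models. text-embedding-3-* accept
# a smaller `dimensions` parameter, so the size actually in use can differ.
EMBEDDING_DIMS = {
    "text-embedding-3-large": 3072,
    "text-embedding-3-small": 1536,
    "text-embedding-ada-002": 1536,
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1566 or T1566.001

# Constructed sample in the STIX-bundle shape ATT&CK is distributed in; the
# UUIDs are placeholders and the descriptions are shortened.
SAMPLE_MITRE_JSON = json.dumps({"objects": [
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
     "name": "Phishing",
     "description": "Adversaries may send phishing messages to gain access to victim systems.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566",
                              "url": "https://attack.mitre.org/techniques/T1566"}]},
    {"type": "attack-pattern",
     "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
     "name": "Spearphishing Attachment",
     "description": "Adversaries may send spearphishing emails with a malicious attachment.",
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001",
                              "url": "https://attack.mitre.org/techniques/T1566/001"}]},
    {"type": "attack-pattern",  # revoked entry: must not be ingested
     "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
     "name": "Old Technique", "description": "Retired.", "revoked": True,
     "kill_chain_phases": [],
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "relationship",  # not a technique: skipped
     "id": "relationship--00000000-0000-4000-8000-000000000004"},
]})


def build_documents(raw_json):
    """Return one {text, payload} document per current attack-pattern.
    Non-technique objects and revoked/deprecated techniques are skipped so
    retired guidance cannot be retrieved as if it were live."""
    docs = []
    for obj in json.loads(raw_json).get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), {})
        tid = ref.get("external_id")
        if not tid or not TECHNIQUE_ID.match(tid):
            continue
        tactics = sorted(p.get("phase_name", "") for p in obj.get("kill_chain_phases", [])
                         if p.get("kill_chain_name") == "mitre-attack")
        text = f"{tid} {obj['name']}\nTactics: {', '.join(tactics)}\n{obj.get('description', '')}"
        docs.append({"text": text, "payload": {"technique_id": tid, "name": obj["name"],
                                                "tactics": tactics, "url": ref.get("url")}})
    return docs


def vector_size_matches(model, collection_size, requested_dimensions=None):
    """True if embeddings produced by `model` fit the Qdrant collection."""
    produced = requested_dimensions or EMBEDDING_DIMS.get(model)
    return produced is not None and produced == collection_size


def validate_agent_output(output, docs):
    """Return a list of problems with the agent's structured output; an empty
    list means it is safe to copy into the ticket's custom fields."""
    problems = [f"missing field: {k}" for k in
                ("ttp_id", "ttp_name", "tactic", "summary", "remediation_steps") if k not in output]
    if problems:
        return problems
    by_id = {d["payload"]["technique_id"]: d["payload"] for d in docs}
    tid = str(output["ttp_id"]).strip()
    if not TECHNIQUE_ID.match(tid):
        problems.append(f"ttp_id is not an ATT&CK technique id: {tid!r}")
    elif tid not in by_id:  # guards against a hallucinated technique id
        problems.append(f"ttp_id not in the ingested knowledge base: {tid}")
    else:
        known = by_id[tid]
        if output["ttp_name"] != known["name"]:
            problems.append(f"ttp_name {output['ttp_name']!r} does not match {known['name']!r}")
        if output["tactic"] not in known["tactics"]:
            problems.append(f"tactic {output['tactic']!r} is not valid for {tid}")
    steps = output["remediation_steps"]
    if not isinstance(steps, list) or not steps or not all(isinstance(s, str) and s.strip() for s in steps):
        problems.append("remediation_steps must be a non-empty list of strings")
    return problems


if __name__ == "__main__":
    docs = build_documents(SAMPLE_MITRE_JSON)
    print(len(docs), "documents ready for embedding")
    print(vector_size_matches("text-embedding-3-large", 1536))        # False
    print(vector_size_matches("text-embedding-3-large", 1536, 1536))  # True
    good = {"ttp_id": "T1566.001", "ttp_name": "Spearphishing Attachment",
            "tactic": "initial-access", "summary": "Malicious attachment delivered by email.",
            "remediation_steps": ["Quarantine the message", "Reset the recipient's credentials"]}
    print(validate_agent_output(good, docs))                               # []
    print(validate_agent_output(dict(good, ttp_id="T1566.999"), docs))     # one problem
```

In the workflow itself, `build_documents` corresponds to what 'Extract from File' and the 'Default Data Loader' do before 'Embed JSON in Qdrant Collection', and `validate_agent_output` is the kind of gate to place between the 'Structured Output Parser' and 'Update Zendesk with Mitre Data', so that the ticket only ever receives technique IDs and tactics that exist in the collection the agent queried.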

Tags:

AI Agent, Cybersecurity, Incident Response, MITRE ATT&CK, OpenAI, Qdrant, Vector Database, Automation, SecOps, Zendesk, Langchain, Threat Intelligence
