AI MITRE ATT&CK Cyber Assistant for Threat Analysis & Enrichment
Overview
Unlock Advanced Threat Intelligence with this AI Agent
This n8n workflow acts as a sophisticated AI Cybersecurity Assistant. It's designed to dramatically improve your security operations by automatically processing security data (like SIEM alerts or Zendesk tickets) and enriching it with deep contextual information from the MITRE ATT&CK framework. The agent uses OpenAI's powerful language models (GPT-4o) to understand alerts, query a Qdrant vector store loaded with MITRE ATT&CK data, and generate actionable insights.
This AI Agent possesses two primary abilities:
- Automated Ticket/Alert Enrichment: It fetches Zendesk tickets (and can be adapted for other alert sources like SIEMs), analyzes their content using its AI capabilities, queries its MITRE ATT&CK vector store for relevant Tactics, Techniques, and Procedures (TTPs), and then updates the tickets with a concise summary, identified TTPs (including tactic, technique name, and ID), specific remediation steps, historical patterns, and links to external resources for deeper dives.
- Interactive MITRE ATT&CK Chat: It offers a chat interface, allowing you to directly converse with its MITRE ATT&CK knowledge base. Ask questions about specific threats, TTPs, or incident scenarios, and the AI Agent will provide informed responses based on the embedded cybersecurity data.
A one-time setup process loads and embeds the MITRE ATT&CK data (sourced from a JSON file, for example via Google Drive) into a Qdrant vector store, making this knowledge available for rapid, AI-driven querying.
Key Features & Benefits
- AI-Driven Alert Analysis: Leverages OpenAI GPT-4o for nuanced interpretation of security alert data and extraction of key information.
- MITRE ATT&CK Integration: Automatically identifies and tags Tactics, Techniques, and Procedures (TTPs) with their respective IDs and names directly from the MITRE ATT&CK framework.
- Actionable Remediation: Generates specific, actionable remediation steps tailored to the identified threats, helping your team respond faster and more effectively.
- Contextual Enrichment: Cross-references historical patterns and related alerts, providing a broader understanding of incidents and potential campaigns.
- Resource Recommendations: Suggests relevant external resources (e.g., security vendor reports, MITRE ATT&CK technique pages) for deeper investigation and learning.
- Zendesk Automation: Seamlessly integrates with Zendesk to fetch tickets and autonomously update them with AI-generated analysis and MITRE context. Easily adaptable for other ticketing or SIEM systems.
- Qdrant Vector Store (RAG): Utilizes a Qdrant vector store for efficient storage and retrieval of MITRE ATT&CK knowledge, enabling fast and relevant information lookup through Retrieval Augmented Generation (RAG).
- Interactive Querying: Allows direct, conversational interaction with your cybersecurity knowledge base via an n8n chat interface.
- Structured Output: Provides analysis in a structured HTML and JSON format for easy readability, integration, and automated downstream processing.
- Customizable & Extensible: Built on n8n, offering full flexibility to modify, extend, and integrate with your existing security toolchain and workflows.
Use Cases
- Automate the enrichment of Zendesk support tickets related to security incidents with MITRE ATT&CK context, TTPs, and remediation advice for faster, more informed resolution.
- Provide security analysts with AI-powered insights on SIEM alerts, automatically correlating them with MITRE ATT&CK and suggesting response actions.
- Establish an interactive chat-based knowledge base for your security team to query MITRE ATT&CK data specific to observed threats or for research purposes.
- Streamline incident response by automatically identifying adversary behaviors in alerts and cross-referencing them with a comprehensive threat intelligence database.
- Reduce manual research time for SOC analysts by providing immediate, AI-curated context for incoming security events.
Prerequisites
- An n8n instance (Cloud or self-hosted).
- OpenAI API Key with access to a GPT-4o model (or comparable).
- Qdrant instance (Cloud or self-hosted) with API credentials.
- Zendesk API credentials (if using the Zendesk ticket enrichment functionality).
- Google Drive account and credentials (for the example MITRE ATT&CK data loading method, can be replaced with other data sources).
- MITRE ATT&CK data in JSON format (the workflow includes a step to pull a sample from Google Drive, or you can use your own comprehensive dataset).
Setup Instructions
- Download the n8n workflow JSON file.
- Import the workflow into your n8n instance.
- Part 1: Populate Qdrant Vector Store with MITRE ATT&CK Data (Run Once or as needed for updates)
a. Locate the manual trigger node named 'When clicking ‘Test workflow’'. This branch of the workflow is designed to populate your Qdrant vector store.
b. Configure the 'Pull Mitre Data From Gdrive' node: Set up your Google Drive credentials. Ensure the File ID points to your MITRE ATT&CK JSON data file. (A sample file is pre-configured for demonstration.)
c. Configure the 'Embeddings OpenAI1' node (part of the data ingestion flow): Enter your OpenAI API Key in the credentials section. This node creates the vector embeddings for your MITRE data.
d. Configure the 'Embed JSON in Qdrant Collection' node: Set up your Qdrant API credentials (URL and API Key) and specify your desired Qdrant Collection name (e.g., 'mitre_attack_kb').
e. Execute this part of the workflow by clicking the 'Test workflow' button on the 'When clicking ‘Test workflow’' node. This will process your JSON data, create embeddings, and store them in your Qdrant collection.
- Part 2: Automate Zendesk Ticket Enrichment (Continuous Operation)
a. Locate the 'Get all Zendesk Tickets' node. This branch handles the automated enrichment of Zendesk tickets.
b. Configure the 'Get all Zendesk Tickets' node: Set up your Zendesk API credentials.
c. Configure the 'OpenAI Chat Model1' node (connected to 'AI Agent1'): Enter your OpenAI API Key. This LLM powers the analysis and response generation.
d. Configure the 'Qdrant Vector Store query' node (connected to 'AI Agent1' workflow branch): Set up your Qdrant API credentials and ensure the Collection Name matches the one created in Part 1.
e. Configure the 'Embeddings OpenAI' node (associated with the 'Qdrant Vector Store query' for Zendesk): Enter your OpenAI API Key. This is used for embedding the query derived from the Zendesk ticket content.
f. Review and customize the systemMessage and text inputs in the 'AI Agent1' node to ensure it correctly processes your Zendesk ticket data and aligns with your operational needs.
g. Configure the 'Update Zendesk with Mitre Data' node: Set up your Zendesk API credentials. Customize how the AI agent's output (e.g., summary, TTPs, remediation steps) updates Zendesk tickets, mapping to internal notes or custom fields as required.
h. Activate this part of the workflow. Consider setting a schedule for the 'Get all Zendesk Tickets' node or triggering it based on new ticket events.
- Part 3: Enable Interactive Chat with MITRE ATT&CK Data (On-Demand Querying)
a. Locate the 'When chat message received' trigger node. This branch enables the interactive chat functionality.
b. Configure the 'OpenAI Chat Model' node (connected to the main 'AI Agent'): Enter your OpenAI API Key.
c. Configure the 'Query Qdrant Vector Store' node (connected to the main 'AI Agent' workflow branch): Set up your Qdrant API credentials and ensure the Collection Name matches the one used previously.
d. Configure the 'Embeddings OpenAI2' node (associated with the 'Query Qdrant Vector Store' for chat): Enter your OpenAI API Key.
e. Review and customize the systemMessage in the 'AI Agent' node to define its persona and instructions for chat interactions.
f. Activate this trigger. You can then interact with the AI Agent via the n8n chat interface.
- After configuration, ensure only the desired operational triggers (e.g., Zendesk polling, Chat trigger) are active for ongoing use.
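Two points in the setup above depend on data shape: the ATT&CK JSON embedded in Part 1 and the structured TTP list the agent writes back to Zendesk in Part 2. The added Python example below (not part of the n8n workflow itself) turns an ATT&CK STIX bundle into embeddable records keyed by technique ID, then checks the agent's TTP output against those records before anything reaches a ticket, so a hallucinated ID or a tactic that does not belong to a technique is routed to analyst review instead of being posted. The bundle is a constructed miniature that follows the enterprise-attack.json layout, and the agent output format (a "ttps" list of id/technique/tactic objects) is an assumption.

```python
import json

# Constructed miniature of an ATT&CK STIX 2.x bundle; the field layout follows the
# real enterprise-attack.json (attack-pattern objects, technique ID in
# external_references, tactic in kill_chain_phases). T9999 is a made-up revoked entry.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "attack-pattern", "name": "PowerShell",
     "description": "Adversaries may abuse PowerShell commands and scripts for execution.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001",
                              "url": "https://attack.mitre.org/techniques/T1059/001"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}]},
    {"type": "attack-pattern", "name": "Valid Accounts",
     "description": "Adversaries may obtain and abuse credentials of existing accounts.",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1078",
                              "url": "https://attack.mitre.org/techniques/T1078"}],
     "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p}
                           for p in ("defense-evasion", "persistence", "initial-access")]},
    {"type": "attack-pattern", "name": "Retired", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]}]})


def load_techniques(bundle_json: str) -> dict:
    """Map technique ID -> record for live attack-patterns; record["text"] is the embeddable chunk."""
    kb = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern" or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # skip non-technique objects and retired techniques
        ref = next((r for r in obj.get("external_references", [])
                    if r.get("source_name") == "mitre-attack"), None)
        if ref is None:
            continue
        tactics = sorted(p["phase_name"] for p in obj.get("kill_chain_phases", []))
        # ID, name and tactics lead the chunk so a query that mentions an ID retrieves it
        text = f"{ref['external_id']} {obj['name']} [{', '.join(tactics)}] {obj.get('description', '')}"
        kb[ref["external_id"]] = {"id": ref["external_id"], "name": obj["name"],
                                  "tactics": tactics, "url": ref.get("url", ""), "text": text}
    return kb


def validate_ttps(agent_output: dict, kb: dict) -> tuple:
    """Gate the agent's TTP list: keep known IDs with canonical names, return the rest for review."""
    accepted, rejected = [], []
    for ttp in agent_output.get("ttps", []):  # assumed output shape: {"ttps": [{id, technique, tactic}]}
        tid = str(ttp.get("id", "")).strip().upper()
        tactic = str(ttp.get("tactic", "")).strip().lower().replace(" ", "-")
        rec = kb.get(tid)
        if rec is None:
            rejected.append({**ttp, "reason": "unknown technique ID"})
        elif tactic not in rec["tactics"]:
            rejected.append({**ttp, "reason": f"tactic not valid for {tid}: {rec['tactics']}"})
        else:
            accepted.append({"id": tid, "technique": rec["name"], "tactic": tactic, "url": rec["url"]})
    return accepted, rejected
```

In the workflow, the accepted list is what the 'Update Zendesk with Mitre Data' node should write, and the rejected list belongs in an internal note for an analyst rather than in the customer-facing ticket text.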