P
AI for Cybersecurity Analyst

Automation Recipe: AI-Assisted Alert Triage with n8n and Claude

Tools:n8n, Claude API
Time to build:2-3 hours
Difficulty:Intermediate-Advanced
Prerequisites:Comfortable using Claude for security analysis (Level 3) — see Level 3 guide: "Build an Incident Reporting Workflow with Claude Pro"

What This Builds

An automated workflow that intercepts low-to-medium severity SIEM alerts before they hit your queue, runs them through Claude for AI-assisted triage, and delivers a pre-analyzed ticket to your analysts. Instead of spending 20-30 minutes on each L1 alert only to dismiss it as a false positive, your analysts receive alerts that already include: a triage recommendation (true positive / likely false positive / needs investigation), the reasoning behind that recommendation, and suggested next investigation steps. Analysts confirm or override the recommendation rather than starting from scratch.

Prerequisites

  • An n8n instance (self-hosted is free at n8n.io, cloud starts at $20/mo)
  • Anthropic API key (get at console.anthropic.com — pay-per-use, typically $0.01-0.05 per triage)
  • Your SIEM's webhook/API capability (Splunk, Microsoft Sentinel, Elastic, or QRadar)
  • Your ticketing system's API (ServiceNow or Jira)
  • Basic comfort with connecting web services via APIs

The Concept

Think of this as building a junior analyst who never sleeps, never gets alert fatigue, and processes every alert the same way — by looking at all available context before making a triage decision. You set up the workflow once. After that, every qualifying alert gets an AI assessment before it appears in your queue. The human analyst makes the final call, but they're reviewing a recommendation with reasoning rather than starting every alert cold.

Build It Step by Step

Part 1: Set Up Your n8n Environment

Option A — Self-hosted (free, recommended for security teams)

  1. Install n8n on a dedicated server or VM inside your network: npm install n8n -g
  2. Run with: n8n start
  3. Access at http://localhost:5678
  4. For production, configure a domain and SSL

Option B — n8n Cloud Sign up at n8n.io/cloud. Start with the free trial to test your workflow, then evaluate the $20/mo Starter plan.

Security consideration: For a security team, self-hosting is preferred — alert data stays in your network and never leaves unless you make an API call to Claude. Review Claude's API data retention policy (anthropic.com/privacy) — input data is not used for training by default.

Part 2: Create Your Claude API Credential in n8n

  1. In n8n, go to Settings → Credentials → New Credential
  2. Search for "Anthropic" and select it
  3. Enter your Anthropic API key from console.anthropic.com
  4. Name it "Claude API" and save

Part 3: Build the Alert Intake Node

Create a new workflow in n8n. Start with the trigger node:

For Splunk alerts via webhook:

  1. Add a Webhook node as your trigger
  2. Copy the webhook URL that n8n generates
  3. In Splunk, create an alert action that sends a POST to that URL with alert details as JSON

Minimum data to capture in the alert payload:

Copy and paste this
{
  "alert_id": "ALERT-2026-03-20-001",
  "severity": "medium",
  "rule_name": "Brute Force Login Detected",
  "source_ip": "192.168.1.55",
  "destination_ip": "10.0.0.5",
  "user": "jsmith@company.com",
  "event_count": 12,
  "time_window": "5 minutes",
  "raw_events": "[paste key log fields]"
}

Part 4: Build the Claude Triage Node

Add an HTTP Request node after your trigger:

  • Method: POST
  • URL: https://api.anthropic.com/v1/messages
  • Authentication: Header Auth → x-api-key: {{your_api_key}} and anthropic-version: 2023-06-01

Set the request body to a JSON template. This is your triage prompt — the most important part. Copy and customize this:

Copy and paste this
{
  "model": "claude-haiku-20240307",
  "max_tokens": 500,
  "messages": [
    {
      "role": "user",
      "content": "You are a cybersecurity analyst performing alert triage. Analyze this security alert and provide a triage assessment.\n\nOrganization context: [Your industry, e.g., financial services company, 500 employees, running Azure AD, Microsoft Sentinel, CrowdStrike EDR]\n\nAlert details:\n- Rule: {{$json.rule_name}}\n- Severity: {{$json.severity}}\n- Source IP: {{$json.source_ip}}\n- User: {{$json.user}}\n- Event count: {{$json.event_count}} in {{$json.time_window}}\n- Raw events: {{$json.raw_events}}\n\nProvide your response in exactly this format:\nTRIAGE: [TRUE_POSITIVE / FALSE_POSITIVE / NEEDS_INVESTIGATION]\nCONFIDENCE: [HIGH / MEDIUM / LOW]\nREASONING: [2-3 sentences explaining your assessment]\nNEXT_STEPS: [2-3 specific investigation actions if NEEDS_INVESTIGATION or TRUE_POSITIVE]\nSEVERITY_RECOMMENDATION: [CRITICAL / HIGH / MEDIUM / LOW / DISMISS]"
    }
  ]
}

Part 5: Parse Claude's Response

Add a Code node (JavaScript) to extract the structured fields from Claude's text response:

Copy and paste this
const response = $input.first().json.content[0].text;

const triage = response.match(/TRIAGE: (.+)/)?.[1] || 'UNKNOWN';
const confidence = response.match(/CONFIDENCE: (.+)/)?.[1] || 'UNKNOWN';
const reasoning = response.match(/REASONING: (.+)/)?.[1] || '';
const nextSteps = response.match(/NEXT_STEPS: (.+)/)?.[1] || '';
const severity = response.match(/SEVERITY_RECOMMENDATION: (.+)/)?.[1] || 'MEDIUM';

return [{
  json: {
    triage,
    confidence,
    reasoning,
    nextSteps,
    severity,
    alertId: $('Webhook').first().json.alert_id
  }
}];

Part 6: Route Based on Triage Result

Add an IF node to route alerts:

  • Branch 1: triage == 'FALSE_POSITIVE' AND confidence == 'HIGH' → Auto-close ticket with Claude's reasoning as a note
  • Branch 2: Everything else → Create investigation ticket with Claude's analysis

Part 7: Create Enriched Tickets

For the investigation branch, add your ticketing system node (ServiceNow or Jira):

Ticket fields to populate:

  • Summary: [AI-TRIAGED] {{rule_name}} - {{triage}} ({{confidence}} confidence)
  • Description:
    Copy and paste this
    === AI TRIAGE ASSESSMENT ===
Result: {{triage}}
Confidence: {{confidence}}

AI Reasoning: {{reasoning}}

Suggested Next Steps: {{nextSteps}}

=== ORIGINAL ALERT ===
Rule: {{rule_name}}
Source: {{source_ip}}
User: {{user}}
Event Count: {{event_count}} in {{time_window}}
  • Priority: Map Claude's severity recommendation to your ticket priority levels

Real Example: Brute Force Alert Triage

Setup: Your Sentinel workspace triggers alerts for "10+ failed logins in 5 minutes." This rule fires 40 times per day, 80% false positives from your password reset service.

Input to workflow:

Copy and paste this
{
  "rule_name": "Brute Force Login Detected",
  "source_ip": "10.10.5.20",
  "user": "service_account_passwordreset@company.com",
  "event_count": 15,
  "time_window": "5 minutes",
  "severity": "medium"
}

Claude's output:

Copy and paste this
TRIAGE: FALSE_POSITIVE
CONFIDENCE: HIGH
REASONING: The source IP 10.10.5.20 is a known internal service address, and the triggering account is a service account used for password resets. Batch password reset operations frequently generate authentication events at this volume. No external access or privilege escalation indicators are present.
NEXT_STEPS: N/A - recommended auto-dismiss
SEVERITY_RECOMMENDATION: DISMISS

What happens: The workflow auto-closes the ticket with Claude's reasoning attached. Your analyst's queue doesn't see it. They spend zero time on this false positive.

Cost: ~2,000 tokens = approximately $0.001 (less than 1/10 of a cent) per alert processed.

Time saved: If this alert fires 30 times per day with 80% false positives, that's 24 auto-dismissed alerts × 20 min each = 480 analyst-minutes saved per day.

What to Do When It Breaks

  • Claude returns unstructured text → Your response format may have been overridden. Add "You MUST follow the exact format specified. Do not deviate from the format." to your prompt.
  • High false positive auto-dismiss rate → Raise the confidence threshold. Only auto-dismiss when CONFIDENCE is HIGH, not MEDIUM. Review dismissed alerts weekly for the first month.
  • Webhook isn't triggering → Check your SIEM's webhook action configuration. Test with a manual curl POST to the n8n webhook URL: curl -X POST [webhook_url] -H "Content-Type: application/json" -d '{"test": true}'
  • API rate limiting → Add a Wait node after the Claude call to limit to 5 requests per second. Anthropic's API has rate limits that vary by plan.

Variations

  • Simpler version: Skip the auto-close routing. Use n8n only to add Claude's triage analysis as a comment on existing tickets — no auto-dismissal, just enrichment.
  • Extended version: Add a VirusTotal API lookup node between the Webhook and Claude nodes to enrich IP reputation data before Claude's analysis. Claude then gets reputation context, improving triage accuracy.

What to Do Next

  • This week: Build the workflow in a test environment with sample alert data before connecting to production SIEM
  • This month: Review auto-dismissed alerts weekly for the first month to tune confidence thresholds — adjust as needed
  • Advanced: Add a feedback loop — when analysts override Claude's recommendation, log the override to a spreadsheet. Use that data to refine your triage prompt.

Advanced guide for cybersecurity analyst professionals. These techniques use more sophisticated AI features that may require paid subscriptions.