Automate Security Incident Triage with GPT-4o-mini and Gmail Notifications

What this workflow does Automatically triages inbound security findings (e.g., from AWS Security Hub via EventBridge → SNS → Webhook), classifies them with an LLM, generates a 3-step remediation plan, and emails a compact incident brief.

Pipeline: Webhook → Clean_Finding (normalize) → Classify (LLM) → Plan (LLM) → Gmail (email). You can substitute Microsoft Teams, Slack, etc.

Normalizes the incoming finding JSON (title, description, account, resource id/type, updated_at).

Uses an LLM to assign incident_type, severity (P0--P3), urgency, short_title, and why (concise rationale).

Produces a 3-step remediation plan with owner_hint and success_criteria---kept atomic and practical.

Sends a clean HTML email with all details (subject line includes short title, resource, and account).

Category: Security / Cloud / Incident Management
Time to set up: ~10--15 minutes
Difficulty: Beginner--Intermediate
Cost: Mostly free (n8n CE; OpenAI usage + Gmail/SMTP as used)

What you'll need An n8n instance reachable over HTTP (for the Webhook node).

OpenAI (or compatible) credentials set in n8n.

Gmail OAuth2 credentials (or swap Gmail node for SMTP).

A source that can POST a Security-Hub-style finding to your webhook (EventBridge/SNS, a SIEM, or curl).

Output (Email)

Subject: <short_title> - <resource_id> in <account_id>

Body: HTML summary with Type, Account, Urgency, Why, Next Actions (3 steps), Owner, Success criteria.