带Slack的简单日志异常检测器

中级

这是一个 SecOps 领域的自动化工作流,包含 7 个节点,主要使用 If、Code、Slack、HttpRequest、ScheduleTrigger 等节点。它按计划拉取安全日志,统计其中的失败登录尝试,并在超过阈值时通过 Slack 发送警报。

前置要求
  • Slack Bot Token 或 Webhook URL
  • 可能需要目标 API 的认证凭证

分类

导出工作流
复制以下 JSON 配置到 n8n 导入,即可使用此工作流
{
  "id": "B8b52ViroIFRPWW9",
  "meta": {
    "instanceId": "a287613f1596da776459594685fbf4e2b4a12124f80ab8c8772f5e37bff103ae",
    "templateCredsSetupCompleted": true
  },
  "name": "带 Slack 的简单日志异常检测器",
  "tags": [],
  "nodes": [
    {
      "id": "f094a345-e855-4b5d-ac8d-632391f46122",
      "name": "计划触发器",
      "type": "n8n-nodes-base.scheduleTrigger",
      "position": [
        -224,
        224
      ],
      "parameters": {
        "rule": {
          "interval": [
            {
              "field": "minutes",
              "minutesInterval": 1
            }
          ]
        }
      },
      "typeVersion": 1.2
    },
    {
      "id": "7f5f4655-952a-4831-aa3c-b11cda85f9bc",
      "name": "获取日志",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        0,
        224
      ],
      "parameters": {
        "url": "https://api.yourlogserver.com/logs/recent?limit=100",
        "options": {}
      },
      "typeVersion": 4.2
    },
    {
      "id": "faeaf2cb-3cc0-48a2-be1c-48348303eeb6",
      "name": "统计登录失败次数",
      "type": "n8n-nodes-base.code",
      "position": [
        224,
        224
      ],
      "parameters": {
        "jsCode": "const failedLogins = $json.data.filter(log => log.event === 'login_failure');\nconst uniqueIps = [...new Set(failedLogins.map(log => log.ip))];\nconst loginFailureCount = failedLogins.length;\n\nreturn [{\n    json: {\n        loginFailureCount,\n        uniqueIps,\n        firstFailedAttemptTime: failedLogins[0]?.timestamp,\n        lastFailedAttemptTime: failedLogins[loginFailureCount - 1]?.timestamp,\n        summary: `Detected ${loginFailureCount} failed login attempts from ${uniqueIps.length} unique IP(s): ${uniqueIps.join(', ')}`\n    }\n}];"
      },
      "typeVersion": 2
    },
    {
      "id": "32686dc4-17d9-4d71-adb8-684558a43e7d",
      "name": "登录失败次数 > 阈值?",
      "type": "n8n-nodes-base.if",
      "position": [
        448,
        224
      ],
      "parameters": {
        "options": {},
        "conditions": {
          "options": {
            "version": 2,
            "leftValue": "",
            "caseSensitive": true,
            "typeValidation": "strict"
          },
          "combinator": "and",
          "conditions": [
            {
              "id": "af403d1c-04f9-4b8a-9575-f39b7c14aa2a",
              "operator": {
                "type": "number",
                "operation": "gt"
              },
              "leftValue": "={{ $json.loginFailureCount }}",
              "rightValue": 5
            }
          ]
        }
      },
      "typeVersion": 2.2
    },
    {
      "id": "7277f88b-4510-4e40-a41d-1ecf1cff44f1",
      "name": "发送异常警报",
      "type": "n8n-nodes-base.slack",
      "position": [
        672,
        144
      ],
      "webhookId": "dffde98f-80a8-4153-b925-af9603c73246",
      "parameters": {
        "text": "=🚨 *SECURITY ALERT: High Volume of Failed Logins Detected!* 🚨\\nSummary: *{{ $json.summary }}*\\nFirst attempt: *{{ $json.firstFailedAttemptTime }}*\\nLast attempt: *{{ $json.lastFailedAttemptTime }}",
        "user": {
          "__rl": true,
          "mode": "id",
          "value": "yourid12"
        },
        "select": "user",
        "otherOptions": {}
      },
      "credentials": {
        "slackApi": {
          "id": "AFKF0YsguyhsagR0",
          "name": "temp"
        }
      },
      "typeVersion": 2.3
    },
    {
      "id": "ca2fdc19-9814-4b1e-8534-a4919c3a7cc3",
      "name": "便签",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -320,
        112
      ],
      "parameters": {
        "color": 3,
        "width": 1232,
        "height": 304,
        "content": "## 流程"
      },
      "typeVersion": 1
    },
    {
      "id": "85d53433-3994-4893-8f6b-680face132b0",
      "name": "便签1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -320,
        464
      ],
      "parameters": {
        "color": 5,
        "width": 1232,
        "height": 1264,
        "content": "# 🕵️ 简单日志异常检测器 🧠"
      },
      "typeVersion": 1
    }
  ],
  "active": false,
  "pinData": {},
  "settings": {
    "executionOrder": "v1"
  },
  "versionId": "f0ceb14b-4265-4c28-83fd-7c92bf58af24",
  "connections": {
    "Fetch Logs": {
      "main": [
        [
          {
            "node": "Count Failed Logins",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Schedule Trigger": {
      "main": [
        [
          {
            "node": "Fetch Logs",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Count Failed Logins": {
      "main": [
        [
          {
            "node": "Failed Logins > Threshold?",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Failed Logins > Threshold?": {
      "main": [
        [
          {
            "node": "Send Anomaly Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}
常见问题

如何使用这个工作流?

复制上方的 JSON 配置代码,在您的 n8n 实例中创建新工作流并选择「从 JSON 导入」,粘贴配置后根据需要修改凭证设置。注意:上方配置中 connections 引用的是英文节点名(如 Fetch Logs、Count Failed Logins、Send Anomaly Alert),而节点本身使用的是中文名称(如 获取日志、统计登录失败次数、发送异常警报),因此导入后节点之间不会自动连接,需要手动重新连线或统一节点名称。同时请将 HttpRequest 节点中的占位 URL(api.yourlogserver.com)、Slack 节点中的用户 ID "yourid12" 以及名为 "temp" 的凭证替换为您自己的值,并按前置要求为日志 API 配置认证(当前 HttpRequest 节点未配置任何认证)。

这个工作流适合什么场景?

这是一个中级难度的工作流,适用于 SecOps 等场景,适合有一定经验的用户,包含 6-15 个节点的中等复杂度工作流。注意该工作流每分钟拉取最近 100 条日志且未按时间窗口过滤,同一批失败登录可能在相邻的运行中被重复告警,超过 100 条/分钟的日志也可能被漏检,部署前需结合日志 API 的分页或时间参数进行调整。

需要付费吗?

本工作流完全免费,您可以直接导入使用。但请注意,工作流中使用的第三方服务(如日志服务器 API 或 Slack)可能需要您自行付费。

工作流信息
难度等级
中级
节点数量7
分类1
节点类型6
难度说明

适合有一定经验的用户,包含 6-15 个节点的中等复杂度工作流

作者
Marth

Marth

@marth

Simplifying Business with Smart Automation. I create and share user-friendly, highly efficient n8n workflow templates for SMEs, focusing on digital marketing, sales, and operational excellence. Get ready to automate, innovate, and elevate your business. Connect me on Linkedin for custom solutions.
