DEVELOPMENT OF AN AGENT FOR NOTIFICATION ANALYSIS BASED ON ARTIFICIAL INTELLIGENCE USING N8N AND ELASTIC SECURITY SOFTWARE
DOI: https://doi.org/10.28925/2663-4023.2025.31.1031

Keywords: SOC automation; n8n; large language models; Elastic Security; incident orchestration; cybersecurity; SIEM; LLM agent.

Abstract
This article presents a research-driven approach to improving the efficiency of incident response in Security Operations Centers by implementing an automated alert analysis system that integrates the n8n workflow platform with large language models. The approach addresses current cybersecurity challenges: the steadily growing volume of security alerts, the increasing complexity of IT infrastructures, limited analyst capacity, and the declining effectiveness of purely manual analysis. The developed architecture uses the Elastic Security SIEM as the primary event source, n8n as the orchestration platform that manages the workflow, LLM-based agents for natural-language interpretation of incidents, and external enrichment services such as AbuseIPDB and VirusTotal. The core functions of the system are automated collection, normalization, and enrichment of security events; risk scoring; incident type classification; generation of concise analytical summaries in the 5W format (Who, What, When, Where, Why); and automatic generation of the corresponding response actions. To validate the approach, an experimental study was conducted in several stages: simulation of realistic SOC scenarios, generation of representative security incidents, execution of the automated analysis workflow, and comparison of its results with the performance of Tier-1 SOC analysts. Particular attention was paid to the stability of the LLM agent across varying event formats, different log sources, and inconsistent data quality. The system's behavior was also examined in scenarios with ambiguous or partially missing incident attributes, as well as its resilience to noisy or incomplete data.
The analysis showed that the integrated approach not only automates routine tasks but also ensures consistent decisions, reduces the subjective variability inherent in manual analysis, and produces unified, repeatable incident verdicts. Additional evaluation covered the quality of the generated analytical summaries, the accuracy of contextual interpretation, the model's ability to identify key entities and causal factors, and the relevance of the recommended response actions. The study also verified the system's compatibility with existing SOC infrastructure and its ability to scale under increased alert volumes without significant performance degradation. The results confirm that the proposed system improves both the speed and the quality of incident response and lays the groundwork for moving from a reactive to a proactive SOC model, in which automated tools take over a substantial share of the cognitive workload. Owing to the modularity of n8n and the flexibility of LLM agents, the system can be adapted to new threat types, extended in functionality at modest cost, and integrated with a range of corporate services. It thus provides a technological basis for the further adoption of intelligent automation in cybersecurity practice and supports the development of next-generation SOC environments.
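As an added illustration (not code from the paper or its authors), the following JavaScript sketches the deterministic stages the abstract lists before the LLM step: normalization of an Elastic Security alert, reputation enrichment, risk scoring, incident classification, and assembly of the 5W fields with candidate response actions. It is written as plain functions of the kind that would sit in n8n Code nodes. The sample alert, the reputation table standing in for an AbuseIPDB-style lookup, the scoring weights, the normalized field names, and the classification rules are all constructed assumptions for this example; the real workflow would call the enrichment APIs over HTTP and hand the 5W fields to the LLM agent for phrasing. The private-address check and the null handling for missing fields are included because the abstract stresses behavior under incomplete data.

```javascript
// Added example (not from the paper): deterministic pre-processing stages of an
// alert-triage workflow. All data, weights and rules below are constructed.

// Constructed sample of an Elastic Security detection alert (ECS-style keys).
// destination.ip is deliberately absent to exercise the missing-field path.
const sampleAlert = {
  "@timestamp": "2025-03-04T10:15:42.000Z",
  "kibana.alert.rule.name": "Multiple failed SSH logins followed by success",
  "kibana.alert.severity": "medium",
  "kibana.alert.risk_score": 47,
  "kibana.alert.reason": "authentication event by user svc-backup on host web-01",
  "event.category": ["authentication"],
  "source.ip": "203.0.113.45",
  "host.name": "web-01",
  "user.name": "svc-backup",
};

// Constructed stand-in for an AbuseIPDB-style reputation lookup (confidence 0-100).
const reputationTable = { "203.0.113.45": { abuseConfidenceScore: 92, totalReports: 31 } };

// RFC 1918, loopback and link-local ranges are never sent to external services;
// a missing or non-string value is treated the same way (nothing to look up).
function isPrivateIp(ip) {
  if (typeof ip !== "string") return true;
  return /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/.test(ip);
}

// Stage 1: normalize flat ECS keys into a fixed schema; absent fields become null.
function normalizeAlert(alert) {
  const get = (k) => (alert[k] === undefined || alert[k] === "" ? null : alert[k]);
  return {
    timestamp: get("@timestamp"),
    rule: get("kibana.alert.rule.name"),
    severity: (get("kibana.alert.severity") || "unknown").toLowerCase(),
    baseRisk: Number(get("kibana.alert.risk_score")) || 0,
    category: [].concat(get("event.category") || []),
    sourceIp: get("source.ip"),
    destIp: get("destination.ip"),
    host: get("host.name"),
    user: get("user.name"),
    reason: get("kibana.alert.reason"),
  };
}

// Stage 2: enrich. Only public source IPs are looked up; unknown IPs yield null.
function enrichAlert(norm, lookup) {
  const ip = norm.sourceIp;
  const rep = ip && !isPrivateIp(ip) ? lookup[ip] || null : null;
  return { ...norm, sourceReputation: rep };
}

// Stage 3: score. SIEM base risk, raised by reputation and by sensitive-account
// authentication context, capped at 100. Weights are assumptions.
function scoreRisk(enriched) {
  let score = enriched.baseRisk;
  const rep = enriched.sourceReputation;
  if (rep && rep.abuseConfidenceScore >= 75) score += 30;
  else if (rep && rep.abuseConfidenceScore >= 25) score += 10;
  if (enriched.category.includes("authentication") && /svc-|admin/.test(enriched.user || "")) score += 10;
  return Math.min(100, score);
}

// Stage 4: classify from ECS category plus rule/reason text (assumed rule set).
function classifyIncident(enriched) {
  const text = `${enriched.rule || ""} ${enriched.reason || ""}`.toLowerCase();
  if (enriched.category.includes("authentication") && /failed|brute|password/.test(text)) return "credential-access";
  if (enriched.category.includes("malware") || /malware|trojan/.test(text)) return "malware";
  if (enriched.category.includes("network") && /beacon|c2|command and control/.test(text)) return "command-and-control";
  return "unclassified";
}

// Stage 5: 5W fields and candidate actions. Every field has a fallback so the
// LLM receives a complete structure even when the alert was incomplete.
function buildFiveW(enriched, score, type) {
  const rep = enriched.sourceReputation;
  return {
    who: enriched.user ? `user ${enriched.user} from ${enriched.sourceIp || "unknown source"}` : "unknown principal",
    what: `${type} (${enriched.rule || "unnamed rule"}), risk ${score}/100`,
    when: enriched.timestamp || "timestamp missing",
    where: `host ${enriched.host || "unknown"}` + (enriched.destIp ? ` -> ${enriched.destIp}` : ""),
    why: rep ? `source IP has abuse confidence ${rep.abuseConfidenceScore} (${rep.totalReports} reports)` : "no external reputation data available",
    actions: score >= 70 ? ["isolate host", "disable account", "open Tier-2 case"] : ["monitor", "Tier-1 review"],
  };
}

// Whole pipeline for one alert; returns the structure the LLM step would consume.
function triage(alert, lookup = reputationTable) {
  const enriched = enrichAlert(normalizeAlert(alert), lookup);
  const score = scoreRisk(enriched);
  const type = classifyIncident(enriched);
  return { score, type, summary: buildFiveW(enriched, score, type) };
}

console.log(JSON.stringify(triage(sampleAlert), null, 2));
```

Two design points worth keeping when the 5W structure is handed to the LLM agent: fields such as user.name, process arguments and the rule reason originate in logs that an attacker can influence, so they should be passed to the model as delimited data rather than spliced into the instruction text; and the deterministic score and classification computed here should be recorded alongside the model's output, so that a Tier-1 analyst can see when the model's verdict diverges from the rule-based one.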
Copyright (c) 2025 Олександр Волотовський, Роман Банах, Андріян Піскозуб

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.