
soc-alert-triage

SIEM alert triage with parallel threat intel from VirusTotal, AbuseIPDB, Shodan and MITRE ATT&CK. Compared with sequential agent tool calls: 86 percent fewer tokens, 3.3x faster, 7 seconds end-to-end.

  • security
  • soc
  • siem
  • threat-intel
  • n8n
  • code-mode
Repo
github.com/mj-deving/soc-alert-triage
Published
2026-05-26

What it is

A security operations workflow that takes a SIEM alert and queries four threat-intel sources in parallel: VirusTotal, AbuseIPDB, Shodan and MITRE ATT&CK. A single Promise.allSettled inside a Code-Mode node replaces the sequential tool calls an agent would otherwise make one at a time. Relative to that sequential baseline, token spend drops 86 percent and wall-clock time drops 3.3x.

Weighted severity scoring with dynamic weight redistribution and IP deduplication produces the priority assignment. Nine nodes total, seven seconds end-to-end on a representative payload.
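The pattern described above, as an added illustration rather than the project's own code: one Promise.allSettled fan-out over the four sources, IP deduplication before any lookup, and a weighted score in which the weight of a source that failed is redistributed over the sources that answered (this reading of "dynamic redistribution" is an assumption, as are the source weights, thresholds and field names). The four lookup functions are offline stand-ins returning constructed data; in the real workflow each would be an HTTP call.

```typescript
// Added example, not code from the soc-alert-triage repo. Weights, thresholds
// and the intel stand-ins are assumptions; the sample alert and data are constructed.

type Source = "virustotal" | "abuseipdb" | "shodan" | "mitre";

// Normalised verdict from one source: 0 = benign, 1 = confirmed malicious.
interface IntelResult { source: Source; score: number; note: string }

interface Alert { id: string; rule: string; ips: string[]; technique?: string }

// Assumed weights; they sum to 1 so a fully-answered score stays in [0, 1].
const WEIGHTS: Record<Source, number> = { virustotal: 0.35, abuseipdb: 0.3, shodan: 0.15, mitre: 0.2 };

// Constructed intel, keyed by IP (or by ATT&CK technique ID for the last one).
const VT_RATIO: Record<string, number> = { "203.0.113.10": 0.72 };                    // detections / engines
const ABUSE_CONF: Record<string, number> = { "203.0.113.10": 95, "198.51.100.7": 4 }; // abuse confidence 0-100
const ATTACK_IMPACT: Record<string, number> = { T1110: 0.6, T1486: 1.0 };             // assumed technique severity

// Dedupe so an IP that appears in both src and dst fields is looked up once per source.
function uniqueIps(ips: string[]): string[] {
  return Array.from(new Set(ips.map((ip) => ip.trim()).filter((ip) => ip.length > 0)));
}

async function virusTotal(ips: string[]): Promise<IntelResult> {
  const worst = Math.max(0, ...ips.map((ip) => VT_RATIO[ip] ?? 0));
  return { source: "virustotal", score: worst, note: `worst detection ratio ${worst}` };
}

async function abuseIpdb(ips: string[]): Promise<IntelResult> {
  const worst = Math.max(0, ...ips.map((ip) => ABUSE_CONF[ip] ?? 0));
  return { source: "abuseipdb", score: worst / 100, note: `max abuse confidence ${worst}` };
}

async function shodan(_ips: string[]): Promise<IntelResult> {
  // Simulates the failure mode allSettled exists for: a rate-limited source.
  throw new Error("shodan: HTTP 429 rate limited");
}

async function mitreAttack(technique?: string): Promise<IntelResult> {
  const score = technique ? ATTACK_IMPACT[technique] ?? 0.3 : 0;
  return { source: "mitre", score, note: technique ? `technique ${technique}` : "no technique mapped" };
}

interface Triage { alertId: string; score: number; priority: string; usedSources: Source[]; failedSources: string[] }

// Pure scoring step over already-settled results, so it is testable without any async work.
function scoreSettled(alertId: string, settled: PromiseSettledResult<IntelResult>[]): Triage {
  const ok = settled
    .filter((r): r is PromiseFulfilledResult<IntelResult> => r.status === "fulfilled")
    .map((r) => r.value);
  const failed = settled
    .filter((r): r is PromiseRejectedResult => r.status === "rejected")
    .map((r) => String(r.reason));
  const available = ok.reduce((sum, r) => sum + WEIGHTS[r.source], 0);
  // Redistribution: divide by the weight that actually answered, so a failed
  // source does not silently drag the score toward "benign".
  const score = available > 0 ? ok.reduce((sum, r) => sum + WEIGHTS[r.source] * r.score, 0) / available : 0;
  let priority = "low";
  if (available === 0) priority = "unknown"; // no intel at all: route to a human, do not score it low
  else if (score >= 0.7) priority = "critical";
  else if (score >= 0.4) priority = "high";
  else if (score >= 0.2) priority = "medium";
  return { alertId, score: Math.round(score * 1000) / 1000, priority, usedSources: ok.map((r) => r.source), failedSources: failed };
}

async function triage(alert: Alert): Promise<Triage> {
  const ips = uniqueIps(alert.ips);
  // All four lookups start at once. allSettled never rejects, so one failing source cannot abort the triage.
  const settled = await Promise.allSettled([virusTotal(ips), abuseIpdb(ips), shodan(ips), mitreAttack(alert.technique)]);
  return scoreSettled(alert.id, settled);
}

// Constructed alert: the same IP appears twice (once with trailing whitespace from a sloppy field).
const sampleAlert: Alert = {
  id: "A-1001",
  rule: "Brute force followed by outbound connection",
  ips: ["203.0.113.10", "203.0.113.10 ", "198.51.100.7"],
  technique: "T1110",
};

void triage(sampleAlert).then((t) => console.log(JSON.stringify(t, null, 2)));
```

With Shodan failing, the three answering sources carry 0.85 of the weight; dividing by that instead of by 1 lifts the sample alert from 0.657 (high) to 0.773 (critical). Whether that is the right direction depends on the shop, but the point is that the choice is explicit, and the failed source is reported alongside the score rather than swallowed.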

Stack

n8n with Code-Mode, TypeScript, and the four threat-intel APIs called in parallel. The contribution is the architectural choice: parallel intel calls inside one code node instead of sequential agent tool calls.