{ "name": "Falco Incident Response", "nodes": [ { "parameters": { "httpMethod": "POST", "path": "falco-triage", "options": {} }, "type": "n8n-nodes-base.webhook", "typeVersion": 2.1, "position": [ 0, -224 ], "id": "67e376e0-87c4-4294-a5d4-1b9198977e20", "name": "Triage", "webhookId": "0589a9e4-0566-483a-8d45-6f427a50a0c7" }, { "parameters": { "httpMethod": "POST", "path": "falco-forensics", "responseMode": "lastNode", "options": {} }, "type": "n8n-nodes-base.webhook", "typeVersion": 2.1, "position": [ 0, -16 ], "id": "744909b3-5d9d-421f-b2a9-d12bec32757b", "name": "Forensic", "webhookId": "b3c86d25-2fc1-440e-b69c-15f82ed59532" }, { "parameters": { "httpMethod": "POST", "path": "falco-containment", "options": {} }, "type": "n8n-nodes-base.webhook", "typeVersion": 2.1, "position": [ 0, 192 ], "id": "6bf04263-f4c7-4499-a46b-2bcaafd6e858", "name": "Containtment", "webhookId": "d8caeb6c-5b38-4711-9aa1-b04408c6a1c4" }, { "parameters": { "jsCode": "// Obtener datos del webhook\nconst data = $json.body;\n\n// Generar timestamp para el nuevo secreto\nconst timestamp = Date.now();\n\nreturn {\n // Datos del incidente\n namespace: data.k8s_namespace,\n pod: data.k8s_pod,\n alert_id: data.alert_id,\n rule_id: data.rule_id,\n rule_level: data.rule_level,\n rule_description: data.rule_description,\n command: data.command,\n file_accessed: data.file_accessed,\n mitre_id: data.mitre_id,\n container_id: data.container_id,\n \n // Nuevos secretos generados\n new_password: `RotatedPass${timestamp}!`,\n new_api_key: `sk-prod-rotated-${timestamp}`,\n new_version: Math.floor(timestamp / 1000),\n rotation_timestamp: new Date().toISOString(),\n \n // Para debugging\n original_alert: data\n};" }, "type": "n8n-nodes-base.code", "typeVersion": 2, "position": [ 208, 192 ], "id": "234210eb-1274-4cee-92f7-001b50f4753c", "name": "Code" }, { "parameters": { "method": "POST", "url": "http://vault.automation.svc.cluster.local:8200/v1/secret/data/production/db-credentials", "sendHeaders": true, "headerParameters": { "parameters": [ { "name": "X-Vault-Token", "value": "root" }, { "name": "Content-Type", "value": "application/json" } ] }, "sendBody": true, "specifyBody": "json", "jsonBody": "={\n \"data\": {\n \"username\": \"admin\",\n \"password\": \"{{ $json.new_password }}\",\n \"api_key\": \"{{ $json.new_api_key }}\",\n \"db_host\": \"postgres.production.svc.cluster.local\",\n \"db_port\": \"5432\",\n \"rotated_at\": \"{{ $json.rotation_timestamp }}\",\n \"reason\": \"Security incident - credentials compromised\"\n }\n}", "options": {} }, "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.3, "position": [ 416, 192 ], "id": "a9a304d8-480c-401f-9c74-083af4f37b57", "name": "HTTP Request Vault Rotate" }, { "parameters": { "method": "DELETE", "url": "=https://kubernetes.default.svc.cluster.local/api/v1/namespaces/{{ $('Code').item.json.namespace }}/pods/{{ $('Code').item.json.pod }}?gracePeriodSeconds=0\n\n", "authentication": "genericCredentialType", "genericAuthType": "httpHeaderAuth", "sendHeaders": true, "headerParameters": { "parameters": [ { "name": "Content-Type", "value": "application/json" } ] }, "options": { "allowUnauthorizedCerts": true } }, "type": "n8n-nodes-base.httpRequest", "typeVersion": 4.3, "position": [ 624, 192 ], "id": "a97f7efd-bdd8-4603-bdd8-ce35c335d0eb", "name": "HTTP Request Kubernetes Delete POD", "credentials": { "httpBearerAuth": { "id": "C31I5VIogMcGfaDq", "name": "Bearer Auth account" }, "httpHeaderAuth": { "id": "winKuwMimLYYGBVg", "name": "Header Auth account" } } }, { "parameters": { "select": "channel", "channelId": { "__rl": true, "value": "C09RAN56Y92", "mode": "list", "cachedResultName": "devsecops" }, "text": "=🔍 *FORENSICS - Evidencia Capturada*\n\n*Namespace:* {{ $json.body.k8s_namespace }}\n*Pod:* {{ $json.body.k8s_pod }}\n*Archivo de evidencia:* {{ $json.body.evidence_file }}\n\n*Comando sospechoso:* {{ $json.body.command }}\n*Archivo accedido:* {{ $json.body.file_accessed }}\n\n📊 Logs y metadata del pod han sido guardados en Wazuh.\n📁 Archivo: {{ $json.body.evidence_file }}\n\n⚠️ Revisar evidencia para análisis forense.", "otherOptions": {} }, "type": "n8n-nodes-base.slack", "typeVersion": 2.3, "position": [ 208, -16 ], "id": "c0478fa7-8102-4258-9f59-f817be0c2286", "name": "Message Collecting evidence", "webhookId": "66f76208-bf2f-4f14-a0c0-d063eb2f9e6a", "credentials": { "slackApi": { "id": "zcwR6izlX80HfizM", "name": "Slack account" } } }, { "parameters": { "select": "channel", "channelId": { "__rl": true, "value": "C09RAN56Y92", "mode": "list", "cachedResultName": "devsecops" }, "text": "=🚨 *ALERTA CRÍTICA DE SEGURIDAD K8S*\n\n*Namespace:* {{ $json.body.k8s_namespace }}\n*Pod:* {{ $json.body.k8s_pod }}\n*Archivo Accedido:* {{ $json.body.file_accessed }}\n*Comando Ejecutado:* {{ $json.body.command }}\n*Usuario:* {{ $json.body.user }}\n\n*Regla Falco:* {{ $json.body.falco_rule }}\n*Severidad:* Level {{ $json.body.rule_level }}\n*Container ID:* {{ $json.body.container_id }}\n\n*MITRE ATT&CK:* {{ $json.body.mitre_id }}\n\n*Timestamp:* {{ $json.body.timestamp }}\n\n⚙️ Iniciando respuesta automática...", "otherOptions": {} }, "type": "n8n-nodes-base.slack", "typeVersion": 2.3, "position": [ 208, -224 ], "id": "59303030-8643-4cf1-9831-abea5ea015fb", "name": "Message Compromise", "webhookId": "ea12c2fa-e364-4b86-83ca-07c02637ab5d", "credentials": { "slackApi": { "id": "zcwR6izlX80HfizM", "name": "Slack account" } } }, { "parameters": { "select": "channel", "channelId": { "__rl": true, "value": "C09RAN56Y92", "mode": "list", "cachedResultName": "devsecops" }, "text": "=⚠️ *CONTAINMENT - Respuesta Automática Ejecutada*\n\n*📍 Pod Comprometido:*\n Namespace: {{ $('Containtment').item.json.body.k8s_namespace }}\n Pod: {{ $('Containtment').item.json.body.k8s_pod }}\n Container: {{ $('Containtment').item.json.body.container_id }}\n\n*🔐 Vault - Rotación de Secretos:*\n ✅ Status: SUCCESS\n Nueva password: {{ $('Code').item.json.new_password }}\n Nueva API key: {{ $('Code').item.json.new_api_key }}\n Versión Vault: {{ $('Code').item.json.new_version }}\n Rotado: {{ $('Code').item.json.rotation_timestamp }}\n\n*🔴 Acción de Containment:*\n ✅ Secreto rotado en Vault\n ✅ Pod eliminado vía Kubernetes API\n ⏳ Deployment recreará el pod automáticamente\n\n*📊 Detalles del Incidente:*\n Regla: {{ $('Containtment').item.json.body.rule_id }} (Level {{ $('Containtment').item.json.body.rule_level }})\n Descripción: {{ $('Containtment').item.json.body.rule_description }}\n Comando: {{ $('Containtment').item.json.body.command }}\n Archivo: {{ $('Containtment').item.json.body.file_accessed }}\n Usuario: {{ $('Containtment').item.json.body.user }}\n MITRE ATT&CK: {{ $('Containtment').item.json.body.mitre_id }}\n\n*🔒 Resultado:*\n✅ Credenciales antiguas invalidadas\n✅ Nuevo pod se levantará con credenciales frescas\n✅ Evidencia forense capturada en Wazuh\n\n*Timestamp:* {{ $('Containtment').item.json.body.timestamp }}", "otherOptions": {} }, "type": "n8n-nodes-base.slack", "typeVersion": 2.3, "position": [ 832, 192 ], "id": "503da457-a454-4a78-afd6-de3809cec063", "name": "Mensaje Status Incident", "webhookId": "4a47dd7a-87dc-43a8-a83a-f9e119e80d81", "credentials": { "slackApi": { "id": "zcwR6izlX80HfizM", "name": "Slack account" } } } ], "pinData": {}, "connections": { "Triage": { "main": [ [ { "node": "Message Compromise", "type": "main", "index": 0 } ] ] }, "Forensic": { "main": [ [ { "node": "Message Collecting evidence", "type": "main", "index": 0 } ] ] }, "Containtment": { "main": [ [ { "node": "Code", "type": "main", "index": 0 } ] ] }, "Code": { "main": [ [ { "node": "HTTP Request Vault Rotate", "type": "main", "index": 0 } ] ] }, "HTTP Request Vault Rotate": { "main": [ [ { "node": "HTTP Request Kubernetes Delete POD", "type": "main", "index": 0 } ] ] }, "HTTP Request Kubernetes Delete POD": { "main": [ [ { "node": "Mensaje Status Incident", "type": "main", "index": 0 } ] ] } }, "active": true, "settings": { "executionOrder": "v1" }, "versionId": "1bfec02a-c3f5-441a-85c8-22c84b97a49c", "meta": { "templateCredsSetupCompleted": true, "instanceId": "2107ba24f0fdffb932932ef5ad0ab1a7176003c2d1fd88fa11c24ae832e9a919" }, "id": "nuP6BCdzF4ktkISH", "tags": [] }