Automated Incident Response & Phishing Detection System - Article in progress (documentation coming soon)

🏷️ Tech Stack: TheHive • Cortex • n8n • Python • DeepSeek LLM • VirusTotal • Gmail API • Discord

Academic Project - Bachelor’s Networks & Telecommunications (Cybersecurity) | 2025

🚀 TL;DR: Automated SOC workflow reducing phishing analysis from 30min to <2min using TheHive, Cortex, n8n orchestration, and local AI. Full technical implementation with enterprise-grade tools and parallel processing architecture.

🎯 Project Overview

Team: Matthieu PIGNOLET, Farhan DITTOO, Neil MAHADALI, Jacob DUFOSSÉ
Duration: 3 weeks intensive project
Context: Advanced Cybersecurity module (R6.CYBER 04)

Phishing attacks represent one of the most common cybersecurity threats, exploiting social engineering to deceive users and steal sensitive information. Manual email analysis consumes valuable SOC analyst time and introduces human error into critical security decisions.

Our mission was to design and implement a professional-grade automated incident response workflow that transforms manual phishing detection into an intelligent, scalable, and efficient process using industry-standard security orchestration tools.

🚀 Business Challenge & Innovation

The SOC Analyst Bottleneck

Security Operations Centers face a critical challenge: analysts spend hours manually investigating suspicious emails, analyzing attachments, and documenting incidents. This manual approach limits response speed and reduces the number of threats that can be processed daily.

Traditional Process Limitations:

• 30+ minutes per email investigation
• Inconsistent analysis quality due to fatigue
• Limited scalability during attack campaigns
• Manual documentation prone to errors

Our Automated Solution

We developed an intelligent security orchestration system that reduces response time from 30+ minutes to under 2 minutes while providing more comprehensive analysis than manual investigation. The system combines:

• Parallel Analysis: Simultaneous examination of email content and attachments
• AI-Powered Detection: Advanced social engineering pattern recognition
• Automated Documentation: Complete incident trails in TheHive
• Real-time Response: Immediate containment and notification

🏗️ Technical Architecture Overview

Our solution operates as an intelligent security orchestration platform where specialized tools work together to provide comprehensive threat analysis. The architecture follows enterprise SOC best practices while leveraging cutting-edge AI capabilities.

Core Technology Integration

📸 INSERT: High-level architecture diagram showing tool integration

• TheHive - Central incident management and case tracking
• Cortex - Automated threat intelligence and IOC analysis
• n8n - Workflow orchestration and system integration (deployed locally)
• VirusTotal - Malware detection for attachments
• DeepSeek LLM - Local AI for social engineering detection
• Gmail API - Email source integration
• Discord - Real-time SOC team notifications

Architecture Philosophy

The system treats each security tool as a specialized analyst with specific expertise:

• n8n acts as the case coordinator, managing information flow
• Cortex serves as the malware specialist for attachment analysis
• DeepSeek LLM functions as the social engineering expert
• TheHive provides case management and audit trails
• Discord ensures immediate team communication

📸 INSERT: Component interaction diagram

🔧 Infrastructure Setup & Deployment

System Requirements

Hardware Specifications:

• Memory: Minimum 16GB RAM per machine for optimal performance
• Storage: Significant space for Elasticsearch and Cassandra databases
• CPU: Multi-core processors for parallel analysis workloads

Software Stack:

• Operating System: Debian 11
• Container Platform: Docker for n8n deployment
• Database Systems: Elasticsearch, Cassandra, MariaDB

TheHive Installation & Configuration

📸 INSERT: TheHive installation terminal output

# Automated installation script
sudo apt update && sudo apt upgrade -y
wget -q -O /tmp/install.sh https://archives.strangebee.com/scripts/install.sh
sudo -v ; bash /tmp/install.sh

# Permission configuration
sudo chown -R thehive:thehive /etc/thehive

# Service management
sudo systemctl start thehive
sudo systemctl enable thehive
sudo systemctl status thehive

📸 INSERT: TheHive web interface login screen

Initial Configuration:

• Default credentials: admin@thehive.local / secret
• Multi-user setup required for full functionality
• Integration with Cortex for analysis capabilities

Cortex Deployment

📸 INSERT: Cortex installation and status verification

Cortex serves as our analysis engine, providing automated threat intelligence through various analyzers including VirusTotal integration.

Key Configuration Steps:

• Service deployment and verification
• VirusTotal API key integration
• Analyzer configuration and testing
• Connection establishment with TheHive

📸 INSERT: Cortex web interface with analyzer configuration

Critical Integration Requirements

Important Discovery: Standard admin accounts lack certain operational privileges. Additional user accounts with specific roles (analyst, organization) must be created to unlock full functionality including case creation and analyzer management.

📸 INSERT: User creation interface in both TheHive and Cortex

🔗 N8N Workflow Orchestration Engine

N8N: The Heart of Our Automation

N8N serves as our intelligent workflow orchestrator, transforming complex security processes into visual, manageable automation flows. Unlike traditional scripting approaches, n8n provides an intuitive interface for designing sophisticated security workflows.

N8N Installation & Setup

📸 INSERT: N8N Docker installation terminal

# Docker deployment for local n8n instance
docker volume create n8n_data
docker run -it --rm --name n8n -p 5678:5678 -v n8n_data:/home/node/.n8n docker.n8n.io/n8nio/n8n

📸 INSERT: N8N welcome interface showing intuitive design

Visual Workflow Design Philosophy

N8N transforms security automation from code to visual logic, enabling:

• Drag-and-drop workflow creation
• Real-time data visualization between components
• Dynamic data mapping from previous workflow steps
• Visual debugging and testing capabilities

📸 INSERT: N8N workflow editor showing visual node connections

Dynamic Data Flow Management

One of n8n’s most powerful features is its ability to dynamically pass data between workflow components. Each module automatically exposes its output data for use in subsequent steps.

📸 INSERT: N8N data schema view showing available email fields

Data Format Options:

• Table View: Structured data presentation
• Schema View: Field structure and types
• JSON View: Raw data format for advanced manipulation

📸 INSERT: N8N module configuration showing dynamic field mapping

Module Configuration Examples

Gmail Trigger Configuration:

• Event: Message Received
• Polling: Every minute for real-time detection
• Filters: Configurable email criteria
• Output: Complete email structure with headers, body, and attachments

📸 INSERT: Gmail trigger configuration interface

LLM AI Analysis Module: The system dynamically constructs analysis prompts using email data:

Input Template:
de: {{ $json.from.value[0].address }}
vers: {{ $json.to.value[0].address }}
objet: {{ $json.subject }}
{{ $('Gmail Trigger').item.json.text.slice(0,10000) }}

📸 INSERT: LLM module configuration with dynamic field mapping

Cortex Integration Module:

• Analyzer Selection: VirusTotal for attachment scanning
• Dynamic File Input: Automatic attachment processing
• Result Processing: Threat score aggregation

📸 INSERT: Cortex module configuration interface

🔄 Complete Workflow Implementation

Workflow Architecture Overview

Our complete workflow implements a parallel processing architecture that simultaneously analyzes different aspects of incoming emails while maintaining efficient resource utilization.

📸 INSERT: Complete n8n workflow diagram showing all connected components

Phase 1: Initial Processing & Data Separation

📸 INSERT: Initial processing section of workflow

Gmail Trigger → Content Analysis → Data Separation

The workflow begins with email detection and immediately separates content types for specialized analysis:

Email Reception:

• Real-time monitoring via Gmail API
• Complete message structure capture
• Metadata extraction and formatting

Content Filtering Script:

let results = [];
let extensions = [
  "exe", "zip", "pdf", "doc", "docx",
  null, undefined
];

for (item of items) {
  for (key of Object.keys(item.binary || [])) {
    if (!extensions.includes(item.binary[key].fileExtension)) {
      results.push({
        json: {},
        binary: { data: item.binary[key] }
      });
    }
  }
}

📸 INSERT: Data filtering script configuration in n8n

Phase 2: Parallel Analysis Branches

📸 INSERT: Parallel processing branches diagram

Branch A: Attachment Analysis via Cortex

📸 INSERT: Cortex analysis branch workflow

Process Flow:

1. Attachment Extraction: Binary file separation from email
2. Cortex Analysis: VirusTotal integration for malware detection
3. Wait & Result Collection: Automated status monitoring
4. Data Aggregation: Threat score compilation

Technical Implementation:

• Analyzer: VirusTotal_Scan_3_1
• TLP: Amber (Traffic Light Protocol)
• Result Processing: Automated verdict extraction

Branch B: Content Analysis via LLM

📸 INSERT: LLM analysis branch workflow

AI-Powered Social Engineering Detection: The DeepSeek LLM analyzes email content for psychological manipulation tactics:

Analysis Capabilities:

• Urgency Detection: False deadline pressure
• Authority Impersonation: Fake sender credentials
• Trust Exploitation: Relationship-based manipulation
• Fear Appeals: Threat-based coercion

📸 INSERT: LLM analysis output showing detailed reasoning

Phase 3: Decision Engine & Result Aggregation

📸 INSERT: Decision engine workflow section

Intelligence Fusion Process: The system combines results from both analysis branches to make informed decisions:

Decision Matrix:

• All Clear: No threats detected from any source
• Suspicious: Single-source detection requiring human review
• Confirmed Threat: Multi-source confirmation triggering automated response

📸 INSERT: Merge and conditional logic nodes in n8n

Phase 4: Automated Response Actions

📸 INSERT: Action execution workflow section

When threats are confirmed, the system executes multiple parallel response actions:

TheHive Case Creation

📸 INSERT: TheHive module configuration showing dynamic case creation

Automated Case Population:

• Title: email frauduleux id : {{ $('Gmail').item.json.id }}
• Description: Complete LLM analysis results
• Severity: Medium (configurable based on threat type)
• Start Date: {{ $('Gmail').item.json.headers.date }}
• TLP: Amber (Traffic Light Protocol)

Discord Alert System

📸 INSERT: Discord notification configuration

Real-time Team Notification:

• Channel: SOC team channel
• Message Format: Structured alert with analysis summary
• Priority Indicators: Visual emphasis for urgent threats

Email Quarantine

📸 INSERT: Gmail quarantine action configuration

Automatic Email Management:

• Action: Add SPAM label
• Message ID: Dynamic reference from trigger
• Audit Trail: Complete action logging

📊 System Validation & Testing

Proof of Concept Testing

📸 INSERT: Test phishing email screenshot

Test Scenario: Simulated phishing email with urgency tactics

• Subject: “Urgent: Vérifiez votre compte bancaire maintenant!”
• Content: Suspicious verification request with malicious link
• Sender: Spoofed banking institution

Detection Results

📸 INSERT: LLM analysis results showing phishing detection

AI Analysis Output: The DeepSeek LLM successfully identified multiple phishing indicators:

• Urgency Manipulation: False deadline pressure
• Authority Impersonation: Fake banking credentials
• Suspicious Links: URL analysis revealing threats
• Social Engineering: Psychological manipulation tactics

📸 INSERT: System response showing “yes” verdict for phishing detection

Automated Response Validation

TheHive Case Creation

📸 INSERT: TheHive cases list showing automatically created case

Case Details:

• Title: “email frauduleux” (automatically generated)
• Status: New and assigned
• Timeline: Complete audit trail from detection to resolution

📸 INSERT: Detailed case view in TheHive with LLM analysis

Case Information:

• Description: Complete AI reasoning and analysis
• Metadata: Email headers, timestamps, and source information
• Timeline: Automated case creation and status updates

Discord Integration

📸 INSERT: Discord notification showing automated alert

Real-time Alert:

ALERT! spam détecté vers: To: Matthieu PIGNOLET <m.pignolet@rt-iut.re> 
de: j.dufosse@rt-iut.re analyse: yes

Email Quarantine

📸 INSERT: Gmail interface showing email moved to spam

Quarantine Action:

• Label Applied: SPAM
• Email Status: Automatically quarantined
• User Impact: Threat removed from inbox

🔬 Technical Innovation & Advanced Features

AI-Powered Social Engineering Detection

Our implementation of local DeepSeek LLM provides sophisticated content analysis that traditional rule-based systems cannot achieve:

Advanced Detection Capabilities:

• Contextual Understanding: Full email context analysis
• Psychological Pattern Recognition: Manipulation tactic identification
• Linguistic Analysis: Suspicious language pattern detection
• Cultural Adaptation: Region-specific social engineering awareness

Privacy-First Architecture:

• Local Processing: No external data transmission
• Compliance Ready: GDPR and privacy regulation adherent
• Audit Trail: Complete analysis reasoning documentation

Parallel Processing Architecture

Unlike sequential security analysis, our system leverages parallel processing to:

• Reduce Analysis Time: Simultaneous attachment and content analysis
• Improve Accuracy: Multi-source threat confirmation
• Enhance Scalability: Efficient resource utilization
• Maintain Performance: Consistent response times under load

Dynamic Workflow Adaptation

The n8n orchestration platform enables:

• Visual Workflow Modification: Non-technical security team adaptation
• Real-time Debugging: Live workflow monitoring and testing
• Modular Enhancement: Easy integration of additional security tools
• Custom Logic Implementation: Organization-specific detection rules

📈 Performance Metrics & Impact

Quantifiable Improvements

Response Time Reduction:

• Before: 30+ minutes manual analysis
• After: <2 minutes automated analysis
• Improvement: 94% time reduction

Analysis Consistency:

• Manual Process: Variable quality due to human factors
• Automated Process: Consistent, comprehensive analysis
• False Positive Management: Multi-source verification reduces errors

Documentation Quality:

• Manual Documentation: Inconsistent, time-consuming
• Automated Documentation: Complete, structured, audit-ready
• Audit Trail: Comprehensive incident lifecycle tracking

Scalability Demonstration

Volume Handling:

• Current Capacity: Multiple simultaneous email analysis
• Resource Efficiency: Optimized CPU and memory utilization
• Growth Potential: Horizontal scaling capabilities

🚀 Technical Challenges & Solutions

Infrastructure Complexity

Challenge: Resource-intensive deployment requiring 16GB RAM Solution: Optimized service configuration and efficient resource allocation

Challenge: Complex tool integration and authentication management Solution: Systematic user role management and API key configuration

System Integration

Challenge: Data format compatibility between different security tools Solution: Dynamic data mapping in n8n with flexible JSON processing

Challenge: Real-time workflow monitoring and error handling Solution: Comprehensive logging and visual workflow debugging

AI Integration

Challenge: Local LLM deployment and performance optimization Solution: Efficient prompt engineering and response processing

Challenge: Balancing analysis depth with response speed Solution: Parallel processing architecture and optimized analysis workflows

🔮 Future Enhancement Roadmap

Phase 2: Advanced Threat Intelligence

Extended Cortex Integration:

• URLhaus Analyzer: Malicious URL detection
• PhishTank Integration: Phishing URL verification
• Hybrid Analysis: Dynamic malware analysis
• Custom IOC Development: Organization-specific indicators

MISP Integration:

• Threat Intelligence Sharing: Industry collaboration
• IOC Enrichment: Automated indicator enhancement
• Campaign Tracking: Advanced persistent threat monitoring

Phase 3: Enterprise Scaling

SIEM Integration:

• Log Correlation: Advanced analytics and pattern recognition
• Automated Playbooks: Extended incident response automation
• Compliance Reporting: Regulatory requirement automation

Machine Learning Enhancement:

• Custom Model Training: Organization-specific detection patterns
• Behavioral Analysis: User and attacker behavior profiling
• Predictive Analytics: Threat forecasting and prevention

Phase 4: Advanced Automation

Complete Incident Lifecycle:

• Investigation Automation: Advanced forensic analysis
• Containment Actions: Automated threat isolation
• Recovery Procedures: System restoration workflows
• Lessons Learned: Automated improvement recommendations

🎓 Skills Demonstrated & Professional Value

Technical Competencies Developed

Security Orchestration & Automation (SOAR):

• Professional-grade workflow design and implementation
• Multi-tool integration and data flow management
• Real-time incident response automation

AI/ML Integration in Cybersecurity:

• Local language model deployment and optimization
• Advanced prompt engineering for security applications
• Privacy-preserving AI architecture design

Enterprise Security Tool Mastery:

• TheHive incident management platform
• Cortex threat intelligence and analysis engine
• Industry-standard API integration and management

Professional Impact & Career Readiness

Industry-Standard Skills:

• Hands-on experience with tools used by Fortune 500 SOC teams
• Understanding of enterprise security operations workflows
• Practical knowledge of incident response methodologies

Innovation & Adaptation:

• Creative problem-solving using cutting-edge technologies
• Integration of traditional security tools with modern AI capabilities
• Development of scalable, maintainable security automation

Project Leadership & Collaboration:

• Complex technical project management
• Team coordination on multi-faceted security implementation
• Technical documentation and knowledge transfer

📎 Resources & Documentation

📄 Download Complete Project Report (PDF)

🔗 Technologies Used:

• TheHive - Incident response platform
• Cortex - Observable analysis engine
• n8n - Workflow automation platform
• VirusTotal - Malware analysis service
• DeepSeek LLM - Local AI language model

Technical Implementation:

• Complete n8n workflow configurations
• TheHive case templates and automation rules
• Cortex analyzer configurations and custom scripts
• Integration documentation and troubleshooting guides

This project demonstrates the practical integration of modern AI capabilities with traditional security tools to create enterprise-grade automated incident response solutions. The skills and experience gained are directly applicable to SOC analyst, security engineer, and incident response specialist roles in organizations worldwide.