{"id":"FOKoHtdHL2JKFwpH","meta":{"instanceId":"afe2b8648fee0c23760b8fce92c71dc65d1dd8bea264642e620dc8c34f1224d7","templateCredsSetupCompleted":true},"name":"CYBERPULSEBlueOps_Module1 client copy1","tags":[{"id":"0obxZlT9bSaIMBpV","name":"Threat Intake","createdAt":"2025-05-23T06:15:09.978Z","updatedAt":"2025-05-23T06:15:09.978Z"},{"id":"2rUQt7xpJikyzCUP","name":"(ACSC E8 + ISM-Aligned)","createdAt":"2025-06-04T06:23:02.488Z","updatedAt":"2025-06-04T06:23:02.488Z"}],"nodes":[{"id":"b9325536-f714-437d-8dc3-2dfbfd6d58a7","name":"⏰ Cron – Daily Trigger","type":"n8n-nodes-base.scheduleTrigger","position":[-220,-560],"parameters":{"rule":{"interval":[{"field":"cronExpression","expression":"0 0 7 * * *"}]}},"typeVersion":1.2},{"id":"c9f242d6-6d9c-4a27-8a43-b678c4b3dbeb","name":"🌐 Get CVE Feed","type":"n8n-nodes-base.httpRequest","position":[20,-640],"parameters":{"url":"https://gist.githubusercontent.com/gitadta/bdcb18b2450c5561a4b69ae9327383a8/raw/d9637907229a0a7e2bd6f5a5b6b2f04e6248aac1/cve-2023-26479.json","options":{"response":{"response":{"responseFormat":"json"}}}},"typeVersion":4.2},{"id":"e1f9ea1c-e934-4ecd-957d-8c7e5f8c1452","name":"🛡️ Get IOC Feed","type":"n8n-nodes-base.httpRequest","position":[20,-480],"parameters":{"url":"=https://gist.githubusercontent.com/gitadta/fddb9eb942cd3494c2e187117976d430/raw/1873c10c1a375c94b8afe3eed2772045c0a66568/ioc-feed.json","options":{"response":{"response":{"responseFormat":"json"}}}},"typeVersion":4.2},{"id":"080ac947-b10c-4492-8f55-79e27b9982c0","name":"🧠 Merge Threat Data","type":"n8n-nodes-base.merge","position":[220,-560],"parameters":{},"typeVersion":3.1},{"id":"80c5acb7-743a-44d7-8482-a5d429a973bd","name":"🧠Combine Threat Data","type":"n8n-nodes-base.code","position":[220,-360],"parameters":{"jsCode":"const cve = items[0].json;\nconst iocs = items[1].json.iocs || [];\n\nreturn [\n  {\n    json: {\n      cve,\n      iocs\n    }\n  }\n];"},"typeVersion":2},{"id":"68ccba75-0a92-4cd1-8306-24daafe59333","name":"🧠 AI – Risk Evaluation","type":"n8n-nodes-base.code","position":[220,-180],"parameters":{"jsCode":"const data = $input.all();\nreturn data.map((item, i) => {\n  const baseScore = item.json.cve?.impact?.baseMetricV3?.cvssV3?.baseScore || 0;\n  const aiRisk = [6.5, 9.1][i] || 5;\n  const path = [\"self-healing\", \"expert-review\", \"monitoring\"][i % 3];\n  const lev = [0.93, 0.72][i] || 0.45;\n\n  return {\n    json: {\n      ...item.json,\n      aiRisk,\n      path,\n      lev\n    }\n  };\n});"},"typeVersion":2},{"id":"9f74ff1c-57ae-48ae-989d-b27b64895c53","name":"🧠 AI – Triage Vulnerabilities","type":"n8n-nodes-base.code","position":[220,0],"parameters":{"jsCode":"const triage = {\n  self: [],\n  expert: [],\n  monitor: [],\n};\n\nconst assessed = $input.all();\n\nfor (const item of assessed) {\n  const v = item.json;\n  const levScore = v.lev || 0; // fallback if missing\n\n  if (levScore > 0.9) {\n    triage.expert.push({ ...v, levScore, levLabel: \"Critical\" });\n  } else if (levScore > 0.5) {\n    triage.self.push({ ...v, levScore, levLabel: \"High\" });\n  } else {\n    triage.monitor.push({ ...v, levScore, levLabel: \"Low\" });\n  }\n}\n\nreturn [{ json: triage }];"},"typeVersion":2},{"id":"3cbac00e-3bf1-4f68-99e2-e2027d3d2648","name":"🚨 ALERT – LEV Trigger","type":"n8n-nodes-base.if","position":[220,200],"parameters":{"options":{},"conditions":{"options":{"version":2,"leftValue":"","caseSensitive":true,"typeValidation":"loose"},"combinator":"and","conditions":[{"id":"f170e1cc-2692-4fcc-8def-6b1e5f01af84","operator":{"name":"filter.operator.equals","type":"string","operation":"equals"},"leftValue":"={{ $json.expert && $json.expert.length > 0 }}","rightValue":"=true"}]},"looseTypeValidation":true},"typeVersion":2.2},{"id":"2341d7f3-4f5e-4bf0-8b96-fb64c4d46344","name":"📧 Send Alert Email","type":"n8n-nodes-base.emailSend","position":[420,140],"webhookId":"48963cc6-c85f-4946-92bd-2c91a1a255ef","parameters":{"html":"=<h2>🚨 Critical Alert</h2>\n<p>The following high-risk CVEs were identified:</p>\n<pre>{{ JSON.stringify($json.expert, null, 2) }}</pre>\n","options":{},"subject":"🚨 CyberPulse Alert – Critical Vulnerabilities Detected","toEmail":"security-team@example.com","fromEmail":"security-team@example.com"},"credentials":{"smtp":{"id":"RM0pJJ95IhrbFLCv","name":"SMTP account"}},"typeVersion":2.1},{"id":"bead2d6d-aeec-49a3-99b0-6550976cfa91","name":"Google Sheets","type":"n8n-nodes-base.googleSheets","position":[420,300],"parameters":{"columns":{"value":{"IOCs":"={{ JSON.stringify($(\"🚨 ALERT – LEV Trigger\").item.json.expert[0].iocs) }}","Score":"={{ $json.expert[0].cve.cve.impact.baseMetricV3.cvssV3.baseScore }}","CVE_ID":"={{ $(\"🚨 ALERT – LEV Trigger\").item.json.expert[0].cve.cve.CVE_data_meta.ID }}","Severity":"={{ $json.expert[0].cve.cve.impact.baseMetricV3.cvssV3.baseSeverity }}","LEV_label":"={{ $json.expert[0].levLabel }}","LEV_score":"={{ $json.expert[0].levScore }}","timestamp":"={{ new Date().toISOString() }}","aiRisk_score":"={{ $json.expert[0].aiRisk }}","compliance_tags":"\"{{ 'ISM-0412, E8-6' }}\"","response_action":"={{ $json.expert[0].levLabel.toLowerCase() }}"},"schema":[{"id":"timestamp","type":"string","display":true,"removed":false,"required":false,"displayName":"timestamp","defaultMatch":false,"canBeUsedToMatch":true},{"id":"CVE_ID","type":"string","display":true,"removed":false,"required":false,"displayName":"CVE_ID","defaultMatch":false,"canBeUsedToMatch":true},{"id":"Severity","type":"string","display":true,"removed":false,"required":false,"displayName":"Severity","defaultMatch":false,"canBeUsedToMatch":true},{"id":"Score","type":"string","display":true,"removed":false,"required":false,"displayName":"Score","defaultMatch":false,"canBeUsedToMatch":true},{"id":"IOCs","type":"string","display":true,"removed":false,"required":false,"displayName":"IOCs","defaultMatch":false,"canBeUsedToMatch":true},{"id":"aiRisk_score","type":"string","display":true,"removed":false,"required":false,"displayName":"aiRisk_score","defaultMatch":false,"canBeUsedToMatch":true},{"id":"LEV_score","type":"string","display":true,"removed":false,"required":false,"displayName":"LEV_score","defaultMatch":false,"canBeUsedToMatch":true},{"id":"LEV_label","type":"string","display":true,"removed":false,"required":false,"displayName":"LEV_label","defaultMatch":false,"canBeUsedToMatch":true},{"id":"response_action","type":"string","display":true,"removed":false,"required":false,"displayName":"response_action","defaultMatch":false,"canBeUsedToMatch":true},{"id":"compliance_tags","type":"string","display":true,"removed":false,"required":false,"displayName":"compliance_tags","defaultMatch":false,"canBeUsedToMatch":true}],"mappingMode":"defineBelow","matchingColumns":[],"attemptToConvertTypes":false,"convertFieldsToString":false},"options":{},"operation":"append","sheetName":{"__rl":true,"mode":"list","value":"gid=0","cachedResultUrl":"https://docs.google.com/spreadsheets/d/1LeES3AaZG1AZHFd4g2FMgZx790AP_9Qd1OsIE774R-M/edit#gid=0","cachedResultName":"Sheet1"},"documentId":{"__rl":true,"mode":"id","value":"={{ $env.SHEET_ID }}"}},"credentials":{"googleSheetsOAuth2Api":{"id":"sJHywbRNYHkS71FB","name":"Google Sheets account"}},"typeVersion":4.5},{"id":"6be8438a-956d-4ac6-94e5-dc22cebaa178","name":"🧠 AI – Incident Playbook Selector","type":"n8n-nodes-base.code","position":[660,-180],"parameters":{"jsCode":"const threat = $json;\nconst score = threat.Score || 0;\nconst severity = (threat.Severity || \"\").toUpperCase();\n\nlet playbook = \"notify\"; // Default response\n\nif (score >= 9 || severity === \"CRITICAL\") {\n  playbook = \"isolation\";\n} else if (score >= 6 || severity === \"HIGH\") {\n  playbook = \"monitor\";\n}\n\nreturn [\n  {\n    json: {\n      ...threat,\n      response: {\n        playbook: playbook,\n        decisionReason: `Based on CVSS ${score} and severity ${severity}`\n      }\n    }\n  }\n];\n"},"typeVersion":2},{"id":"2aa9749e-cf1d-49ee-8a82-b75a6a62d1af","name":"Code","type":"n8n-nodes-base.code","position":[840,-180],"parameters":{"jsCode":"const threat = $json;\nconst score = threat.Score || 0;\nconst severity = (threat.Severity || \"\").toUpperCase();\n\nlet playbook = \"notify\"; // Default fallback\n\nif (score >= 9 || severity === \"CRITICAL\") {\n  playbook = \"isolation\";\n} else if (score >= 6 || severity === \"HIGH\") {\n  playbook = \"monitor\";\n}\n\nreturn [\n  {\n    json: {\n      ...threat,\n      response: {\n        playbook,\n        decisionReason: `Based on CVSS ${score} and severity ${severity}`\n      }\n    }\n  }\n];"},"typeVersion":2},{"id":"6dd8f1cf-4459-4496-b547-205da0aa2ab7","name":"🧭 Response Router","type":"n8n-nodes-base.switch","position":[1020,-180],"parameters":{"rules":{"values":[{"outputKey":"notify","conditions":{"options":{"version":2,"leftValue":"","caseSensitive":false,"typeValidation":"strict"},"combinator":"and","conditions":[{"id":"04b84cf7-971d-4f6e-a4c3-4609afd67140","operator":{"type":"string","operation":"equals"},"leftValue":"={{ $json.response.playbook }}","rightValue":"notify"}]},"renameOutput":true},{"outputKey":"monitor","conditions":{"options":{"version":2,"leftValue":"","caseSensitive":false,"typeValidation":"strict"},"combinator":"and","conditions":[{"id":"402dbac5-1a9e-4862-a281-7dfd42cf2729","operator":{"name":"filter.operator.equals","type":"string","operation":"equals"},"leftValue":"={{ $json.response.playbook }}","rightValue":" monitor"}]},"renameOutput":true},{"outputKey":"islolation","conditions":{"options":{"version":2,"leftValue":"","caseSensitive":false,"typeValidation":"strict"},"combinator":"and","conditions":[{"id":"b0100303-40c4-409e-8f95-b9cab699eedd","operator":{"name":"filter.operator.equals","type":"string","operation":"equals"},"leftValue":"={{ $json.response.playbook }}","rightValue":"isolation"}]},"renameOutput":true}]},"options":{"ignoreCase":true}},"typeVersion":3.2},{"id":"4123923e-bbbd-4234-8769-43dcd65cf9c8","name":"Send Alert Email","type":"n8n-nodes-base.emailSend","position":[1340,-360],"webhookId":"decb9f47-14ee-49f7-9317-2d52a39f97bd","parameters":{"html":"=<!DOCTYPE html>\n<html>\n<head>\n  <style>\n    body {\n      font-family: Arial, sans-serif;\n      color: #333;\n    }\n    h2 {\n      color: #b30000;\n    }\n    .section {\n      margin-bottom: 20px;\n    }\n    .section-critical {\n      background-color: #ffe5e5;\n      padding: 15px;\n      border-left: 5px solid #cc0000;\n    }\n    .section-iocs {\n      border: 1px solid #ccc;\n      border-radius: 5px;\n      padding: 10px;\n    }\n    .section-high {\n      background-color: #fff3e0;\n      padding: 15px;\n      border-left: 5px solid #ff9800;\n    }\n    .next-steps {\n      background-color: #e8f5e9;\n      padding: 15px;\n      border-left: 5px solid #4caf50;\n    }\n    table {\n      width: 100%;\n      border-collapse: collapse;\n      margin-top: 10px;\n    }\n    th, td {\n      padding: 8px;\n      border: 1px solid #999;\n      text-align: left;\n    }\n    .comment {\n      font-style: italic;\n      font-size: 0.95em;\n      color: #555;\n      margin-top: 10px;\n    }\n  </style>\n</head>\n<body>\n\n<h2>🚨 Critical Alert – {{ $json.cve.cve.CVE_data_meta.ID }}</h2>\n\n<div class=\"section section-critical\">\n  <p><b>📰 Summary:</b> {{ $json.cve.description.description_data[0].value }}</p>\n  <p><b>📉 Severity:</b> \n    <span style=\"color: \n      {{ $json.cve.impact.baseMetricV3.cvssV3.baseSeverity === 'CRITICAL' ? 'red' : \n         $json.cve.impact.baseMetricV3.cvssV3.baseSeverity === 'HIGH' ? 'orange' : \n         'black' }}\">\n      {{ $json.cve.impact.baseMetricV3.cvssV3.baseSeverity }}\n    </span>\n  </p>\n  <p><b>📊 CVSS Score:</b> {{ $json.cve.impact.baseMetricV3.cvssV3.baseScore }}</p>\n</div>\n\n<div class=\"section section-iocs\">\n  <b>📌 Indicators of Compromise (IOCs)</b>\n  <table>\n    <tr><th>Type</th><th>Value</th></tr>\n    {{ $json.iocs.map(ioc => `<tr><td>${ioc.type}</td><td>${ioc.value}</td></tr>`).join('') }}\n  </table>\n</div>\n\n<div class=\"section section-high\">\n  <b>🧠 AI Risk Evaluation</b>\n  <ul>\n    <li><b>aiRisk Score:</b> {{ $json.aiRisk }}</li>\n    <li><b>LEV Score:</b> {{ $json.lev }}</li>\n    <li><b>LEV Label:</b> {{ $json.levLabel }}</li>\n    <li><b>Response Assigned:</b> \n      <span style=\"color: darkred;\">{{ $json.response.playbook }}</span>\n    </li>\n  </ul>\n  <div class=\"comment\">\n    💬 Based on AI analysis, this CVE meets critical exploitability thresholds with confirmed indicators in your threat environment. Immediate action is advised.\n  </div>\n</div>\n\n<div class=\"section next-steps\">\n  <b>✅ Next Steps:</b>\n  <ol>\n    <li>Isolate affected endpoints immediately</li>\n    <li>Apply latest patches for {{ $json.cve.cve.CVE_data_meta.ID }}</li>\n    <li>Update threat database and notify internal stakeholders</li>\n  </ol>\n</div>\n\n</body>\n</html>\n<p style=\"font-size: 11px; color: #888;\">\n  <hr style=\"border: none; border-top: 1px solid #ddd; margin: 24px 0;\">\n\n<p style=\"font-size: 11px; color: #888; line-height: 1.5;\">\n  🔒 Aligned with <strong>ACSC Essential Eight</strong> & <strong>ISM 2024</strong> (Australia), and structured using the <strong>NIST Cybersecurity Framework</strong> and <strong>ISO/IEC 27001</strong> principles.<br>\n  Designed for SMEs and security teams worldwide.\n</p>\n\n<p style=\"font-size: 10px; color: #aaa;\">\n  This alert was automatically generated by <strong>CYBERPULSEBlueOps</strong> using n8n.\n</p>\n","options":{},"subject":"=🚨 Cyber Alert: {{ $json.response.playbook.toUpperCase() }} Required","toEmail":"security-team@example.com","fromEmail":"security-team@example.com"},"credentials":{"smtp":{"id":"RM0pJJ95IhrbFLCv","name":"SMTP account"}},"typeVersion":2.1},{"id":"d76f1894-ae5c-4c22-b326-7daec1cdf359","name":"Log to Google Sheet","type":"n8n-nodes-base.googleSheets","position":[1340,-180],"parameters":{"operation":"append","sheetName":{"__rl":true,"mode":"list","value":"","cachedResultUrl":"","cachedResultName":""},"documentId":{"__rl":true,"mode":"id","value":"={{ $env.SHEET_ID }}"}},"credentials":{"googleSheetsOAuth2Api":{"id":"sJHywbRNYHkS71FB","name":"Google Sheets account"}},"typeVersion":4.5},{"id":"9d9a56b4-13fd-40f8-a29a-4d3a3febfc19","name":"HTTP Request","type":"n8n-nodes-base.httpRequest","position":[1340,0],"parameters":{"url":"https://edr-api.example.com/isolate","method":"POST","options":{},"jsonBody":"={\n  \"device_ip\": \"{{ $json.iocs[0].value }}\",\n  \"cve_id\": \"{{ $json.cve.cve.CVE_data_meta.ID }}\",\n  \"severity\": \"{{ $json.cve.cve.impact.baseMetricV3.cvssV3.baseSeverity }}\"\n}\n","sendBody":true,"sendHeaders":true,"specifyBody":"json","headerParameters":{"parameters":[{"name":"Authorization"},{"name":"Content-Type","value":"application/json"}]}},"typeVersion":4.2},{"id":"d5376f73-da94-4a39-9129-7f94c9b6d86c","name":"Split Out","type":"n8n-nodes-base.splitOut","position":[500,-180],"parameters":{"include":"allOtherFields","options":{},"fieldToSplitOut":"iocs"},"typeVersion":1},{"id":"da91b5b0-a2ff-4d91-9837-eafdb1aa7ed4","name":"Sticky Note","type":"n8n-nodes-base.stickyNote","position":[1600,-380],"parameters":{"color":7,"width":560,"height":1160,"content":"\n🛡️ CYBERPULSEBlueOps – Module 1: Threat Feed Ingestion\n\nVersion: 1.0\nLast Updated: 2025-06-04\nAuthor: Adnan Tariq\nStatus: ✅ Production-Ready\n\n🔍 Purpose\n\nAutomates daily ingestion of CVE and IOC threat feeds, enriches and evaluates risks using AI-based triage, and routes alerts to notification, isolation, or monitoring actions. Structured to align with compliance frameworks and operational defense workflows.\n\n🔗 Data Sources\n\nCVE Feed: GitHub Gist (cve_data)\n\nIOC Feed: GitHub Gist (ioc_data)\n\nIngest frequency: Daily via Cron Trigger\n\n🧠 Key Components\n\nAI – Risk Evaluation for aiRisk scoring\n\nAI – Triage Vulnerabilities for LEV scoring & labels\n\n📘 Response Router assigns notify, monitor, or isolate\n\nLogs exported to Google Sheets with:\n\nCVE_ID, Severity, Score, IOCs\n\naiRisk_score, LEV_score, LEV_label, response_action\n\nCompliance tags: ISM-0412, E8-6\n\n✅ Compliance Alignment\n\n ACSC Essential Eight (Australia)\n\n ISM 2024 Logging Guidelines\n\n NIST Cybersecurity Framework\n\n ISO/IEC 27001 Control Mapping\n\n✉️ Output\n\nHTML emails with risk-based alert summaries\n\nGoogle Sheets row logs\n\n(Optional) HTTP isolation request via EDR API\n\n⚠️ Do not modify node structure without understanding data propagation and rule routing. All logic assumes LEV triage is the decision root."},"typeVersion":1},{"id":"1bae77e9-6f51-4a51-85d6-051ad1198030","name":"Sticky Note1","type":"n8n-nodes-base.stickyNote","position":[2180,-380],"parameters":{"color":7,"width":1080,"height":680,"content":"\n🧠 What is Module 1?\nModule 1 is like a security robot that wakes up every morning, reads danger news from the internet (called CVEs and IOCs), checks how risky it is, and then tells the grown-ups what to do.\n\n🧾 Why are there 2 Google Sheet blocks?\n1️⃣ First Google Sheet:\n➡️ It writes down big dangerous alerts that need attention (like “Critical Virus Found!”).\nThis is like a red alert notebook.\n\n2️⃣ Second Google Sheet:\n➡️ It writes down everything it finds, even small stuff, in a daily logbook.\nThis is the diary of what the robot saw today.\n\n✉️ Why are there 2 Email Alerts?\n1️⃣ First Email:\n📨 Sends a special alert when something very risky happens (like an emergency siren).\nExample: \"This computer might be in big trouble!\"\n\n2️⃣ Second Email:\n📨 Sends a daily summary email with a table.\nExample: “Today I saw: 1 Critical, 1 Medium, 1 Low.”\n\n🌐 Why is there 1 HTTP Request?\n🌍 This is the robot’s panic button.\nIf the robot says, “This is too dangerous,” it can call another robot (like an EDR system) to shut down or isolate the infected computer.\n\nBut this button is optional — like only calling the fire truck when needed.\n\n💡 In Short:\n🧾 Two sheets: one for alerts, one for daily diary\n\n✉️ Two emails: one for emergency, one for daily summary\n\n🌐 One optional panic button: for calling help if danger is too high"},"typeVersion":1},{"id":"0a7a9166-b06d-4a48-9420-70af07392046","name":"Sticky Note2","type":"n8n-nodes-base.stickyNote","position":[2180,320],"parameters":{"color":7,"width":580,"height":180,"content":"\n📘 Module 1 Glossary – What Each Term Means\n\n• **aiRisk** – AI-generated risk score (e.g. 6.5) based on CVE severity + behavior  \n• **LEV Score** – Local Exploitability score (e.g. 0.93) — how likely it affects *you*  \n• **LEV Label** – Text label from LEV score (e.g. `notify`, `monitor`, `isolate`)  \n• **response_action** – What the system decided to do (e.g. alert, log, isolate)  \n• **IOC** – Indicator of Compromise like a suspicious IP, domain, or file hash  \n• **CVE** – Known vulnerability from public sources (e.g. CVE-2023-26479)\n"},"typeVersion":1},{"id":"c3323b86-bb2b-4d62-9dcc-2509a1a6b893","name":"Sticky Note3","type":"n8n-nodes-base.stickyNote","position":[2180,520],"parameters":{"color":7,"width":580,"height":480,"content":"\n🛡️ Framework Integration Summary – Module 1\n\nACSC Essential Eight (Australia)\n✔ Implements daily threat monitoring and log collection, aligning with mitigation strategies like patching and application control.\n\nISM 2024 Logging Guidelines (Australia)\n✔ Logs high-risk CVEs, IOCs, and AI-evaluated actions to structured, queryable formats (Google Sheets, Emails).\n✔ Includes severity, timestamps, and response decisions — meets ISM log detail requirements.\n\nNIST Cybersecurity Framework (CSF) (US)\n✔ Aligns with:\n\nIdentify (tracking known CVEs),\n\nDetect (via AI risk analysis),\n\nRespond (action routing via LEV logic).\n\nISO/IEC 27001\n✔ Supports control A.12.4 (Event logging) and A.16 (Incident response) by providing automated alerts, logs, and response recommendations."},"typeVersion":1}],"active":false,"pinData":{},"settings":{"timezone":"Australia/Sydney","callerPolicy":"workflowsFromSameOwner","executionOrder":"v1"},"versionId":"b9d78a57-e42a-4b2a-92d4-30a29f06178a","connections":{"Code":{"main":[[{"node":"🧭 Response Router","type":"main","index":0}]]},"Split Out":{"main":[[{"node":"🧠 AI – Incident Playbook Selector","type":"main","index":0}]]},"Send Alert Email":{"main":[[]]},"🌐 Get CVE Feed":{"main":[[{"node":"🧠 Merge Threat Data","type":"main","index":0}]]},"🛡️ Get IOC Feed":{"main":[[{"node":"🧠 Merge Threat Data","type":"main","index":1}]]},"🧭 Response Router":{"main":[[{"node":"Send Alert Email","type":"main","index":0}],[{"node":"Log to Google Sheet","type":"main","index":0}],[{"node":"HTTP Request","type":"main","index":0}]]},"📧 Send Alert Email":{"main":[[]]},"🧠 Merge Threat Data":{"main":[[{"node":"🧠Combine Threat Data","type":"main","index":0}]]},"🧠Combine Threat Data":{"main":[[{"node":"🧠 AI – Risk Evaluation","type":"main","index":0}]]},"⏰ Cron – Daily Trigger":{"main":[[{"node":"🌐 Get CVE Feed","type":"main","index":0},{"node":"🛡️ Get IOC Feed","type":"main","index":0}]]},"🚨 ALERT – LEV Trigger":{"main":[[{"node":"📧 Send Alert Email","type":"main","index":0},{"node":"Google Sheets","type":"main","index":0}]]},"🧠 AI – Risk Evaluation":{"main":[[{"node":"🧠 AI – Triage Vulnerabilities","type":"main","index":0},{"node":"Split Out","type":"main","index":0}]]},"🧠 AI – Triage Vulnerabilities":{"main":[[{"node":"🚨 ALERT – LEV Trigger","type":"main","index":0}]]},"🧠 AI – Incident Playbook Selector":{"main":[[{"node":"Code","type":"main","index":0}]]}}}