Automate Email Threat Analysis with n8n and TheHive Cortex

This workflow automates the analysis of email attachments for cybersecurity threats using n8n, TheHive, and Cortex. It streamlines triage by turning each suspicious email into a TheHive case, running Cortex analyzers over the attachment, and recording the extracted observables (domains, IPs, email addresses) and their reputation results back on the case, replacing hours of manual copy-and-paste triage each day.
Workflow Identifier: 1595
NODES in Use: emailReadImap, theHive, cortex, if, wait


Opening Problem Statement

Meet Sarah, a cybersecurity analyst at a busy financial firm. Every day, Sarah receives hundreds of emails, many containing suspicious attachments she must analyze for potential threats. Manually downloading, inspecting, and entering data into multiple security tools not only consumes hours each day but also risks missing critical indicators lurking within emails. This tedious, error-prone process delays incident response and leaves the organization vulnerable.

Sarah’s situation is all too common in cybersecurity operations, where timely identification of Indicators of Compromise (IOCs) like suspicious domains, IPs, and email addresses is critical. However, the volume of data and complexity of investigation often overwhelm manual workflows, wasting time and risking errors.

What This Automation Does

This n8n workflow automates the lifecycle of an email-based threat investigation by integrating the TheHive and Cortex platforms. When a new email with an attachment arrives, the workflow:

  • Reads the email from an IMAP inbox.
  • Creates a TheHive alert from the email and attachment details and promotes it to a case.
  • Executes a Cortex analyzer on the attachment, which extracts observables (domains, IPs, email addresses).
  • Checks whether the analyzer report contains any observables and stops early if it does not.
  • Adds the extracted observables to the case, tagged by type and with reputation results.
  • Runs type-specific Cortex analyzers (domain, email, IP reputation) on each new observable.

By automating these steps, the workflow can save Sarah and her team multiple hours daily, reduce manual errors, and accelerate threat detection and response times significantly.

Prerequisites ⚙️

  • n8n account (cloud or self-hosted) 🔌
  • IMAP email account configured to receive suspicious emails 📧
  • TheHive account with API access and permissions to create cases and observables 🔑
  • Cortex account with analyzers configured and API access 🔑

Self-hosting n8n is optional, but it keeps the suspicious mail, its attachments and your TheHive/Cortex API keys inside an environment you control rather than a third-party cloud. For affordable self-hosting options, consider platforms like Hostinger.

Step-by-Step Guide

1. Setup IMAP Email Node to Fetch Emails

Navigate to the n8n editor, and add a new node: IMAP Email (type: n8n-nodes-base.emailReadImap). Configure it to connect to your email inbox that receives suspicious emails.

  • Set format to resolved to get parsed email data.
  • Connect using your IMAP credentials.

Once done, this trigger polls the mailbox and emits one item per incoming email, with parsed headers, body and attachments.

Common mistake: Ensure the mailbox folder is set correctly (the node only reads the folder you configure, INBOX by default); otherwise, you may miss incoming messages. Also decide what the post-process action should be: marking messages as read is safer than deleting them, since the original email is evidence you may need later.

2. Create TheHive Alert from Email Attachment

Add a TheHive node (type: n8n-nodes-base.theHive) and connect it to the IMAP Email node. In TheHive, the object that carries a source, a sourceRef and a list of artifacts is an alert, and an alert is what gets promoted to a case in the next step, so this node creates an alert rather than a case directly.

  • Set the resource to Alert and the operation to create.
  • Map the email metadata: the subject as the title, the sender and attachment fileName as artifacts, the messageId as sourceRef (TheHive rejects a second alert with the same source and sourceRef, which stops a re-delivered message from creating a duplicate), and tag the alert as “Email”.
  • Attach the file itself as an artifact of type file.

You should see the alert in TheHive with the attachment linked.

Tip: Always provide a meaningful title (sender plus subject works well) for easy identification later.

3. Promote the Alert and Retrieve Case Details

Use another TheHive node with the Alert resource and the promote operation to turn the alert into a case. This is the step that actually creates the case; the alert's artifacts become the case's observables.

Then add a TheHive node with the Case resource and the get operation to fetch the full case by its ID, so later nodes can reference the case ID and fields from a single place.

4. Fetch Observables from the Case

Add a TheHive node with the Observable resource and the get all operation to fetch every observable attached to the case: the sender address, the attachment and anything else promoted from the alert.

This node returns all observable data for analysis.

5. Execute Cortex Analyzer on Email Attachment

Connect a TheHive node with the Observable resource and the execute analyzer operation to run a Cortex analyzer on the file observable.

  • Select the analyzers by their IDs. Analyzer IDs are specific to your Cortex instance (the same analyzer can carry a different version suffix elsewhere), so pick them from the list the node loads from your Cortex rather than copying them from another setup.
  • Enable retry on failure in case of transient API errors.

Cortex jobs run asynchronously, so the node outputs a Cortex job ID rather than the result; the report is fetched in the next step.

6. Retrieve Cortex Analyzer Report

Add a Cortex node to retrieve the analyzer report using the job ID from the previous step.

This report contains the analyzer's findings, including the extracted IOCs (domains, email addresses and IPs) and its summary taxonomies. Check that the job status is Success before reading the report; a failed or still-running job returns no IOCs.

7. Conditional Check for IOCs

Use an IF node to check if the analyzer report contains any IOCs:

  • Check if domain, email, or IP arrays have any entries.
  • If any are found, continue processing; otherwise, end the workflow.

8. Update TheHive Case with IOCs

Add three separate TheHive nodes (Observable resource, create operation) to add the domains, emails and IPs from the report to the case.

  • Use the data from the Cortex report.
  • Tag observables by type for easier filtering later.
  • Set status to “Ok” and name the analyzer that produced the observable in the message field, so an analyst can tell automated findings from manual ones.
  • Filter out your own domains and private IP ranges before creating observables; otherwise every message produces noise, and the follow-up analyzers in step 10 send your internal hostnames and addresses to third-party reputation services.

9. Pause for Case Updates

Add a Wait node set to resume after a time interval of a few seconds, giving TheHive time to persist the new observables before the next nodes query them.

A fixed delay is a pragmatic way to avoid this race; if observables still arrive late under load, increase the interval or fetch the observables again and check for the expected entries before continuing.

10. Trigger Additional Cortex Analyzers for Each IOC Type

For each IOC type created (domain, email, IP), add a TheHive execute analyzer node to run specialized Cortex analyzers:

  • Domain IOC: Run the OTX domain analyzer.
  • Email IOC: Run the Email Reputation analyzer.
  • IP IOC: Run the OTX IP analyzer.

These provide deeper reputation insights for threat investigation. Because these lookups leave your environment, set an appropriate TLP on the observables and only enable analyzers whose data sharing is acceptable for the case.
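The following is an added example, not code from the template or from TheHive/Cortex, showing the data handling that steps 2, 7, 8 and 10 perform, written as n8n Code-node style functions. It assumes the IMAP item json carries from, subject, messageId and attachments, that a Cortex job report exposes report.artifacts entries of the form { dataType, data }, and that the analyzer IDs and the sample email and report are placeholders constructed for the example:

```javascript
// Added example for the email -> TheHive -> Cortex workflow; not the template's
// own code. Assumed input shapes: IMAP item json (from, subject, messageId,
// attachments[]) and a Cortex job report ({ report: { artifacts: [{ dataType, data }] } }).

// Analyzer IDs are instance-specific; these are assumed names, not fixed IDs.
const ANALYZERS = {
  domain: ['OTXQuery_2_0'],
  ip: ['OTXQuery_2_0'],
  mail: ['EmailRep_1_0'],
};

const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const DOMAIN = /^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const MAIL = /^[^\s@]+@([^\s@]+\.[a-z]{2,63})$/i;

// RFC 1918, loopback and link-local ranges: never worth an external lookup.
function isPrivateIp(ip) {
  const m = IPV4.exec(ip);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function isPublicIp(ip) {
  const m = IPV4.exec(ip);
  return !!m && m.slice(1).every((o) => Number(o) <= 255) && !isPrivateIp(ip);
}

// Step 2: build the TheHive alert from the IMAP item. The Message-ID doubles as
// sourceRef so a re-delivered message cannot create a second alert.
function buildAlert(email, source = 'Outlook') {
  const artifacts = [{ dataType: 'mail', data: email.from, tags: ['sender'] }];
  for (const att of email.attachments || []) {
    artifacts.push({ dataType: 'filename', data: att.fileName, tags: ['attachment'] });
  }
  return {
    type: 'email',
    source,
    sourceRef: email.messageId,
    title: `Suspicious email: ${email.subject}`,
    description: `From ${email.from}, ${artifacts.length - 1} attachment(s)`,
    tags: ['Email'],
    tlp: 2, // amber: only share with analyzers you trust with the data
    artifacts,
  };
}

// Steps 6-7: pull typed IOCs out of the Cortex report, validate, dedupe, and
// drop anything allowlisted (your own domains) or non-routable (private IPs).
function extractIocs(report, allowDomains = []) {
  const allow = new Set(allowDomains.map((d) => d.toLowerCase()));
  const out = { domain: new Set(), ip: new Set(), mail: new Set() };
  for (const a of (report.report && report.report.artifacts) || []) {
    const v = String(a.data || '').trim().toLowerCase();
    if (a.dataType === 'ip' && isPublicIp(v)) out.ip.add(v);
    else if (a.dataType === 'domain' && DOMAIN.test(v) && !allow.has(v)) out.domain.add(v);
    else if (a.dataType === 'mail') {
      const m = MAIL.exec(v);
      if (m && !allow.has(m[1].toLowerCase())) out.mail.add(v);
    }
  }
  return { domain: [...out.domain], ip: [...out.ip], mail: [...out.mail] };
}

// Step 7: the IF node condition.
function hasIocs(iocs) {
  return ['domain', 'ip', 'mail'].some((k) => iocs[k].length > 0);
}

// Steps 8 and 10: one create-observable item per IOC, carrying the analyzers
// the follow-up execute-analyzer node should run for that type.
function toObservables(iocs, analyzerName) {
  const items = [];
  for (const dataType of ['domain', 'ip', 'mail']) {
    for (const data of iocs[dataType]) {
      items.push({
        dataType, data, status: 'Ok', ioc: true, tlp: 2,
        tags: [`type:${dataType}`, 'auto-extracted'],
        message: `Extracted by ${analyzerName}`,
        analyzers: ANALYZERS[dataType],
      });
    }
  }
  return items;
}

// Constructed sample data; none of these are real indicators.
const sampleEmail = {
  from: 'payroll@login-verify.example', subject: 'Updated payslip',
  messageId: '<20240101.abc@login-verify.example>',
  attachments: [{ fileName: 'payslip.docm' }],
};
const sampleReport = { status: 'Success', report: { artifacts: [
  { dataType: 'ip', data: '203.0.113.7' }, { dataType: 'ip', data: '10.0.0.5' },
  { dataType: 'ip', data: '203.0.113.7' }, { dataType: 'domain', data: 'Login-Verify.example' },
  { dataType: 'domain', data: 'example-bank.com' }, { dataType: 'mail', data: 'payroll@Login-Verify.example' },
  { dataType: 'mail', data: 'it@example-bank.com' }, { dataType: 'url', data: 'http://login-verify.example/x' },
] } };

const sampleIocs = extractIocs(sampleReport, ['example-bank.com']);
console.log(buildAlert(sampleEmail).sourceRef, hasIocs(sampleIocs), toObservables(sampleIocs, 'OTXQuery').length);
```

In an n8n Code node the same functions would read from $input.all() and return the observable items, one per output item, so the three create-observable nodes in step 8 each receive only their type. The allowlist and the private-range check are the part most worth keeping: without them the workflow both clutters the case and ships internal names to external reputation services.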

Customizations ✏️

  • Change Email Source: In the first TheHive node, modify the source field to match your email provider (e.g. “Gmail” instead of “Outlook”) so the alert records where it came from.
  • Add More Analyzers: In the analyzer nodes, select additional Cortex analyzers (for example file or URL analyzers) to extend detection; each must be enabled and configured in Cortex first.
  • Adjust Wait Time: Modify the Wait node interval to match how quickly your TheHive instance persists observables.
  • Filter Emails: Add an IF node after the IMAP Email node to process only emails with specific subjects, from known senders, or with attachment types you care about, so benign mail never reaches TheHive.
  • Notification Integration: Add Slack or Email nodes to notify security teams when a case is created or updated.

Troubleshooting 🔧

Problem: “No case created in TheHive despite email received”
Cause: Incorrect or missing TheHive API credentials, a misconfigured alert node, or an alert rejected as a duplicate.
Solution: Recheck the API credentials under the TheHive credential settings. Ensure the alert create operation is selected and the required fields (title, type, source, sourceRef) are mapped. If the same email is processed twice, TheHive rejects the second alert with the same source and sourceRef, which is expected; check the n8n execution log for the error TheHive returned.

Problem: “Cortex analyzer fails or returns no IOCs”
Cause: Analyzer ID may be incorrect, the analyzer may be disabled or misconfigured in Cortex, or the external service behind it may be down or rate-limited.
Solution: Verify the analyzer IDs in the node parameter against the list in Cortex. Run the analyzer from the Cortex UI on the same observable to confirm it works outside n8n. Enable retry on failure in the analyzer node.

Problem: “Workflow stuck on Wait node”
Cause: The Wait node's resume mode is set to wait for a webhook call or a specific time rather than a time interval, so nothing resumes it.
Solution: Set the Wait node to resume after a time interval of a few seconds. Only use the webhook resume mode if something external is actually going to call the resume URL.

Pre-Production Checklist ✅

  • Verify IMAP email node successfully fetches test emails with attachments.
  • Confirm TheHive API credentials are active and have permissions for case and observable operations.
  • Test Cortex analyzer nodes with sample observables to ensure proper response.
  • Check workflow connections to confirm data flows smoothly between nodes.
  • Run a full test sending a test email and observe case creation and IOC extraction.

Deployment Guide

Activate your workflow by toggling it to “active” in the n8n editor. Make sure your IMAP credentials and TheHive/Cortex API keys are correctly set and accessible.

Monitor execution history within n8n to catch any errors or unexpected behavior. Adjust node configurations as necessary.

For extended security operations, consider integrating with notification tools (Slack, Email) or dashboards for real-time alerting.

FAQs

Q: Can I use Gmail instead of generic IMAP?
A: Yes, configure the IMAP Email node with Gmail's IMAP server and an app password; Google no longer accepts the account password for IMAP logins.

Q: Does running analyzers consume API credits?
A: Cortex itself is free, but many analyzers call external services (OTX, EmailRep and similar) that impose rate limits or quotas on their API keys. Monitor usage accordingly.

Q: Is the email data secure during processing?
A: The email and attachment stay within your n8n and TheHive environments, but each Cortex analyzer sends the observable it analyzes to the service behind it. Choose analyzers and TLP levels with that in mind, keep API keys in n8n's credential store rather than in node parameters, and restrict who can edit the workflow.

Q: Can this handle volume spikes?
A: This workflow is designed for moderate volumes. For high volume, consider scaling n8n workers and TheHive infrastructure, and watch the rate limits of the external services behind your analyzers.

Conclusion

With this n8n automation connecting IMAP Email, TheHive, and Cortex, Sarah can now process suspicious emails automatically, extracting and analyzing indicators within minutes instead of hours. The workflow creates the alert and case, extracts observables, runs threat analyzers, and updates the case with their results, accelerating response.

Implementing this workflow saves time, reduces human error, and keeps your organization safer. Next, you might explore automations integrating Slack for incident notifications, enrich analyzers with malware detection, or expand to other data sources like SIEM logs.

Now, take control of your email threat analysis with n8n, TheHive, and Cortex working together seamlessly.
