Automate Slack Alerts and Jira Tickets for Quarantined Emails with n8n

This n8n workflow automatically notifies Slack users of quarantined emails and creates Jira tickets if the email was opened before quarantine, streamlining security alert handling and incident response.
Workflow Identifier: 2215
NODES in Use: Webhook, HTTP Request, IF, Slack, Code, Jira Software, NoOp, Sticky Note

What This Workflow Does

This workflow gets alerts from Sublime Security when an email is quarantined for security reasons.
It fetches extra details about that email from Sublime Security’s API.
Then, it finds the Slack user linked to the email recipient.
The user gets a Slack message telling them the email was quarantined.
If the email was opened before quarantine, the workflow makes a Jira ticket automatically.
This saves time and reduces the risk of malicious emails going unnoticed.


Tools and Services Used

  • Sublime Security: Sends quarantine alerts and holds email data.
  • Slack: API for finding users and sending messages.
  • Jira Software Cloud: Creates issue tickets for incidents.
  • n8n: Workflow platform to connect everything.

Inputs, Processing, and Outputs

Inputs

  • Webhook alert from Sublime Security about quarantined email.
  • API data about the specific email message.
  • Email address to find matching Slack user.

Processing Steps

  • Validate webhook authentication.
  • Fetch detailed email message info using message ID.
  • Determine if email was opened before quarantine.
  • Lookup Slack user by email address.
  • Send Slack message notification if user found.
  • Create Jira ticket if email was opened.
  • Skip the Slack message or Jira ticket if the necessary data is missing.

Outputs

  • User receives Slack message about quarantined email.
  • Jira issue created for investigation if email was opened.
  • Internal security team gains faster incident awareness.

Who Should Use This Workflow

This workflow helps IT security teams who get many quarantine alerts from email filters.
It suits companies using Sublime Security, Slack, and Jira for incident management.

The workflow reduces manual checking and messaging.
It speeds up notifying employees about risky emails.


Beginner Step-by-Step: How to Use This Workflow in n8n

Download and Import

  1. Click the Download button on this page and save the workflow file.
  2. Open your n8n editor.
  3. Choose “Import from File” and select the downloaded workflow.

Configure Credentials

  1. Add Sublime Security API Key in the credentials manager.
  2. Add Slack OAuth2 token with required scopes (users:read.email, im:write).
  3. Add Jira API token and set project and issue type.

Adjust Settings

  1. Review node configurations for IDs, email addresses, Slack channels if needed.
  2. Update any email or user lookup values if different from defaults.
  3. If the workflow has code nodes, copy and verify code expressions as provided.

Test and Activate

  1. Trigger a test email quarantine event or simulate webhook payload.
  2. Check if Slack messages are sent and Jira tickets created when expected.
  3. Fix configuration errors if any appear.
  4. Activate workflow by toggling the switch in n8n.

This lets n8n catch real alerts and automate notifications and ticketing.


Customization Ideas

  • Change Slack message text for different company instructions or language.
  • Adjust Jira ticket priority based on severity using expressions.
  • Add mailto reply links in Slack messages for quick user feedback.
  • Notify extra Slack channels like IT admin or security team.
  • Expand workflow to handle different quarantine reasons with custom paths.

Troubleshooting Common Issues

  • Webhook Authentication Fails: Check that header authentication is set correctly in the Webhook node, and update the API key if it has expired.
  • Slack User Lookup Fails: Verify Slack app scopes include users:read.email and confirm email correctness.
  • Jira Ticket Not Created: Ensure project and issue type fields are set in Jira Software node.

Pre-Production Checklist

  • Confirm Sublime Security webhook URL is live and reachable.
  • Test webhook calls in n8n for correct data.
  • Check Slack credentials have correct permissions.
  • Verify Jira API token and project configuration.
  • Run test webhook with opened and unopened email scenarios.
  • Back up existing workflow and credentials.

Deployment Guide

Turn workflow ON inside the n8n editor using the toggle.
Watch executions for errors or warnings.
Set alerts in n8n for failed runs if needed.
Review Jira tickets after creation to confirm processing.
For self-hosted n8n, serve the webhook endpoint over HTTPS on a stable server so webhooks are received securely.


Code Example for Step 8: Prepare Flagged Rules Table

This Code node formats flagged rules into a markdown table for Jira.

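// Build one table row per flagged rule from the Sublime Security alert payload.
const table = $("Receive Sublime Security Alert")
  .item.json.body.data.flagged_rules.map(
    // Close each row with a trailing "|" and tolerate rules that carry no tags.
    (rule) => `|${rule.name}|${rule.severity}|${(rule.tags || []).join(",")}|${rule.id}|`
  )
  .join("\n");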

return { table };
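
A hardened variant of the Code node above, as an added example that is not part of the original workflow: it escapes characters in webhook-supplied fields that would break the table or inject markup into the Jira ticket, and it fills empty cells. The header row, the `-` placeholder, the length cap, backslash escaping as in Jira wiki markup, and the sample payload are assumptions.

```javascript
// Added example, not the workflow's own code. In an n8n Code node, pass in
// $("Receive Sublime Security Alert").item.json.body.data.flagged_rules.
const MAX_CELL = 200; // assumed cap so one oversized field cannot bloat the ticket
const EMPTY = "-";    // assumed placeholder: an empty cell would leave "||" in the row

// Neutralise characters that change the table layout or start markup constructs
// (assumes backslash escaping, as in Jira wiki markup).
function cell(value) {
  const text = value === undefined || value === null ? "" : String(value);
  const flat = text.replace(/[\r\n\t]+/g, " ").trim().slice(0, MAX_CELL);
  const escaped = flat.replace(/([\\|{}\[\]!])/g, "\\$1");
  return escaped === "" ? EMPTY : escaped;
}

function buildFlaggedRulesTable(rules) {
  if (!Array.isArray(rules) || rules.length === 0) {
    return "No flagged rules were included in the alert.";
  }
  const header = "||Name||Severity||Tags||ID||"; // assumed column titles
  const rows = rules.map((rule) => {
    const r = rule || {};
    const tags = Array.isArray(r.tags) ? r.tags.join(", ") : "";
    return `|${cell(r.name)}|${cell(r.severity)}|${cell(tags)}|${cell(r.id)}|`;
  });
  return [header, ...rows].join("\n");
}

// Constructed sample payload (not real Sublime Security output).
const sampleRules = [
  { name: "Credential phishing | brand impersonation", severity: "high",
    tags: ["phishing", "brand"], id: "rule-0001" },
  { name: "Suspicious\nattachment {macro}", severity: "medium", id: "rule-0002" },
];

console.log(buildFlaggedRulesTable(sampleRules));
```
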

Slack Message Template in Step 7

Use this message in the Slack node to explain quarantine to users.

Hello,
Our security team has detected a potentially malicious email sent to your inbox and has quarantined it pending investigation.

From: {{ $('Get message details in Sublime Security').item.json["sender"]["display_name"] }} | {{ $('Get message details in Sublime Security').item.json["sender"]["email"] }}
Subject: {{ $('Get message details in Sublime Security').item.json["subject"] }}

If you believe that the email is not malicious and was intended for you, please contact IT, referencing email ID `{{ $('Get message details in Sublime Security').item.json["id"] }}`.

The email may be restored by IT if it is determined to be safe.

Thank you for helping keep the company secure!

Summary

→ Receive live quarantine alerts from email security.
→ Get full email details via API.
→ Find Slack users by email and send alerts.
→ Create Jira tickets automatically if email was opened.
→ Save time and reduce risk from unnoticed threats.
→ Improve security team incident response speed.


Frequently Asked Questions

Yes, by replacing Slack nodes with Microsoft Teams connectors and adjusting message formats accordingly.
Yes, every API call made to Sublime Security, Slack, and Jira counts toward API limits; users should monitor and manage quotas.
All API keys and credentials are stored encrypted within n8n, and webhook calls require authentication headers to protect data.
Yes, with sufficient n8n resources and proper API rate limiting configurations, the workflow can process high volumes efficiently.
