n8n

How to Automate Slack and Jira Incident Response?

Keep your team informed when a risky email is caught. The flow alerts the affected employee in Slack and opens a Jira issue only when the email was already opened. It reduces confusion and speeds up security follow-up.

An incoming alert from your email security tool triggers a webhook in n8n. The flow pulls message details, then looks up the recipient’s Slack account by their mailbox address. If a Slack user is found, a direct message explains why the email is missing and what to do next. The logic also checks whether the email was opened using the read_at field. If it was, a code step prepares a table of flagged rules and a Jira issue is created with a clear summary and description. If the user is not in Slack or the email was not opened, the flow exits without noise.

Setup needs API access to the email security platform, a Slack app with users:read.email and im:write scopes, and a Jira project with the right issue type. Expect faster response, fewer help desk tickets, and cleaner handoffs to incident response. Good fits include IT and security teams that quarantine suspicious emails and want direct user alerts plus a ticket only when risk is higher.

What are the key features?

  • Webhook trigger receives email alert events as they happen
  • HTTP request pulls full message details using secure header auth
  • Slack user lookup by email finds the correct person to message
  • Conditional check exits the flow when no Slack user is found, to avoid noise
  • Direct Slack message explains sender, subject, and why it was quarantined
  • Open check uses the read_at field to see if the email was viewed
  • Code step builds a flagged rules table that is added to the Jira ticket
  • Jira issue creation includes a clear summary and incident details
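
The open check and the flagged rules table described above, as an added example in JavaScript (the language of n8n's Code node); it is not the template's own code. Every field name except read_at, the sample payload, and the Jira wiki-markup table format are assumptions.

```javascript
// Added example; not the template's own code.
// Constructed sample of the message details; every field name except
// read_at is an assumption about the payload shape.
const sampleMessage = {
  subject: "Invoice overdue",
  sender: "billing@example.test",
  recipient: "alice@example.test",
  read_at: "2024-05-01T09:14:00Z", // null when the email was never opened
  flagged_rules: [
    { name: "Brand impersonation", severity: "high" },
    { name: "Suspicious | link", severity: "medium" },
  ],
};

// Subject and sender are attacker-controlled: escape pipes and flatten
// newlines so they cannot break the table or add rows to the ticket.
function cell(value) {
  return String(value ?? "").replace(/\|/g, "\\|").replace(/\r?\n/g, " ");
}

// Assumes the Jira description accepts wiki markup (||header|| / |cell|).
function buildRulesTable(rules) {
  const rows = rules.map((r) => `|${cell(r.name)}|${cell(r.severity)}|`);
  return ["||Rule||Severity||", ...rows].join("\n");
}

// Mirrors the flow's two gates: Slack user found, then read_at present.
function route(message, slackUserId) {
  if (!slackUserId) return { notify: false, ticket: null }; // exit quietly
  if (!message.read_at) return { notify: true, ticket: null }; // DM only
  return {
    notify: true,
    ticket: {
      summary: `Quarantined email was opened: ${cell(message.subject)}`,
      description: [
        `Sender: ${cell(message.sender)}`,
        `Recipient: ${cell(message.recipient)}`,
        `Opened at: ${cell(message.read_at)}`,
        "",
        buildRulesTable(message.flagged_rules || []),
      ].join("\n"),
    },
  };
}
```

In a Code node, the ticket object returned by route would feed the Jira node's summary and description fields.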

What are the benefits?

  • Reduce alert triage time from 30 minutes to 3 minutes
  • Notify affected users in Slack within seconds to cut help desk tickets
  • Create Jira issues only when the email was opened to focus effort
  • Connect email security, chat, and ticketing in one flow
  • Handle more alerts without adding staff by removing manual steps

How do you set it up?

  1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
  2. You'll need accounts with Sublime Security, Slack and Jira Software. See the Tools Required section below for links to create accounts with these services.
  3. In Sublime Security, create an API key from the account settings page. Keep it safe as you will paste it into n8n.
  4. In the n8n credentials manager, create a new HTTP Header Auth credential for Sublime Security with Authorization set to Bearer YOUR_API_KEY. Name it clearly so your team can find it later.
  5. Open the HTTP Request node that fetches message details and select the Sublime Security credential you just created. Confirm the URL uses the messageId from the webhook payload.
  6. In Sublime Security, create a webhook that points to the n8n Webhook URL shown on the Receive Alert node. Use the POST method and send alerts for the rule set that auto quarantines emails.
  7. In Slack, create or use a Slack app with users:read.email and im:write scopes. Install it to your workspace.
  8. In the n8n credentials manager, connect the Slack nodes: double-click the Slack nodes, choose Credential to connect with, click Create new credential, then follow the on-screen steps to authorize your workspace.
  9. Open the Slack lookup node and confirm the query uses the email from the webhook payload. Test with a known mailbox to make sure a user ID is returned.
  10. For Jira Software, prepare a project and issue type for incidents. In n8n, create a Jira Software Cloud credential and select it in the Jira node.
  11. In the Jira node, set the project and issue type. Keep the summary and description templates as provided or adjust to match your process.
  12. Enable auto quarantine on your email security rule set so alerts include quarantined messages. Send a test alert from Sublime Security to the n8n webhook to validate end to end.
  13. Check that the target user receives a Slack direct message. Then trigger a sample where read_at is true and confirm a Jira ticket is created with the flagged rules table.
  14. If Slack user lookup fails, confirm the mailbox email matches the Slack profile email. If the Jira node fails, verify the project key, issue type, and credential permissions.

Tools Required

$24 / mo or $20 / mo billed annually to use n8n in the cloud. However, the local or self-hosted n8n Community Edition is free.

Jira Software

Free plan: $0 / mo (up to 10 users); REST API access available

Slack

Free plan: $0 / mo; limited to 10 apps (third-party or custom) and usable via Slack API

Sublime Security

Free tier: $0, EML Analyzer API (unauthenticated; no API key)
