Turn your MITRE ATT&CK data into a live knowledge base and use it to enrich Zendesk tickets. Security and IT teams get clear context, suggested tactics and techniques, and next steps right inside each ticket. You can also chat with the knowledge base to answer security questions fast.

The flow has three parts. First, a manual run pulls a JSON file from Google Drive, extracts the content, splits it into chunks, creates embeddings with OpenAI, and stores them in a Qdrant collection with rich metadata. Second, an n8n chat trigger lets users ask questions. The agent uses OpenAI, memory, and a Qdrant query to find the best context and reply. Third, the Zendesk branch gets tickets, loops through each one, parses SIEM style fields with a structured output, calls the Qdrant query for context, and updates the ticket with mapped MITRE items and remediation steps.

Set up needs OpenAI, Google Drive, Qdrant, and Zendesk credentials. Keep the same collection name across embed and query nodes, and match embedding dimensions. Expect faster triage, consistent notes, and stronger incident response. Great for SOC triage, service desk handling of security alerts, and audit friendly tagging.

• Pull JSON from Google Drive and extract content for indexing
• Split text into tokens and attach metadata like id, name, and kill chain phases
• Create OpenAI embeddings at 1536 dimensions and store vectors in Qdrant
• Chat trigger with memory lets users ask questions and keep context across messages
• Agent tools query Qdrant to retrieve the most relevant MITRE entries
• Get Zendesk tickets, loop through each one, and structure SIEM fields into clean JSON
• AI agent maps alerts to MITRE techniques and suggests remediation steps
• Update Zendesk tickets with enriched context and recommended actions
• Structured output parser enforces consistent fields for downstream updates
• Manual run path embeds new data so the knowledge base stays current

• Reduce manual triage from 20 minutes to 3 minutes per ticket by auto adding MITRE context
• Improve mapping accuracy of TTPs by standardizing fields with a structured parser
• Unify four systems so analysts do not switch tools during investigations
• Scale to hundreds of tickets by looping through items with consistent results
• Answer security questions in real time through a chat interface backed by your data

1. Import the template into n8n: Create a new workflow in n8n > Click the three dots menu > Select 'Import from File' > Choose the downloaded JSON file.
2. You'll need accounts with OpenAI, Google Drive, Qdrant and Zendesk. See the Tools Required section above for links to create accounts with these services.
3. OpenAI credentials: Double click an OpenAI node, create a new credential, paste your API key from the OpenAI API page, and save. Pick the gpt-4o chat model and the text-embedding-3-large embedding model with 1536 dimensions.
4. Google Drive credentials: Double click the Google Drive node and create a new OAuth2 credential. Follow the on screen steps to grant access to the Drive that holds the JSON file.
5. Qdrant credentials: Double click each Qdrant node, create a new API Key credential, and enter the host URL and API key from your Qdrant cluster. Use the same collection name in both embed and query nodes.
6. Zendesk credentials: Double click the Zendesk nodes, create a new credential, and provide your subdomain, email, and API token. Ensure the user has permission to read and update tickets.
7. Configure the Google Drive file: In the Google Drive node, select the JSON file that contains the MITRE data. Run the Extract from File node to confirm it returns parsed JSON.
8. Set metadata and chunking: Check the Default Data Loader and Token Splitter nodes so metadata fields map to your JSON and the text splits before embedding.
9. Validate embeddings and store: Run the embed path from the manual trigger. Confirm Qdrant shows vectors in the target collection and the insert step returns success.
10. Test the chat path: Use the n8n chat interface and ask a question about a tactic or technique. Verify the answer references the right context retrieved from Qdrant.
11. Verify Zendesk enrichment: Limit the Get all Zendesk Tickets node with a small sample. Run the loop and check the AI Agent output and the ticket updates for MITRE fields and remediation notes.
12. Troubleshoot: If Qdrant errors mention dimensions, confirm the embedding size matches 1536. If Google Drive fails, check file permissions. If Zendesk updates fail, confirm API token scope and ticket IDs.