Generate incident response reports with Supabase, Gemini and Claude


1. Workflow Overview

Quick Overview This workflow ingests incident and playbook content from GitHub into Supabase (including pgvector embeddings with Google Gemini) and, on a webhook trigger, enriches a test incident w...

Best for

  • SecOps automation workflows
  • AI RAG automation workflows
  • advanced n8n builders looking for reusable templates

Tools used

n8n-nodes-base.stickynote, @n8n/n8n-nodes-langchain.documentdefaultdataloader, @n8n/n8n-nodes-langchain.embeddingsgooglegemini, n8n-nodes-base.httprequest, n8n-nodes-base.code, n8n-nodes-base.supabase, n8n-nodes-base.merge, @n8n/n8n-nodes-langchain.chainllm

Source and attribution

This workflow is cataloged by N8N Workflows and links back to its original n8n.io source page by Viraj.

1.1 Workflow description

Title: Generate incident response reports with Supabase, Gemini and Claude
Workflow name: Generate incident response reports with Supabase, Gemini and Claude

Quick Overview

This workflow ingests incident and playbook content from GitHub into Supabase (including pgvector embeddings with Google Gemini) and, on a webhook trigger, enriches a test incident with historical matches, a routed response playbook, and live web threat intel (via Tavily + OpenRouter) to generate a validated incident response report.

How it works

  1. Receives a POST webhook containing the incident payload (including an encrypted OpenRouter API key) and decrypts the key for downstream LLM calls.
  2. Creates a tracking row in a Supabase table and loads configuration values used by the retrieval and report-generation steps.
  3. Retrieves similar resolved incidents from a Supabase pgvector store using Google Gemini embeddings and returns structured historical patterns.
  4. Retrieves the best-matching reference playbook from a Supabase pgvector store and fetches the full playbook text from Supabase, falling back to a built-in generic playbook when no match is found.
  5. Uses Tavily Search plus an OpenRouter-backed agent to gather external threat intelligence, IOCs, and phased mitigation guidance when the incident is classified as security-relevant.
  6. Merges the three intelligence branches and uses an OpenRouter LLM to synthesize a structured JSON output and an 11-section Markdown incident response report.
  7. Validates that required report fields exist and, if valid, writes the structured output and Markdown report back to the Supabase test incident record; otherwise it skips the write.

Setup

  1. Create Supabase tables for test incidents and vector stores (for resolved incidents and reference playbooks) and configure the matching SQL functions used for retrieval (for example, match_resolved_incidents_v1 and match_reference_playbooks_v1).
  2. Add Supabase credentials in n8n and set the correct table names and query function names in the workflow’s configuration nodes.
  3. Add Google Gemini (PaLM) API credentials and ensure the embedding model name used in the config (for example, models/gemini-embedding-001) is available to your account.
  4. Add an OpenRouter API credential for the chat models used by the agents and synthesizer, and ensure your webhook caller sends an encrypted_openrouter_key value that matches the workflow’s decryption format.
  5. Add a Tavily API credential for web search, then copy the webhook URL and configure your incident source to POST the incident JSON to it.

1.2 Logical Blocks

This catalog entry is organized from the workflow JSON. The node-level section below shows the executable blocks available for review before importing the template.

2. Block-by-Block Analysis

Block 1 - Sticky Note

Type / Role
n8n-nodes-base.stickyNote - stickyNote
Config choices
Version 1

Block 2 - Sticky Note1

Type / Role
n8n-nodes-base.stickyNote - stickyNote
Config choices
Version 1

Block 3 - Sticky Note2

Type / Role
n8n-nodes-base.stickyNote - stickyNote
Config choices
Version 1

Block 4 - Resolved Incidents Data Loader

Type / Role
@n8n/n8n-nodes-langchain.documentDefaultDataLoader - documentDefaultDataLoader
Config choices
Version 1

Block 5 - Gemini Embeddings (Resolved Incidents)

Type / Role
@n8n/n8n-nodes-langchain.embeddingsGoogleGemini - embeddingsGoogleGemini
Config choices
Version 1

Block 6 - Get Reference Playbooks From GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.4

Block 7 - Get Resolved Incidents from GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.2

Block 8 - Download Reference Playbooks From GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.4

Block 9 - Download Resolved Incidents From GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.4

Block 10 - Prepare Markdown Document & Metadata

Type / Role
n8n-nodes-base.code - code
Config choices
Version 2

Block 11 - Sticky Note3

Type / Role
n8n-nodes-base.stickyNote - stickyNote
Config choices
Version 1

Block 12 - Sticky Note6

Type / Role
n8n-nodes-base.stickyNote - stickyNote
Config choices
Version 1

Block 13 - Create a Row of Test Incident on Supabase

Type / Role
n8n-nodes-base.supabase - supabase
Config choices
Version 1

Block 14 - Gemini Embeddings (Playbooks Ingestion)

Type / Role
@n8n/n8n-nodes-langchain.embeddingsGoogleGemini - embeddingsGoogleGemini
Config choices
Version 1

Block 15 - Reference Playbooks Data Loader

Type / Role
@n8n/n8n-nodes-langchain.documentDefaultDataLoader - documentDefaultDataLoader
Config choices
Version 1

Block 16 - Merge Ingestion Branches

Type / Role
n8n-nodes-base.merge - merge
Config choices
Version 3.2

Block 17 - Summarize Reference Playbooks for Embeddings

Type / Role
@n8n/n8n-nodes-langchain.chainLlm - chainLlm
Config choices
Version 1.9

Block 18 - Get Test Incidents From GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.4

Block 19 - Download Test Incidents From GitHub

Type / Role
n8n-nodes-base.httpRequest - httpRequest
Config choices
Version 4.4

Block 20 - Threat Intel Enrichment Agent

Type / Role
@n8n/n8n-nodes-langchain.agent - agent
Config choices
Version 3.1

Block 21 - Search in Tavily

Type / Role
@tavily/n8n-nodes-tavily.tavilyTool - tavilyTool
Config choices
Version 1

Block 22 - Gemini Embeddings (Historical RAG)

Type / Role
@n8n/n8n-nodes-langchain.embeddingsGoogleGemini - embeddingsGoogleGemini
Config choices
Version 1

Block 23 - Historical Incidents RAG Agent

Type / Role
@n8n/n8n-nodes-langchain.agent - agent
Config choices
Version 1.7

Block 24 - Resolved Incidents Vector Store

Type / Role
@n8n/n8n-nodes-langchain.vectorStoreSupabase - vectorStoreSupabase
Config choices
Version 1.3

Showing the first 24 of 71 workflow blocks. Download the JSON for the full node graph.

3. Summary Table

Workflow: Generate incident response reports with Supabase, Gemini and Claude
Complexity: advanced
Nodes: 71
Categories: SecOps, AI RAG
Author: Viraj
Published: 17 Jun 2026

4. Reproducing the Workflow from Scratch

  1. Download the workflow JSON

    Use the JSON export at /data/workflows/16446/16446.json as the source template for this automation.

  2. Import the template into n8n

    Open n8n, import the downloaded JSON, and review each node before activating the workflow.

  3. Configure credentials and variables

    Replace placeholder credentials, API keys, webhook URLs, account IDs, and environment-specific values with your own settings.

  4. Test with sample data

    Run the workflow manually or in a staging workspace, inspect node output, and confirm downstream systems receive the expected data.

  5. Activate and monitor

    Enable the workflow only after testing, then monitor executions, errors, and rate limits during the first production runs.

5. General Notes & Resources

Review imported nodes carefully before activation. This catalog entry is intended to help you inspect the workflow structure, understand required services, and find related templates faster.

Node names, credentials, schedules, webhook paths, and external service limits may need adjustment for your workspace.

Frequently asked questions

What does Generate incident response reports with Supabase, Gemini and Claude do?

Quick Overview This workflow ingests incident and playbook content from GitHub into Supabase (including pgvector embeddings with Google Gemini) and, on a webhook trigger, enriches a test incident w...

What do I need before importing this workflow?

Review the workflow JSON, configure any required credentials in n8n, and test the automation in a safe workspace before using it in production.

Can I customize this workflow?

Yes. Use the block-by-block analysis and the downloadable JSON to inspect each node, then adjust credentials, prompts, schedules, filters, or destinations for your SecOps or AI RAG use case.