This article provides a complete, practical walkthrough of the Wait Splitout Create Scheduled n8n agent. It connects HTTP Request, Webhook across approximately 1 node(s). Expect a Intermediate setup in 15-45 minutes. One‑time purchase: €29.

What This Agent Does

This agent orchestrates a reliable automation between HTTP Request, Webhook, handling triggers, data enrichment, and delivery with guardrails for errors and rate limits.

It streamlines multi‑step processes that would otherwise require manual exports, spreadsheet cleanup, and repeated API requests. By centralizing logic in n8n, it reduces context switching, lowers error rates, and ensures consistent results across teams.

Typical outcomes include faster lead handoffs, automated notifications, accurate data synchronization, and better visibility via execution logs and optional Slack/Email alerts.

How It Works

The workflow uses standard n8n building blocks like Webhook or Schedule triggers, HTTP Request for API calls, and control nodes (IF, Merge, Set) to validate inputs, branch on conditions, and format outputs. Retries and timeouts improve resilience, while credentials keep secrets safe.

Third‑Party Integrations

• HTTP Request
• Webhook

Import and Use in n8n

1. Open n8n and create a new workflow or collection.
2. Choose Import from File or Paste JSON.
3. Paste the JSON below, then click Import.
4. Show n8n JSON

   Title:
   Automating Vulnerability Report Management with n8n, Qualys, and TheHive
   
   Meta Description:
   Discover how to automate the end-to-end process of fetching vulnerability scan reports from Qualys and storing them in TheHive using n8n. Save time, avoid duplication, streamline triage, and enforce historical accountability.
   
   Keywords:
   n8n workflow, Qualys, TheHive, vulnerability management, cybersecurity automation, security operations center, fetch Qualys reports, create cases in TheHive, attach PDF reports, XML to JSON, SOC tools
   
   Third-Party APIs Used:
   
   - Qualys API (https://qualysapi.qg3.apps.qualys.com/api/2.0/fo/report)
   - TheHive Project API (https://thehive-project.org/)
   - n8n Internal API (ExecuteWorkflow for timestamp storage)
   
   Article:
   
   Automating Vulnerability Report Management with n8n, Qualys, and TheHive
   
   In today’s ever-evolving cybersecurity landscape, Security Operations Centers (SOCs) must handle vast amounts of vulnerability data in real time. Organizations using vulnerability scanners like Qualys often face complex operational challenges—tracking scans, avoiding duplicate reporting, and ensuring detailed record-keeping. Automating these processes can significantly reduce manual workload, increase efficiency, and improve response times.
   
   This is where the "Save Qualys Reports to TheHive" workflow—designed in n8n—comes in. This intelligent and robust automation fetches completed scan reports from Qualys, filters out previously processed results, and securely stores them in TheHive, an open-source incident response platform. Here's an overview of how this workflow operates and what makes it a game changer in the realm of vulnerability management.
   
   How the Workflow Works
   
   1. Scheduled or Manual Trigger
   
   The workflow can be triggered manually or automatically every hour via a schedule node. This ensures continual monitoring for new reports without human intervention.
   
   2. Setting Global Variables
   
   Upon each execution, the workflow initializes crucial configuration variables, such as the Qualys base URL and a new timestamp based on the current time in UTC. These form the backbone for data requests and comparison operations.
   
   3. Fetch Completed Reports from Qualys
   
   Using the Qualys API, the workflow sends a GET request with query parameters to list all finished reports. These are then converted from XML into JSON for processing. Converting the XML to JSON ensures the data is easily digestible and manageable within n8n.
   
   4. Retrieve the Last Processed Timestamp
   
   To avoid reprocessing older reports, the workflow retrieves the last saved timestamp from a subworkflow. If it's the first time the workflow runs, it defaults to a time 50 years in the past, ensuring it fetches all available historical reports.
   
   5. Filter Out Already Processed Reports
   
   Only reports created after the timestamp from the previous run are considered for processing. This critical step filters out duplicates and ensures that only new, relevant reports are analyzed and stored.
   
   6. Case-by-Case Processing
   
   Each new report is handled individually using a "Split in Batches" node and a waiting period of one second to avoid overwhelming TheHive’s API with rapid sequential requests.
   
   7. Create a Case in TheHive
   
   For each new Qualys report, the workflow creates a new case in TheHive. This case acts as a container for the report data, including:
   - Title of the report
   - Metadata (ID, creation date, user, format, and status)
   - Tags identifying the origin (e.g., “Qualys Scan”)
   - TLP (Traffic Light Protocol) marking for sensitivity
   
   8. Download and Attach the PDF Report
   
   Once the case is created, the corresponding PDF report is downloaded from Qualys using the report ID and attached to the appropriate TheHive case. This ensures that stakeholders reviewing the case have access to the full scan findings.
   
   9. Update the Processing Timestamp
   
   Finally, the workflow saves the current timestamp into a subworkflow for future reference. This ensures the next run only captures new reports, maintaining data integrity and consistency.
   
   Why This Matters
   
   This seamless automation ensures SOC teams:
   - Avoid manual data extraction
   - Eliminate redundancy by preventing duplicate case creation
   - Maintain an organized and searchable archive of vulnerability reports
   - Enable faster incident triage with complete data in one place
   - Standardize updates on an hourly schedule for near real-time intelligence
   
   Technology Stack and API Integrations
   
   This workflow is powered by three key platforms:
   - Qualys API for fetching security scan reports.
   - TheHive API for creating security incident cases and attaching reports.
   - n8n's own internal API for timestamp management and automating internal processes.
   
   Final Thoughts
   
   Whether you're a SOC analyst, engineer, or IT administrator, automating this vulnerability management lifecycle helps enforce data hygiene, provides operational traceability, and enhances your organization’s overall security posture.
   
   If you're looking to streamline your vulnerability management process without writing custom code, this n8n workflow provides a low-code, scalable solution. Simply plug in your Qualys and TheHive credentials, customize your environment variables, and let automation do the rest.
   
   Ready to get started? Visit the official documentation for n8n’s Qualys and TheHive integrations, and join the community on the forums or Discord for support.
   
   Secure smarter. Respond faster. Let your workflow do the heavy lifting.

5. Set credentials for each API node (keys, OAuth) in Credentials.
6. Run a test via Execute Workflow. Inspect Run Data, then adjust parameters.
7. Enable the workflow to run on schedule, webhook, or triggers as configured.

Tips: keep secrets in credentials, add retries and timeouts on HTTP nodes, implement error notifications, and paginate large API fetches.

Validation: use IF/Code nodes to sanitize inputs and guard against empty payloads.

Why Automate This with AI Agents

AI‑assisted automations offload repetitive, error‑prone tasks to a predictable workflow. Instead of manual copy‑paste and ad‑hoc scripts, your team gets a governed pipeline with versioned state, auditability, and observable runs.

n8n’s node graph makes data flow transparent while AI‑powered enrichment (classification, extraction, summarization) boosts throughput and consistency. Teams reclaim time, reduce operational costs, and standardize best practices without sacrificing flexibility.

Compared to one‑off integrations, an AI agent is easier to extend: swap APIs, add filters, or bolt on notifications without rewriting everything. You get reliability, control, and a faster path from idea to production.

Best Practices

• Credentials: restrict scopes and rotate tokens regularly.
• Resilience: configure retries, timeouts, and backoff for API nodes.
• Data Quality: validate inputs; normalize fields early to reduce downstream branching.
• Performance: batch records and paginate for large datasets.
• Observability: add failure alerts (Email/Slack) and persistent logs for auditing.
• Security: avoid sensitive data in logs; use environment variables and n8n credentials.

FAQs

Can I swap integrations later? Yes. Replace or add nodes and re‑map fields without rebuilding the whole flow.

How do I monitor failures? Use Execution logs and add notifications on the Error Trigger path.

Does it scale? Use queues, batching, and sub‑workflows to split responsibilities and control load.

Is my data safe? Keep secrets in Credentials, restrict token scopes, and review access logs.