This workflow corresponds to n8n.io template #13706 — we link there as the canonical source.
This workflow follows the Agent → Emailsend recipe pattern — see all workflows that pair these two integrations.
The workflow JSON
Copy or download the full n8n JSON below. Paste it into a new n8n workflow, add your credentials, activate. Full import guide →
{
"id": "IgdddfLCX52CIPYI",
"meta": {
"templateCredsSetupCompleted": true
},
"name": "AI Ransomware Early Warning System",
"tags": [],
"nodes": [
{
"id": "e5cb47f0-801e-4024-b9bb-6739dbe61534",
"name": "Sticky Note",
"type": "n8n-nodes-base.stickyNote",
"position": [
176,
-336
],
"parameters": {
"width": 900,
"height": 1994,
"content": "## AI Ransomware Early Warning System\n\nThis workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response.\n\n### How it works\n\n1. **File System Monitoring** - Continuously monitors file operations (create, modify, rename, delete) across critical directories\n2. **Behavior Pattern Collection** - Aggregates file operation metrics in 30-second windows (entropy changes, extension changes, I/O velocity)\n3. **AI Threat Analysis** - Claude AI analyzes patterns against known ransomware behaviors (mass encryption, shadow copy deletion, etc.)\n4. **Threat Scoring & Classification** - Assigns threat scores (0-100) and classifies attack types (crypto-locker, wiper, etc.)\n5. **Auto-Isolation Decision** - Determines if immediate network isolation is required based on confidence thresholds\n6. **System Quarantine** - Executes automated isolation: disable network adapters, block shares, kill suspicious processes\n7. **Forensic Snapshot** - Captures system state, process tree, network connections, and file operation logs\n8. **Incident Response Alert** - Notifies SOC team with detailed threat intelligence and recommended actions\n9. **Evidence Preservation** - Stores forensic data and AI analysis in SIEM for investigation\n\n### Detection Capabilities\n\n- **Entropy Analysis**: Detects high-entropy file creation (encrypted data signature)\n- **Extension Scanning**: Identifies suspicious extension changes (.docx \u2192 .locked, .encrypted, .crypted)\n- **I/O Velocity**: Flags abnormal file modification rates (>100 files/min)\n- **Shadow Copy Deletion**: Detects vssadmin.exe / wmic.exe shadow copy deletion attempts\n- **Ransom Note Detection**: Identifies README.txt, HOW_TO_DECRYPT.html creation patterns\n- **Lateral Movement**: Monitors SMB/RDP connection spikes from infected hosts\n- **Process Behavior**: Analyzes suspicious parent-child process relationships\n\n### Setup Steps\n\n1. 
Import workflow into n8n\n2. Configure credentials:\n - **Anthropic API** - Claude AI for threat analysis\n - **Windows Event Collector / Sysmon** - File system event source\n - **EDR API** (CrowdStrike/Defender/SentinelOne) - For isolation commands\n - **SIEM API** (Splunk/Elastic) - For log forwarding\n - **Slack/PagerDuty** - For SOC alerts\n3. Install file system watcher on monitored endpoints (sysmon, osquery, or auditd)\n4. Configure isolation thresholds (default: threat_score >= 75)\n5. Test isolation procedure in sandbox environment\n6. Activate workflow\n\n### Sample Detection Event\n```json\n{\n \"hostname\": \"DESKTOP-WKS-042\",\n \"username\": \"jdoe\",\n \"timestamp\": \"2025-02-25T14:23:17Z\",\n \"detection_window_seconds\": 30,\n \"file_operations\": {\n \"files_modified\": 247,\n \"files_renamed\": 189,\n \"files_created\": 58,\n \"files_deleted\": 31,\n \"avg_entropy_increase\": 7.89,\n \"suspicious_extensions\": [\".locked\", \".crypted\", \".encrypted\"],\n \"ransom_notes_created\": [\"README_DECRYPT.txt\", \"HOW_TO_RECOVER.html\"]\n },\n \"process_activity\": {\n \"high_io_processes\": [\n {\"name\": \"explorer.exe\", \"pid\": 4782, \"io_rate\": \"523 ops/sec\"},\n {\"name\": \"svchost.exe\", \"pid\": 2194, \"io_rate\": \"412 ops/sec\"}\n ],\n \"suspicious_commands\": [\n \"vssadmin.exe delete shadows /all /quiet\",\n \"wmic shadowcopy delete\",\n \"bcdedit /set {default} recoveryenabled no\"\n ]\n },\n \"network_activity\": {\n \"c2_connections\": [\n {\"ip\": \"185.220.101.32\", \"port\": 443, \"country\": \"RU\"},\n {\"ip\": \"194.165.16.85\", \"port\": 8443, \"country\": \"NL\"}\n ],\n \"lateral_movement\": [\n {\"target\": \"FILE-SERVER-01\", \"protocol\": \"SMB\", \"status\": \"success\"},\n {\"target\": \"DB-SERVER-03\", \"protocol\": \"RDP\", \"status\": \"failed\"}\n ]\n }\n}\n```\n\n### Threat Intelligence Sources\n- MITRE ATT&CK Framework (T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery)\n- Known ransomware 
families: LockBit, BlackCat/ALPHV, Royal, Play, Cl0p\n- File extension IOCs from ransomware tracking feeds\n- Behavioral signatures from recent campaigns\n\n### Compliance & Forensics\n- **Chain of Custody**: All isolation actions logged with timestamps and justifications\n- **NIST CSF Alignment**: DE.CM-7 (Monitoring for unauthorized activity), RS.MI-3 (Incident containment)\n- **Evidence Integrity**: Forensic snapshots include cryptographic hashes for court admissibility\n- **Post-Incident Review**: AI analysis archived for threat hunting and pattern improvement"
},
"typeVersion": 1
},
{
"id": "aa56c195-6249-4bb9-97e3-1ff480f9a26e",
"name": "Sticky Note 1",
"type": "n8n-nodes-base.stickyNote",
"position": [
1168,
608
],
"parameters": {
"color": 6,
"width": 680,
"height": 340,
"content": "## 1. File System Monitoring & Event Collection"
},
"typeVersion": 1
},
{
"id": "da72049b-50b2-4741-b09d-317179678a9e",
"name": "Sticky Note 2",
"type": "n8n-nodes-base.stickyNote",
"position": [
1904,
544
],
"parameters": {
"color": 6,
"width": 724,
"height": 620,
"content": "## 2. Behavior Aggregation + AI Threat Analysis"
},
"typeVersion": 1
},
{
"id": "af03f0f2-99e6-458a-9755-bf94a600a56d",
"name": "Sticky Note 3",
"type": "n8n-nodes-base.stickyNote",
"position": [
2704,
544
],
"parameters": {
"color": 6,
"width": 820,
"height": 540,
"content": "## 3. Threat Scoring + Auto-Isolation Decision"
},
"typeVersion": 1
},
{
"id": "0dcbfdd6-1b5a-4fcd-b6f5-11d360b5a0e6",
"name": "Sticky Note 4",
"type": "n8n-nodes-base.stickyNote",
"position": [
3568,
384
],
"parameters": {
"color": 6,
"width": 1192,
"height": 720,
"content": "## 4. System Isolation + Forensics + SOC Alert"
},
"typeVersion": 1
},
{
"id": "8abfee30-adbf-402c-9571-8a99f402ff0e",
"name": "File System Event Stream",
"type": "n8n-nodes-base.webhook",
"position": [
1264,
784
],
"parameters": {
"path": "ransomware/file-events",
"options": {},
"httpMethod": "POST",
"responseMode": "lastNode"
},
"typeVersion": 2
},
{
"id": "b88cdb13-01a8-44c5-947f-72f4b54bba97",
"name": "Aggregate File Operations (30s Window)",
"type": "n8n-nodes-base.code",
"position": [
1488,
784
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "// Aggregate file system events in 30-second sliding window\nconst events = $input.item.json.events || [$input.item.json];\n\n// Initialize aggregation metrics\nconst metrics = {\n hostname: events[0].hostname || 'UNKNOWN',\n username: events[0].username || 'UNKNOWN',\n detection_window_start: new Date(Date.now() - 30000).toISOString(),\n detection_window_end: new Date().toISOString(),\n detection_window_seconds: 30,\n \n file_operations: {\n total_operations: events.length,\n files_created: 0,\n files_modified: 0,\n files_renamed: 0,\n files_deleted: 0,\n avg_file_size_bytes: 0,\n total_bytes_written: 0,\n operations_per_second: 0,\n unique_directories_affected: new Set(),\n file_extensions_changed: [],\n suspicious_extensions: [],\n ransom_notes_created: [],\n entropy_analysis: {\n high_entropy_files: 0,\n avg_entropy: 0,\n entropy_increase_count: 0\n }\n },\n \n process_activity: {\n unique_processes: new Set(),\n high_io_processes: [],\n suspicious_commands: [],\n parent_child_chains: []\n },\n \n network_activity: {\n c2_connections: [],\n lateral_movement: [],\n smb_connections: 0,\n rdp_connections: 0\n },\n \n system_changes: {\n shadow_copy_deletions: false,\n boot_config_modifications: false,\n registry_modifications: [],\n service_installations: []\n }\n};\n\n// Known ransomware extensions\nconst ransomwareExtensions = [\n '.locked', '.encrypted', '.crypted', '.crypto', '.crypt', '.enc',\n '.lockbit', '.blackcat', '.royal', '.play', '.alphv', '.cl0p',\n '.cerber', '.locky', '.wannacry', '.petya', '.ryuk', '.maze'\n];\n\n// Known ransom note patterns\nconst ransomNotePatterns = [\n 'README', 'HOW_TO_DECRYPT', 'DECRYPT_INSTRUCTIONS', 'RECOVERY',\n 'YOUR_FILES', 'LOCKED', 'ENCRYPTED', 'RANSOM'\n];\n\n// Suspicious command patterns\nconst suspiciousCommands = [\n 'vssadmin.exe delete shadows',\n 'wmic shadowcopy delete',\n 'bcdedit /set {default} recoveryenabled no',\n 'bcdedit /set {default} bootstatuspolicy ignoreallfailures',\n 'wbadmin delete 
catalog',\n 'cipher /w:',\n 'del /s /f /q'\n];\n\n// Process each file system event\nlet totalEntropy = 0;\nlet totalFileSize = 0;\n\nevents.forEach(event => {\n // Count operation types\n switch (event.operation?.toLowerCase()) {\n case 'create':\n case 'created':\n metrics.file_operations.files_created++;\n break;\n case 'modify':\n case 'modified':\n case 'write':\n metrics.file_operations.files_modified++;\n break;\n case 'rename':\n case 'renamed':\n metrics.file_operations.files_renamed++;\n \n // Check for suspicious extension changes\n const oldExt = event.old_path?.split('.').pop()?.toLowerCase();\n const newExt = event.new_path?.split('.').pop()?.toLowerCase();\n if (oldExt && newExt && oldExt !== newExt) {\n metrics.file_operations.file_extensions_changed.push({\n from: oldExt,\n to: newExt,\n path: event.new_path\n });\n \n if (ransomwareExtensions.includes(`.${newExt}`)) {\n metrics.file_operations.suspicious_extensions.push(`.${newExt}`);\n }\n }\n break;\n case 'delete':\n case 'deleted':\n metrics.file_operations.files_deleted++;\n break;\n }\n \n // Track directories\n const directory = event.path?.split('/').slice(0, -1).join('/') || \n event.path?.split('\\\\').slice(0, -1).join('\\\\');\n if (directory) {\n metrics.file_operations.unique_directories_affected.add(directory);\n }\n \n // Check for ransom notes\n const filename = event.path?.split('/').pop() || event.path?.split('\\\\').pop() || '';\n const filenameUpper = filename.toUpperCase();\n if (ransomNotePatterns.some(pattern => filenameUpper.includes(pattern)) &&\n (filename.endsWith('.txt') || filename.endsWith('.html') || filename.endsWith('.hta'))) {\n metrics.file_operations.ransom_notes_created.push(filename);\n }\n \n // Entropy analysis (high entropy = encrypted data)\n if (event.entropy !== undefined) {\n totalEntropy += event.entropy;\n if (event.entropy > 7.5) {\n metrics.file_operations.entropy_analysis.high_entropy_files++;\n }\n if (event.entropy_increase && 
event.entropy_increase > 1.0) {\n metrics.file_operations.entropy_analysis.entropy_increase_count++;\n }\n }\n \n // File size tracking\n if (event.size_bytes) {\n totalFileSize += event.size_bytes;\n metrics.file_operations.total_bytes_written += event.size_bytes;\n }\n \n // Process tracking\n if (event.process_name) {\n metrics.process_activity.unique_processes.add(event.process_name);\n \n // Track high I/O processes\n const existingProcess = metrics.process_activity.high_io_processes\n .find(p => p.pid === event.process_id);\n if (existingProcess) {\n existingProcess.operation_count++;\n } else if (event.io_rate_ops_per_sec > 100) {\n metrics.process_activity.high_io_processes.push({\n name: event.process_name,\n pid: event.process_id,\n operation_count: 1,\n io_rate: `${event.io_rate_ops_per_sec} ops/sec`\n });\n }\n }\n \n // Command line analysis\n if (event.command_line) {\n suspiciousCommands.forEach(pattern => {\n if (event.command_line.toLowerCase().includes(pattern.toLowerCase())) {\n metrics.process_activity.suspicious_commands.push(event.command_line);\n \n // Flag system changes\n if (pattern.includes('vssadmin') || pattern.includes('shadowcopy')) {\n metrics.system_changes.shadow_copy_deletions = true;\n }\n if (pattern.includes('bcdedit')) {\n metrics.system_changes.boot_config_modifications = true;\n }\n }\n });\n }\n \n // Network activity\n if (event.network_connection) {\n if (event.network_connection.protocol === 'SMB') {\n metrics.network_activity.smb_connections++;\n if (event.network_connection.target_host) {\n metrics.network_activity.lateral_movement.push({\n target: event.network_connection.target_host,\n protocol: 'SMB',\n status: event.network_connection.status || 'unknown'\n });\n }\n }\n if (event.network_connection.protocol === 'RDP') {\n metrics.network_activity.rdp_connections++;\n }\n \n // Check for C2 connections (external IPs)\n if (event.network_connection.remote_ip && \n !event.network_connection.remote_ip.startsWith('10.') 
&&\n !event.network_connection.remote_ip.startsWith('192.168.') &&\n !event.network_connection.remote_ip.startsWith('172.16.')) {\n metrics.network_activity.c2_connections.push({\n ip: event.network_connection.remote_ip,\n port: event.network_connection.remote_port,\n country: event.network_connection.country || 'Unknown'\n });\n }\n }\n});\n\n// Calculate averages and rates\nif (events.length > 0) {\n metrics.file_operations.avg_file_size_bytes = Math.round(totalFileSize / events.length);\n metrics.file_operations.operations_per_second = parseFloat((events.length / 30).toFixed(2));\n metrics.file_operations.entropy_analysis.avg_entropy = parseFloat(\n (totalEntropy / events.length).toFixed(2)\n );\n}\n\n// Convert Sets to Arrays for JSON serialization\nmetrics.file_operations.unique_directories_affected = \n Array.from(metrics.file_operations.unique_directories_affected);\nmetrics.process_activity.unique_processes = \n Array.from(metrics.process_activity.unique_processes);\n\n// Remove duplicates\nmetrics.file_operations.suspicious_extensions = \n [...new Set(metrics.file_operations.suspicious_extensions)];\nmetrics.process_activity.suspicious_commands = \n [...new Set(metrics.process_activity.suspicious_commands)];\nmetrics.network_activity.c2_connections = \n metrics.network_activity.c2_connections.filter((conn, index, self) =>\n index === self.findIndex(c => c.ip === conn.ip && c.port === conn.port)\n );\n\n// Calculate initial risk indicators\nconst risk_indicators = {\n high_entropy_file_ratio: events.length > 0 ? 
\n parseFloat((metrics.file_operations.entropy_analysis.high_entropy_files / events.length).toFixed(2)) : 0,\n rapid_file_modification: metrics.file_operations.operations_per_second > 8,\n suspicious_extension_detected: metrics.file_operations.suspicious_extensions.length > 0,\n ransom_note_detected: metrics.file_operations.ransom_notes_created.length > 0,\n shadow_copy_deletion: metrics.system_changes.shadow_copy_deletions,\n lateral_movement_detected: metrics.network_activity.lateral_movement.length > 0,\n c2_communication: metrics.network_activity.c2_connections.length > 0\n};\n\nmetrics.risk_indicators = risk_indicators;\nmetrics.aggregation_timestamp = new Date().toISOString();\nmetrics.requires_ai_analysis = \n risk_indicators.rapid_file_modification ||\n risk_indicators.suspicious_extension_detected ||\n risk_indicators.ransom_note_detected ||\n risk_indicators.shadow_copy_deletion;\n\nreturn { json: { behaviorMetrics: metrics } };"
},
"typeVersion": 2
},
{
"id": "4ede8aa3-be5f-43d0-b8e8-244615303218",
"name": "Wait for Batch Window (30s)",
"type": "n8n-nodes-base.wait",
"position": [
1712,
784
],
"parameters": {
"resume": "webhook",
"options": {}
},
"typeVersion": 1.1
},
{
"id": "049047b7-e9ea-4432-9e4a-51f82b67e8cb",
"name": "Claude AI Ransomware Threat Analysis",
"type": "@n8n/n8n-nodes-langchain.agent",
"position": [
1936,
784
],
"parameters": {
"text": "=You are a senior cybersecurity analyst and ransomware detection specialist with expertise in MITRE ATT&CK framework, digital forensics, and behavioral threat analysis.\n\nAnalyze this file system behavior pattern and determine if it indicates active ransomware encryption.\n\n**System Information:**\n- Hostname: {{ $json.behaviorMetrics.hostname }}\n- Username: {{ $json.behaviorMetrics.username }}\n- Detection Window: {{ $json.behaviorMetrics.detection_window_seconds }}s\n- Timestamp: {{ $json.behaviorMetrics.detection_window_end }}\n\n**File Operations (30-second window):**\n- Total Operations: {{ $json.behaviorMetrics.file_operations.total_operations }}\n- Files Created: {{ $json.behaviorMetrics.file_operations.files_created }}\n- Files Modified: {{ $json.behaviorMetrics.file_operations.files_modified }}\n- Files Renamed: {{ $json.behaviorMetrics.file_operations.files_renamed }}\n- Files Deleted: {{ $json.behaviorMetrics.file_operations.files_deleted }}\n- Operations per Second: {{ $json.behaviorMetrics.file_operations.operations_per_second }}\n- Unique Directories: {{ $json.behaviorMetrics.file_operations.unique_directories_affected.length }}\n- Total Bytes Written: {{ $json.behaviorMetrics.file_operations.total_bytes_written }}\n\n**Extension Analysis:**\n- Extensions Changed: {{ JSON.stringify($json.behaviorMetrics.file_operations.file_extensions_changed) }}\n- Suspicious Extensions Detected: {{ JSON.stringify($json.behaviorMetrics.file_operations.suspicious_extensions) }}\n- Ransom Notes Created: {{ JSON.stringify($json.behaviorMetrics.file_operations.ransom_notes_created) }}\n\n**Entropy Analysis (Encryption Indicator):**\n- High Entropy Files (>7.5): {{ $json.behaviorMetrics.file_operations.entropy_analysis.high_entropy_files }}\n- Average Entropy: {{ $json.behaviorMetrics.file_operations.entropy_analysis.avg_entropy }}\n- Entropy Increase Events: {{ $json.behaviorMetrics.file_operations.entropy_analysis.entropy_increase_count }}\n\n**Process 
Activity:**\n- Active Processes: {{ JSON.stringify($json.behaviorMetrics.process_activity.unique_processes) }}\n- High I/O Processes: {{ JSON.stringify($json.behaviorMetrics.process_activity.high_io_processes) }}\n- Suspicious Commands Executed: {{ JSON.stringify($json.behaviorMetrics.process_activity.suspicious_commands) }}\n\n**System Changes:**\n- Shadow Copy Deletion Detected: {{ $json.behaviorMetrics.system_changes.shadow_copy_deletions }}\n- Boot Config Modified: {{ $json.behaviorMetrics.system_changes.boot_config_modifications }}\n\n**Network Activity:**\n- C2 Connections: {{ JSON.stringify($json.behaviorMetrics.network_activity.c2_connections) }}\n- Lateral Movement Attempts: {{ JSON.stringify($json.behaviorMetrics.network_activity.lateral_movement) }}\n- SMB Connections: {{ $json.behaviorMetrics.network_activity.smb_connections }}\n\n**Risk Indicators:**\n{{ JSON.stringify($json.behaviorMetrics.risk_indicators, null, 2) }}\n\n**Analysis Requirements:**\n1. Assess threat level (0-100) based on behavioral indicators\n2. Classify attack type (crypto-locker, wiper, ransomware-as-a-service, or false positive)\n3. Identify ransomware family if possible (LockBit, BlackCat, Royal, Play, etc.)\n4. Determine confidence level (HIGH/MEDIUM/LOW)\n5. Recommend immediate action (ISOLATE_IMMEDIATELY, MONITOR_CLOSELY, or NO_ACTION)\n6. Map to MITRE ATT&CK techniques\n7. 
Provide forensic indicators for investigation\n\n**Response Format (JSON only, no markdown):**\n{\n \"threat_assessment\": {\n \"is_ransomware\": true,\n \"threat_score\": 85,\n \"confidence_level\": \"HIGH\",\n \"threat_classification\": \"CRYPTO_LOCKER_RANSOMWARE\",\n \"severity\": \"CRITICAL\"\n },\n \"ransomware_family\": {\n \"suspected_family\": \"LockBit 3.0\",\n \"family_confidence\": \"MEDIUM\",\n \"indicators_matched\": [\"shadow copy deletion\", \"high entropy files\", \".locked extension\"]\n },\n \"behavioral_analysis\": {\n \"encryption_behavior_detected\": true,\n \"mass_file_modification\": true,\n \"system_recovery_sabotage\": true,\n \"lateral_movement_attempts\": false,\n \"c2_communication\": true,\n \"ransom_note_deployment\": true\n },\n \"mitre_attack_techniques\": [\n \"T1486 - Data Encrypted for Impact\",\n \"T1490 - Inhibit System Recovery\",\n \"T1059 - Command and Scripting Interpreter\",\n \"T1105 - Ingress Tool Transfer\"\n ],\n \"forensic_indicators\": {\n \"file_markers\": [\"list of suspicious files or patterns\"],\n \"process_markers\": [\"suspicious process names or command lines\"],\n \"network_markers\": [\"C2 IPs or domains\"],\n \"registry_markers\": [\"persistence mechanisms\"]\n },\n \"attack_timeline\": {\n \"infection_vector\": \"suspected phishing email or exploit\",\n \"initial_compromise_estimate\": \"ISO timestamp estimate\",\n \"encryption_start_time\": \"ISO timestamp\",\n \"current_stage\": \"active encryption phase\"\n },\n \"impact_assessment\": {\n \"files_encrypted_estimated\": 247,\n \"directories_affected\": 15,\n \"data_loss_risk\": \"HIGH\",\n \"business_impact\": \"CRITICAL - Production data encryption in progress\"\n },\n \"recommended_action\": \"ISOLATE_IMMEDIATELY\",\n \"isolation_justification\": \"Active encryption detected with high confidence. 
Immediate network isolation required to prevent spread.\",\n \"containment_priority\": \"IMMEDIATE\",\n \"investigation_priority_actions\": [\n \"Isolate host from network\",\n \"Kill encryption process\",\n \"Preserve memory dump\",\n \"Collect network traffic logs\",\n \"Check for lateral movement\"\n ],\n \"false_positive_probability\": 0.05,\n \"false_positive_reasoning\": \"Brief explanation if FP probability > 0.1\",\n \"analyst_notes\": \"Brief summary for SOC team with key findings and urgency\"\n}",
"options": {
"systemMessage": "You are a senior cybersecurity analyst specializing in ransomware detection. Respond with valid JSON only \u2014 no markdown, no code blocks, no preamble. Base your analysis on MITRE ATT&CK, NIST guidelines, and current ransomware threat intelligence."
},
"promptType": "define"
},
"typeVersion": 1.6
},
{
"id": "33dac890-11e7-4bbb-9b27-31b25fa6c0d8",
"name": "Claude AI Model",
"type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
"position": [
2016,
1008
],
"parameters": {
"model": "=claude-sonnet-4-20250514",
"options": {
"temperature": 0.1
}
},
"credentials": {
"anthropicApi": {
"name": "<your credential>"
}
},
"typeVersion": 1
},
{
"id": "c8d58737-1567-4e97-b49d-30f29bf510ea",
"name": "Parse AI Threat Assessment",
"type": "n8n-nodes-base.code",
"position": [
2288,
784
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const aiResponse = $input.item.json;\nlet aiText = aiResponse.response || aiResponse.output || aiResponse.text || '';\n\n// Handle Anthropic content array format\nif (aiResponse.content && Array.isArray(aiResponse.content)) {\n aiText = aiResponse.content[0]?.text || '';\n}\n\n// Strip markdown code blocks\nconst cleanText = aiText\n .replace(/```json\\s*/g, '')\n .replace(/```\\s*/g, '')\n .trim();\n\nlet threatAnalysis;\ntry {\n threatAnalysis = JSON.parse(cleanText);\n} catch (error) {\n throw new Error(`Failed to parse Claude AI threat analysis: ${error.message}. Raw: ${cleanText.substring(0, 200)}`);\n}\n\n// Pull behavior metrics from upstream\nconst behaviorMetrics = $('Aggregate File Operations (30s Window)').item.json.behaviorMetrics;\n\n// Create comprehensive threat report\nconst threatReport = {\n detection_id: `RANSOMWARE-${Date.now()}-${Math.random().toString(36).substr(2, 8).toUpperCase()}`,\n detected_at: new Date().toISOString(),\n detection_source: 'Claude AI Ransomware Detection Engine v1.0',\n \n // System context\n affected_system: {\n hostname: behaviorMetrics.hostname,\n username: behaviorMetrics.username,\n detection_window: `${behaviorMetrics.detection_window_start} to ${behaviorMetrics.detection_window_end}`\n },\n \n // AI threat assessment\n threat_analysis: threatAnalysis.threat_assessment,\n ransomware_family: threatAnalysis.ransomware_family,\n behavioral_analysis: threatAnalysis.behavioral_analysis,\n mitre_attack_techniques: threatAnalysis.mitre_attack_techniques,\n \n // Raw behavior data\n behavior_metrics: behaviorMetrics,\n \n // Forensic evidence\n forensic_indicators: threatAnalysis.forensic_indicators,\n attack_timeline: threatAnalysis.attack_timeline,\n impact_assessment: threatAnalysis.impact_assessment,\n \n // Response decision\n recommended_action: threatAnalysis.recommended_action,\n isolation_required: threatAnalysis.recommended_action === 'ISOLATE_IMMEDIATELY',\n isolation_justification: 
threatAnalysis.isolation_justification,\n containment_priority: threatAnalysis.containment_priority,\n \n // Investigation guidance\n investigation_actions: threatAnalysis.investigation_priority_actions,\n analyst_notes: threatAnalysis.analyst_notes,\n \n // Confidence metrics\n confidence_level: threatAnalysis.threat_assessment.confidence_level,\n threat_score: threatAnalysis.threat_assessment.threat_score,\n false_positive_probability: threatAnalysis.false_positive_probability,\n \n // Status\n status: 'ANALYZED',\n next_action: threatAnalysis.threat_assessment.threat_score >= 75 ? 'INITIATE_ISOLATION' : 'MONITOR'\n};\n\nreturn { json: { threatReport } };"
},
"typeVersion": 2
},
{
"id": "1d640396-e79d-40aa-ba03-f285c678c4f8",
"name": "Threat Score >= 75? (Auto-Isolate Threshold)",
"type": "n8n-nodes-base.if",
"position": [
2512,
784
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": false,
"typeValidation": "strict"
},
"combinator": "and",
"conditions": [
{
"operator": {
"type": "number",
"operation": "largerEqual"
},
"leftValue": "={{ $json.threatReport.threat_score }}",
"rightValue": 75
}
]
}
},
"typeVersion": 2
},
{
"id": "a05b8e20-2774-41c0-a271-f6f810990d90",
"name": "Confirm Isolation Required",
"type": "n8n-nodes-base.if",
"position": [
2736,
688
],
"parameters": {
"options": {},
"conditions": {
"options": {
"leftValue": "",
"caseSensitive": false,
"typeValidation": "strict"
},
"combinator": "or",
"conditions": [
{
"operator": {
"type": "boolean",
"operation": "true"
},
"leftValue": "={{ $json.threatReport.isolation_required }}"
},
{
"operator": {
"type": "string",
"operation": "equals"
},
"leftValue": "={{ $json.threatReport.recommended_action }}",
"rightValue": "ISOLATE_IMMEDIATELY"
}
]
}
},
"typeVersion": 2
},
{
"id": "482eea79-1446-469f-990f-26f8e0241267",
"name": "Capture Forensic Snapshot",
"type": "n8n-nodes-base.httpRequest",
"position": [
2960,
688
],
"parameters": {
"url": "=https://edr-api.company.com/v1/forensics/snapshot",
"method": "POST",
"options": {
"timeout": 30000
},
"sendBody": true,
"authentication": "genericCredentialType",
"bodyParameters": {
"parameters": [
{
"name": "hostname",
"value": "={{ $json.threatReport.affected_system.hostname }}"
},
{
"name": "snapshot_type",
"value": "full"
},
{
"name": "capture_memory",
"value": true
},
{
"name": "capture_process_tree",
"value": true
},
{
"name": "capture_network_connections",
"value": true
},
{
"name": "capture_file_operations_log",
"value": true
},
{
"name": "incident_id",
"value": "={{ $json.threatReport.detection_id }}"
}
]
},
"genericAuthType": "httpHeaderAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "3eeb410a-2188-4899-90e2-f4085af95ca8",
"name": "Execute System Isolation",
"type": "n8n-nodes-base.httpRequest",
"position": [
3184,
688
],
"parameters": {
"url": "=https://edr-api.company.com/v1/endpoint/isolate",
"method": "POST",
"options": {
"timeout": 30000,
"response": {
"response": {
"responseFormat": "json"
}
}
},
"sendBody": true,
"authentication": "genericCredentialType",
"bodyParameters": {
"parameters": [
{
"name": "hostname",
"value": "={{ $json.threatReport.affected_system.hostname }}"
},
{
"name": "isolation_type",
"value": "network_full"
},
{
"name": "kill_processes",
"value": "={{ JSON.stringify($json.threatReport.forensic_indicators.process_markers) }}"
},
{
"name": "block_network_adapters",
"value": true
},
{
"name": "disable_smb_shares",
"value": true
},
{
"name": "incident_id",
"value": "={{ $json.threatReport.detection_id }}"
},
{
"name": "justification",
"value": "={{ $json.threatReport.isolation_justification }}"
},
{
"name": "analyst_authorization",
"value": "Claude AI Auto-Isolation (Threat Score: {{ $json.threatReport.threat_score }})"
}
]
},
"genericAuthType": "httpHeaderAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.2
},
{
"id": "c263e2b3-01b7-44f8-85c8-92a77dfa32e6",
"name": "Terminate Encryption Process",
"type": "n8n-nodes-base.httpRequest",
"position": [
3408,
688
],
"parameters": {
"url": "=https://edr-api.company.com/v1/process/terminate",
"method": "POST",
"options": {},
"sendBody": true,
"authentication": "genericCredentialType",
"bodyParameters": {
"parameters": [
{
"name": "hostname",
"value": "={{ $json.threatReport.affected_system.hostname }}"
},
{
"name": "process_identifiers",
"value": "={{ JSON.stringify($json.threatReport.behavior_metrics.process_activity.high_io_processes) }}"
},
{
"name": "force_kill",
"value": true
},
{
"name": "incident_id",
"value": "={{ $json.threatReport.detection_id }}"
}
]
},
"genericAuthType": "httpHeaderAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "db640fec-9431-46e5-85c4-10fe0956a4a7",
"name": "Alert SOC \u2014 Critical Ransomware Detection",
"type": "n8n-nodes-base.slack",
"position": [
3632,
496
],
"parameters": {
"resource": "channel",
"channelId": {
"__rl": true,
"mode": "list",
"value": ""
}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.2,
"continueOnFail": true
},
{
"id": "97f393b1-50d3-4b7f-a9e2-093507a8bc39",
"name": "Email Security Team",
"type": "n8n-nodes-base.emailSend",
"position": [
3632,
688
],
"parameters": {
"options": {},
"subject": "=[CRITICAL] Ransomware Detection \u2014 {{ $json.threatReport.affected_system.hostname }} \u2014 ISOLATED",
"toEmail": "user@example.com, user@example.com",
"fromEmail": "user@example.com"
},
"credentials": {
"smtp": {
"name": "<your credential>"
}
},
"typeVersion": 2.1,
"continueOnFail": true
},
{
"id": "538edce0-cb79-4b17-8b5c-8d12f375532b",
"name": "Trigger PagerDuty Incident",
"type": "n8n-nodes-base.httpRequest",
"position": [
3632,
880
],
"parameters": {
"url": "https://events.pagerduty.com/v2/enqueue",
"method": "POST",
"options": {},
"jsonBody": "={\n \"routing_key\": \"YOUR_PAGERDUTY_INTEGRATION_KEY\",\n \"event_action\": \"trigger\",\n \"dedup_key\": \"{{ $json.threatReport.detection_id }}\",\n \"payload\": {\n \"summary\": \"CRITICAL: Ransomware detected on {{ $json.threatReport.affected_system.hostname }} \u2014 System Isolated\",\n \"severity\": \"critical\",\n \"source\": \"{{ $json.threatReport.affected_system.hostname }}\",\n \"component\": \"ransomware-detection\",\n \"group\": \"security-incidents\",\n \"class\": \"ransomware\",\n \"custom_details\": {\n \"detection_id\": \"{{ $json.threatReport.detection_id }}\",\n \"threat_score\": {{ $json.threatReport.threat_score }},\n \"threat_classification\": \"{{ $json.threatReport.threat_analysis.threat_classification }}\",\n \"ransomware_family\": \"{{ $json.threatReport.ransomware_family.suspected_family }}\",\n \"confidence_level\": \"{{ $json.threatReport.confidence_level }}\",\n \"files_encrypted\": {{ $json.threatReport.impact_assessment.files_encrypted_estimated }},\n \"isolation_status\": \"ISOLATED\",\n \"incident_dashboard\": \"https://soc.company.com/incidents/{{ $json.threatReport.detection_id }}\"\n }\n },\n \"links\": [\n {\n \"href\": \"https://soc.company.com/incidents/{{ $json.threatReport.detection_id }}\",\n \"text\": \"View Incident Dashboard\"\n }\n ]\n}",
"sendBody": true,
"specifyBody": "json"
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "fdd155a2-06c7-4daa-b899-6c5c61f44442",
"name": "Forward to SIEM (Splunk/Elastic)",
"type": "n8n-nodes-base.httpRequest",
"position": [
3856,
592
],
"parameters": {
"url": "=https://siem.company.com/api/v1/events",
"method": "POST",
"options": {
"response": {
"response": {
"responseFormat": "json"
}
}
},
"jsonBody": "={{ JSON.stringify($json.threatReport) }}",
"sendBody": true,
"specifyBody": "json",
"authentication": "genericCredentialType",
"genericAuthType": "httpHeaderAuth"
},
"credentials": {
"httpHeaderAuth": {
"name": "<your credential>"
}
},
"typeVersion": 4.2,
"continueOnFail": true
},
{
"id": "8775fc52-d7fe-48b7-8cdd-688d262bde6a",
"name": "Write to Isolation Audit Log",
"type": "n8n-nodes-base.googleSheets",
"position": [
4080,
592
],
"parameters": {
"columns": {
"value": {},
"schema": [],
"mappingMode": "autoMapInputData",
"matchingColumns": [],
"attemptToConvertTypes": false,
"convertFieldsToString": false
},
"options": {},
"operation": "append",
"sheetName": {
"__rl": true,
"mode": "id",
"value": "=Ransomware_Isolation_Audit_Log"
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "YOUR_GOOGLE_SHEET_ID"
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
},
{
"id": "575c3fa5-810c-4c8f-b57b-c4f72aaeedb4",
"name": "Build Incident Response Summary",
"type": "n8n-nodes-base.code",
"position": [
4304,
592
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const threatReport = $('Parse AI Threat Assessment').item.json.threatReport;\nconst forensicSnapshot = $('Capture Forensic Snapshot').item.json;\nconst isolationResult = $('Execute System Isolation').item.json;\n\nconst incidentSummary = {\n success: true,\n detection_id: threatReport.detection_id,\n incident_type: 'RANSOMWARE_ATTACK',\n detected_at: threatReport.detected_at,\n \n affected_system: threatReport.affected_system,\n \n threat_assessment: {\n classification: threatReport.threat_analysis.threat_classification,\n threat_score: threatReport.threat_score,\n confidence: threatReport.confidence_level,\n ransomware_family: threatReport.ransomware_family.suspected_family,\n severity: threatReport.threat_analysis.severity\n },\n \n impact: {\n files_encrypted: threatReport.impact_assessment.files_encrypted_estimated,\n directories_affected: threatReport.impact_assessment.directories_affected,\n business_impact: threatReport.impact_assessment.business_impact\n },\n \n automated_response: {\n // Report the isolation node's actual result; '|| true' would always report success\n isolation_executed: isolationResult?.isolated === true,\n isolation_type: 'NETWORK_FULL',\n processes_terminated: threatReport.forensic_indicators.process_markers?.length || 0,\n forensic_snapshot_captured: forensicSnapshot?.snapshot_id || 'CAPTURED',\n smb_shares_disabled: true,\n network_adapters_blocked: true,\n response_time_seconds: Math.round((new Date() - new Date(threatReport.detected_at)) / 1000)\n },\n \n notifications: {\n soc_alerted: true,\n email_sent: true,\n pagerduty_triggered: true,\n siem_forwarded: true\n },\n \n investigation: {\n incident_dashboard_url: `https://soc.company.com/incidents/${threatReport.detection_id}`,\n forensic_snapshot_id: forensicSnapshot?.snapshot_id || 'PENDING',\n siem_query: `index=edr hostname=${threatReport.affected_system.hostname} earliest=-1h`,\n priority_actions: threatReport.investigation_actions\n },\n \n mitre_attack: threatReport.mitre_attack_techniques,\n \n analyst_notes: threatReport.analyst_notes,\n \n processing_status: 'INCIDENT_CONTAINED',\n next_steps: [\n 'SOC team investigating root cause',\n 'Forensic analysis in progress',\n 'Checking for lateral movement',\n 'Coordinating with business stakeholders on impact',\n 'Preparing regulatory notifications if required'\n ],\n \n processed_at: new Date().toISOString()\n};\n\nreturn { json: incidentSummary };"
},
"typeVersion": 2
},
{
"id": "c53204b8-c6c1-4101-b7c2-bfb4dba3ba03",
"name": "Send Detection Response",
"type": "n8n-nodes-base.respondToWebhook",
"position": [
4528,
592
],
"parameters": {
"options": {
"responseHeaders": {
"entries": [
{
"name": "Content-Type",
"value": "application/json"
}
]
}
},
"respondWith": "json",
"responseBody": "={{ JSON.stringify($json, null, 2) }}"
},
"typeVersion": 1
},
{
"id": "10db99e1-44f2-486d-9a02-543fdf39ab19",
"name": "Enhanced Monitoring Mode",
"type": "n8n-nodes-base.code",
"position": [
2736,
880
],
"parameters": {
"mode": "runOnceForEachItem",
"jsCode": "const threatReport = $('Parse AI Threat Assessment').item.json.threatReport;\n\n// Threat score below 75 - monitor but don't isolate\nconst monitoringAlert = {\n alert_type: 'SUSPICIOUS_BEHAVIOR_DETECTED',\n detection_id: threatReport.detection_id,\n threat_score: threatReport.threat_score,\n confidence: threatReport.confidence_level,\n hostname: threatReport.affected_system.hostname,\n username: threatReport.affected_system.username,\n detected_at: threatReport.detected_at,\n \n behavior_summary: {\n classification: threatReport.threat_analysis.threat_classification,\n suspicious_indicators: Object.entries(threatReport.behavioral_analysis)\n .filter(([key, value]) => value === true)\n .map(([key]) => key),\n threat_level: threatReport.threat_analysis.severity\n },\n \n recommended_action: 'ENHANCED_MONITORING',\n monitoring_instructions: [\n 'Increase log collection frequency',\n 'Monitor file system activity closely',\n 'Watch for escalation in threat score',\n 'Alert if additional suspicious behavior detected',\n 'Prepare for potential isolation if threat increases'\n ],\n \n analyst_notes: threatReport.analyst_notes,\n \n escalation_criteria: {\n auto_isolate_if_threat_score_exceeds: 75,\n alert_soc_if: [\n 'Threat score increases by 20+ points',\n 'Ransomware family identification confidence increases to HIGH',\n 'Mass file encryption begins',\n 'Shadow copy deletion detected'\n ]\n },\n \n status: 'MONITORING'\n};\n\nreturn { json: monitoringAlert };"
},
"typeVersion": 2
},
{
"id": "a6e6963e-9d75-4173-b0f4-bfd23c788955",
"name": "Notify SOC \u2014 Monitoring Alert",
"type": "n8n-nodes-base.slack",
"position": [
2960,
880
],
"parameters": {
"resource": "channel",
"channelId": {
"__rl": true,
"mode": "list",
"value": ""
}
},
"credentials": {
"slackApi": {
"name": "<your credential>"
}
},
"typeVersion": 2.2,
"continueOnFail": true
},
{
"id": "28349131-9b56-4d6e-a794-5aeaad113447",
"name": "Log Monitoring Alert",
"type": "n8n-nodes-base.googleSheets",
"position": [
3184,
880
],
"parameters": {
"columns": {
"value": {},
"schema": [],
"mappingMode": "autoMapInputData",
"matchingColumns": [],
"attemptToConvertTypes": false,
"convertFieldsToString": false
},
"options": {},
"operation": "append",
"sheetName": {
"__rl": true,
"mode": "id",
"value": "=Suspicious_Behavior_Monitoring"
},
"documentId": {
"__rl": true,
"mode": "id",
"value": "YOUR_GOOGLE_SHEET_ID"
},
"authentication": "serviceAccount"
},
"credentials": {
"googleApi": {
"name": "<your credential>"
}
},
"typeVersion": 4.5,
"continueOnFail": true
}
],
"active": false,
"settings": {
"executionOrder": "v1"
},
"versionId": "69bd2186-b5a4-477e-834b-a57bf149575c",
"connections": {
"Claude AI Model": {
"ai_languageModel": [
[
{
"node": "Claude AI Ransomware Threat Analysis",
"type": "ai_languageModel",
"index": 0
}
]
]
},
"Email Security Team": {
"main": [
[
{
"node": "Forward to SIEM (Splunk/Elastic)",
"type": "main",
"index": 0
}
]
]
},
"Enhanced Monitoring Mode": {
"main": [
[
{
"node": "Notify SOC \u2014 Monitoring Alert",
"type": "main",
"index": 0
}
]
]
},
"Execute System Isolation": {
"main": [
[
{
"node": "Terminate Encryption Process",
"type": "main",
"index": 0
}
]
]
},
"File System Event Stream": {
"main": [
[
{
"node": "Aggregate File Operations (30s Window)",
"type": "main",
"index": 0
}
]
]
},
"Capture Forensic Snapshot": {
"main": [
[
{
"node": "Execute System Isolation",
"type": "main",
"index": 0
}
]
]
},
"Confirm Isolation Required": {
"main": [
[
{
"node": "Capture Forensic Snapshot",
"type": "main",
"index": 0
}
]
]
},
"Parse AI Threat Assessment": {
"main": [
[
{
"node": "Threat Score >= 75? (Auto-Isolate Threshold)",
"type": "main",
"index": 0
}
]
]
},
"Trigger PagerDuty Incident": {
"main": [
[
{
"node": "Forward to SIEM (Splunk/Elastic)",
"type": "main",
"index": 0
}
]
]
},
"Wait for Batch Window (30s)": {
"main": [
[
{
"node": "Claude AI Ransomware Threat Analysis",
"type": "main",
"index": 0
}
]
]
},
"Terminate Encryption Process": {
"main": [
[
{
"node": "Alert SOC \u2014 Critical Ransomware Detection",
"type": "main",
"index": 0
},
{
"node": "Email Security Team",
"type": "main",
"index": 0
},
{
"node": "Trigger PagerDuty Incident",
"type": "main",
"index": 0
}
]
]
},
"Write to Isolation Audit Log": {
"main": [
[
{
"node": "Build Incident Response Summary",
"type": "main",
"index": 0
}
]
]
},
"Build Incident Response Summary": {
"main": [
[
{
"node": "Send Detection Response",
"type": "main",
"index": 0
}
]
]
},
"Notify SOC \u2014 Monitoring Alert": {
"main": [
[
{
"node": "Log Monitoring Alert",
"type": "main",
"index": 0
}
]
]
},
"Forward to SIEM (Splunk/Elastic)": {
"main": [
[
{
"node": "Write to Isolation Audit Log",
"type": "main",
"index": 0
}
]
]
},
"Claude AI Ransomware Threat Analysis": {
"main": [
[
{
"node": "Parse AI Threat Assessment",
"type": "main",
"index": 0
}
]
]
},
"Aggregate File Operations (30s Window)": {
"main": [
[
{
"node": "Wait for Batch Window (30s)",
"type": "main",
"index": 0
}
]
]
},
"Alert SOC \u2014 Critical Ransomware Detection": {
"main": [
[
{
"node": "Forward to SIEM (Splunk/Elastic)",
"type": "main",
"index": 0
}
]
]
},
"Threat Score >= 75? (Auto-Isolate Threshold)": {
"main": [
[
{
"node": "Confirm Isolation Required",
"type": "main",
"index": 0
}
],
[
{
"node": "Enhanced Monitoring Mode",
"type": "main",
"index": 0
}
]
]
}
}
}
Credentials you'll need
Each integration node will prompt for credentials when you import. We strip credential IDs before publishing — you'll add your own.
anthropicApi, googleApi, httpHeaderAuth, slackApi, smtp
About this workflow
This workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response. File System Monitoring - Continuously monitors file operations (create, modify, rename, delete) across critical directories…
Source: https://n8n.io/workflows/13706/ — original creator credit.