{
  "name": "Automate cybersecurity incident response with Claude AI, VirusTotal and Slack",
  "nodes": [
    {
      "id": "87291e5f-c3d5-466a-83a1-de7a7213833c",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        -336,
        0
      ],
      "parameters": {
        "width": 876,
        "height": 1220,
        "content": "## Cybersecurity Incident Response Automation with Claude AI\n\nThis workflow automates end-to-end cybersecurity incident response by ingesting alerts from multiple sources, enriching threat intelligence..."
      }
    },
    {
      "id": "3c5bc9a7-7d64-4b00-bcf6-8e3d79486bbf",
      "name": "Sticky Note1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        672,
        512
      ],
      "parameters": {
        "width": 440,
        "height": 328,
        "content": "## 1. Alert Ingestion & Normalization"
      }
    },
    {
      "id": "4e96588f-1344-466f-a9b2-7f13ae0a402a",
      "name": "Sticky Note2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1210,
        340
      ],
      "parameters": {
        "width": 716,
        "height": 684,
        "content": "## 2. Threat Intelligence Enrichment"
      }
    },
    {
      "id": "49feca99-89fb-470c-8014-883e4abdc3f1",
      "name": "Sticky Note3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1944,
        548
      ],
      "parameters": {
        "width": 720,
        "height": 284,
        "content": "## 3. AI Severity Assessment & Playbook"
      }
    },
    {
      "id": "3dfedbe3-e986-4b82-8b6a-5fb23b748565",
      "name": "Sticky Note4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        2688,
        272
      ],
      "parameters": {
        "width": 1332,
        "height": 828,
        "content": "## 4. Containment, Notification & Ticketing"
      }
    },
    {
      "id": "a2161a2e-d428-453c-85c6-ce19d8b30491",
      "name": "Receive Security Alert",
      "type": "n8n-nodes-base.webhook",
      "position": [
        720,
        672
      ]
    },
    {
      "id": "9f3a37eb-6e55-493e-8197-c342e31468b1",
      "name": "Normalize and Validate Alert",
      "type": "n8n-nodes-base.code",
      "position": [
        944,
        672
      ]
    },
    {
      "id": "6e41f17e-d016-4a38-8199-589e37406213",
      "name": "Check IP on VirusTotal",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1296,
        480
      ]
    },
    {
      "id": "ac6cfdc6-3b7a-447f-aa04-5e1e9d6bac16",
      "name": "Check IP on AbuseIPDB",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1296,
        672
      ]
    },
    {
      "id": "055e3563-d369-4b85-b7a2-98027840115b",
      "name": "Lookup Host on Shodan",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        1296,
        864
      ]
    },
    {
      "id": "30a307db-3d80-4ba5-8759-af013c51b534",
      "name": "Merge Threat Intelligence",
      "type": "n8n-nodes-base.merge",
      "position": [
        1520,
        672
      ]
    },
    {
      "id": "e933942f-8e6b-440b-9adf-0fb70634bf4a",
      "name": "Combine Enrichment Data",
      "type": "n8n-nodes-base.code",
      "position": [
        1744,
        672
      ]
    },
    {
      "id": "44879567-ed26-40bd-bcde-f5d2b7d7e278",
      "name": "Assess Severity with Claude AI",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "position": [
        1968,
        672
      ]
    },
    {
      "id": "587a614a-3619-48ee-9aff-be85263de995",
      "name": "Claude AI Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
      "position": [
        2040,
        896
      ]
    },
    {
      "id": "13b1ed17-d525-4cb3-8b00-19922a6eee68",
      "name": "Parse AI Assessment",
      "type": "n8n-nodes-base.code",
      "position": [
        2320,
        672
      ]
    },
    {
      "id": "42cd014f-9347-41db-8538-be5284179da6",
      "name": "Check Severity for Auto-Containment",
      "type": "n8n-nodes-base.if",
      "position": [
        2544,
        672
      ]
    },
    {
      "id": "0d4cfc9b-7215-4b30-917d-563c4b7e42c2",
      "name": "Block Malicious IP on Firewall",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2768,
        384
      ]
    },
    {
      "id": "b262e14b-1082-4436-bd03-44df626ca148",
      "name": "Isolate Affected Host via EDR",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2768,
        672
      ]
    },
    {
      "id": "d23ef0a4-a970-4569-8794-deddbc19e571",
      "name": "Revoke User Tokens and Sessions",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2768,
        960
      ]
    },
    {
      "id": "84aa8a76-5002-4bdb-8633-d0cfe9172329",
      "name": "Notify SOC Team on Slack",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2992,
        464
      ]
    },
    {
      "id": "fed148a8-b3b9-4035-a4a3-f95d70973808",
      "name": "Create Incident Ticket in Jira",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2992,
        816
      ]
    },
    {
      "id": "8c38991d-dd66-4350-935e-a62599d387b9",
      "name": "Build Final Incident Report",
      "type": "n8n-nodes-base.code",
      "position": [
        3216,
        600
      ]
    },
    {
      "id": "2a25c98d-62f1-4622-ac2a-49d13d24e7f4",
      "name": "Write Compliance Audit Log",
      "type": "n8n-nodes-base.googleSheets",
      "position": [
        3440,
        600
      ]
    },
    {
      "id": "b1c1d7ae-abb6-43f1-a340-6f93f8223222",
      "name": "Send Incident Response to Caller",
      "type": "n8n-nodes-base.respondToWebhook",
      "position": [
        3664,
        600
      ]
    }
  ],
  "connections": {
    "Claude AI Model": {
      "ai_languageModel": [
        [
          {
            "node": "Assess Severity with Claude AI",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Parse AI Assessment": {
      "main": [
        [
          {
            "node": "Check Severity for Auto-Containment",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check IP on AbuseIPDB": {
      "main": [
        [
          {
            "node": "Merge Threat Intelligence",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Lookup Host on Shodan": {
      "main": [
        [
          {
            "node": "Merge Threat Intelligence",
            "type": "main",
            "index": 1
          }
        ]
      ]
    },
    "Check IP on VirusTotal": {
      "main": [
        [
          {
            "node": "Merge Threat Intelligence",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Receive Security Alert": {
      "main": [
        [
          {
            "node": "Normalize and Validate Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Combine Enrichment Data": {
      "main": [
        [
          {
            "node": "Assess Severity with Claude AI",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Notify SOC Team on Slack": {
      "main": [
        [
          {
            "node": "Build Final Incident Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Merge Threat Intelligence": {
      "main": [
        [
          {
            "node": "Combine Enrichment Data",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Write Compliance Audit Log": {
      "main": [
        [
          {
            "node": "Send Incident Response to Caller",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Build Final Incident Report": {
      "main": [
        [
          {
            "node": "Write Compliance Audit Log",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Normalize and Validate Alert": {
      "main": [
        [
          {
            "node": "Check IP on VirusTotal",
            "type": "main",
            "index": 0
          },
          {
            "node": "Check IP on AbuseIPDB",
            "type": "main",
            "index": 0
          },
          {
            "node": "Lookup Host on Shodan",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Isolate Affected Host via EDR": {
      "main": [
        [
          {
            "node": "Create Incident Ticket in Jira",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Assess Severity with Claude AI": {
      "main": [
        [
          {
            "node": "Parse AI Assessment",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Block Malicious IP on Firewall": {
      "main": [
        [
          {
            "node": "Notify SOC Team on Slack",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Create Incident Ticket in Jira": {
      "main": [
        [
          {
            "node": "Build Final Incident Report",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Revoke User Tokens and Sessions": {
      "main": [
        [
          {
            "node": "Create Incident Ticket in Jira",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Check Severity for Auto-Containment": {
      "main": [
        [
          {
            "node": "Block Malicious IP on Firewall",
            "type": "main",
            "index": 0
          },
          {
            "node": "Isolate Affected Host via EDR",
            "type": "main",
            "index": 0
          },
          {
            "node": "Revoke User Tokens and Sessions",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Notify SOC Team on Slack",
            "type": "main",
            "index": 0
          },
          {
            "node": "Create Incident Ticket in Jira",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}