{
  "name": "Detect and isolate ransomware with Claude (Anthropic), EDR, SIEM and Slack",
  "nodes": [
    {
      "id": "e5cb47f0-801e-4024-b9bb-6739dbe61534",
      "name": "Sticky Note",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        176,
        -336
      ],
      "parameters": {
        "width": 900,
        "height": 1994,
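        "content": "## AI Ransomware Early Warning System\n\nThis workflow provides near-real-time detection of ransomware encryption patterns using Claude AI: file system events are aggregated over a 30-second batch window before analysis, with automated system isolation and incident response once the threat score reaches the auto-isolate threshold of 75.\n\n### How it "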
      }
    },
    {
      "id": "aa56c195-6249-4bb9-97e3-1ff480f9a26e",
      "name": "Sticky Note 1",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1168,
        608
      ],
      "parameters": {
        "width": 680,
        "height": 340,
        "content": "## 1. File System Monitoring & Event Collection"
      }
    },
    {
      "id": "da72049b-50b2-4741-b09d-317179678a9e",
      "name": "Sticky Note 2",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        1904,
        544
      ],
      "parameters": {
        "width": 724,
        "height": 620,
        "content": "## 2. Behavior Aggregation + AI Threat Analysis"
      }
    },
    {
      "id": "af03f0f2-99e6-458a-9755-bf94a600a56d",
      "name": "Sticky Note 3",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        2704,
        544
      ],
      "parameters": {
        "width": 820,
        "height": 540,
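        "content": "## 3. Threat Scoring + Auto-Isolation Decision\n\nScores of 75 or higher go to Confirm Isolation Required; lower scores go to Enhanced Monitoring Mode. The false output of Confirm Isolation Required is not connected, so an event that fails confirmation ends there without a SOC alert or log entry. Capture Forensic Snapshot runs before Execute System Isolation, so a failed snapshot request may hold up containment unless that node is set to continue on error."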
      }
    },
    {
      "id": "0dcbfdd6-1b5a-4fcd-b6f5-11d360b5a0e6",
      "name": "Sticky Note 4",
      "type": "n8n-nodes-base.stickyNote",
      "position": [
        3568,
        384
      ],
      "parameters": {
        "width": 1192,
        "height": 720,
        "content": "## 4. System Isolation + Forensics + SOC Alert"
      }
    },
    {
      "id": "8abfee30-adbf-402c-9571-8a99f402ff0e",
      "name": "File System Event Stream",
      "type": "n8n-nodes-base.webhook",
      "position": [
        1264,
        784
      ]
    },
    {
      "id": "b88cdb13-01a8-44c5-947f-72f4b54bba97",
      "name": "Aggregate File Operations (30s Window)",
      "type": "n8n-nodes-base.code",
      "position": [
        1488,
        784
      ]
    },
    {
      "id": "4ede8aa3-be5f-43d0-b8e8-244615303218",
      "name": "Wait for Batch Window (30s)",
      "type": "n8n-nodes-base.wait",
      "position": [
        1712,
        784
      ]
    },
    {
      "id": "049047b7-e9ea-4432-9e4a-51f82b67e8cb",
      "name": "Claude AI Ransomware Threat Analysis",
      "type": "@n8n/n8n-nodes-langchain.agent",
      "position": [
        1936,
        784
      ]
    },
    {
      "id": "33dac890-11e7-4bbb-9b27-31b25fa6c0d8",
      "name": "Claude AI Model",
      "type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
      "position": [
        2016,
        1008
      ]
    },
    {
      "id": "c8d58737-1567-4e97-b49d-30f29bf510ea",
      "name": "Parse AI Threat Assessment",
      "type": "n8n-nodes-base.code",
      "position": [
        2288,
        784
      ]
    },
    {
      "id": "1d640396-e79d-40aa-ba03-f285c678c4f8",
      "name": "Threat Score >= 75? (Auto-Isolate Threshold)",
      "type": "n8n-nodes-base.if",
      "position": [
        2512,
        784
      ]
    },
    {
      "id": "a05b8e20-2774-41c0-a271-f6f810990d90",
      "name": "Confirm Isolation Required",
      "type": "n8n-nodes-base.if",
      "position": [
        2736,
        688
      ]
    },
    {
      "id": "482eea79-1446-469f-990f-26f8e0241267",
      "name": "Capture Forensic Snapshot",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        2960,
        688
      ]
    },
    {
      "id": "3eeb410a-2188-4899-90e2-f4085af95ca8",
      "name": "Execute System Isolation",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        3184,
        688
      ]
    },
    {
      "id": "c263e2b3-01b7-44f8-85c8-92a77dfa32e6",
      "name": "Terminate Encryption Process",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        3408,
        688
      ]
    },
    {
      "id": "db640fec-9431-46e5-85c4-10fe0956a4a7",
      "name": "Alert SOC — Critical Ransomware Detection",
      "type": "n8n-nodes-base.slack",
      "position": [
        3632,
        496
      ]
    },
    {
      "id": "97f393b1-50d3-4b7f-a9e2-093507a8bc39",
      "name": "Email Security Team",
      "type": "n8n-nodes-base.emailSend",
      "position": [
        3632,
        688
      ]
    },
    {
      "id": "538edce0-cb79-4b17-8b5c-8d12f375532b",
      "name": "Trigger PagerDuty Incident",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        3632,
        880
      ]
    },
    {
      "id": "fdd155a2-06c7-4daa-b899-6c5c61f44442",
      "name": "Forward to SIEM (Splunk/Elastic)",
      "type": "n8n-nodes-base.httpRequest",
      "position": [
        3856,
        592
      ]
    },
    {
      "id": "8775fc52-d7fe-48b7-8cdd-688d262bde6a",
      "name": "Write to Isolation Audit Log",
      "type": "n8n-nodes-base.googleSheets",
      "position": [
        4080,
        592
      ]
    },
    {
      "id": "575c3fa5-810c-4c8f-b57b-c4f72aaeedb4",
      "name": "Build Incident Response Summary",
      "type": "n8n-nodes-base.code",
      "position": [
        4304,
        592
      ]
    },
    {
      "id": "c53204b8-c6c1-4101-b7c2-bfb4dba3ba03",
      "name": "Send Detection Response",
      "type": "n8n-nodes-base.respondToWebhook",
      "position": [
        4528,
        592
      ]
    },
    {
      "id": "10db99e1-44f2-486d-9a02-543fdf39ab19",
      "name": "Enhanced Monitoring Mode",
      "type": "n8n-nodes-base.code",
      "position": [
        2736,
        880
      ]
    },
    {
      "id": "a6e6963e-9d75-4173-b0f4-bfd23c788955",
      "name": "Notify SOC — Monitoring Alert",
      "type": "n8n-nodes-base.slack",
      "position": [
        2960,
        880
      ]
    },
    {
      "id": "28349131-9b56-4d6e-a794-5aeaad113447",
      "name": "Log Monitoring Alert",
      "type": "n8n-nodes-base.googleSheets",
      "position": [
        3184,
        880
      ]
    }
  ],
  "connections": {
    "Claude AI Model": {
      "ai_languageModel": [
        [
          {
            "node": "Claude AI Ransomware Threat Analysis",
            "type": "ai_languageModel",
            "index": 0
          }
        ]
      ]
    },
    "Email Security Team": {
      "main": [
        [
          {
            "node": "Forward to SIEM (Splunk/Elastic)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Enhanced Monitoring Mode": {
      "main": [
        [
          {
            "node": "Notify SOC — Monitoring Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Execute System Isolation": {
      "main": [
        [
          {
            "node": "Terminate Encryption Process",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "File System Event Stream": {
      "main": [
        [
          {
            "node": "Aggregate File Operations (30s Window)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Capture Forensic Snapshot": {
      "main": [
        [
          {
            "node": "Execute System Isolation",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Confirm Isolation Required": {
      "main": [
        [
          {
            "node": "Capture Forensic Snapshot",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Parse AI Threat Assessment": {
      "main": [
        [
          {
            "node": "Threat Score >= 75? (Auto-Isolate Threshold)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Trigger PagerDuty Incident": {
      "main": [
        [
          {
            "node": "Forward to SIEM (Splunk/Elastic)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Wait for Batch Window (30s)": {
      "main": [
        [
          {
            "node": "Claude AI Ransomware Threat Analysis",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Terminate Encryption Process": {
      "main": [
        [
          {
            "node": "Alert SOC — Critical Ransomware Detection",
            "type": "main",
            "index": 0
          },
          {
            "node": "Email Security Team",
            "type": "main",
            "index": 0
          },
          {
            "node": "Trigger PagerDuty Incident",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Write to Isolation Audit Log": {
      "main": [
        [
          {
            "node": "Build Incident Response Summary",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Build Incident Response Summary": {
      "main": [
        [
          {
            "node": "Send Detection Response",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Notify SOC — Monitoring Alert": {
      "main": [
        [
          {
            "node": "Log Monitoring Alert",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Forward to SIEM (Splunk/Elastic)": {
      "main": [
        [
          {
            "node": "Write to Isolation Audit Log",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Claude AI Ransomware Threat Analysis": {
      "main": [
        [
          {
            "node": "Parse AI Threat Assessment",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Aggregate File Operations (30s Window)": {
      "main": [
        [
          {
            "node": "Wait for Batch Window (30s)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Alert SOC — Critical Ransomware Detection": {
      "main": [
        [
          {
            "node": "Forward to SIEM (Splunk/Elastic)",
            "type": "main",
            "index": 0
          }
        ]
      ]
    },
    "Threat Score >= 75? (Auto-Isolate Threshold)": {
      "main": [
        [
          {
            "node": "Confirm Isolation Required",
            "type": "main",
            "index": 0
          }
        ],
        [
          {
            "node": "Enhanced Monitoring Mode",
            "type": "main",
            "index": 0
          }
        ]
      ]
    }
  }
}