Detect and isolate ransomware with Claude (Anthropic), EDR, SIEM and Slack
This workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response.
How it works
1. File System Monitoring - Continuously monitors file operations (create, modify, rename, delete) across critical directories
2. Behavior Pattern Collection - Aggregates file operation metrics in 30-second windows (entropy changes, extension changes, I/O velocity)
3. AI Threat Analysis - Claude AI analyzes patterns against known ransomware behaviors (mass encryption, shadow copy deletion, etc.)
4. Threat Scoring & Classification - Assigns threat scores (0-100) and classifies attack types (crypto-locker, wiper, etc.)
5. Auto-Isolation Decision - Determines if immediate network isolation is required based on confidence thresholds
6. System Quarantine - Executes automated isolation: disable network adapters, block shares, kill suspicious processes
7. Forensic Snapshot - Captures system state, process tree, network connections, and file operation logs
8. Incident Response Alert - Notifies SOC team with detailed threat intelligence and recommended actions
9. Evidence Preservation - Stores forensic data and AI analysis in SIEM for investigation
Detection Capabilities
- **Entropy Analysis**: Detects high-entropy file creation (encrypted data signature)
- **Extension Scanning**: Identifies suspicious extension changes (.docx → .locked, .encrypted, .crypted)
- **I/O Velocity**: Flags abnormal file modification rates (>100 files/min)
- **Shadow Copy Deletion**: Detects vssadmin.exe / wmic.exe shadow copy deletion attempts
- **Ransom Note Detection**: Identifies README.txt, HOW_TO_DECRYPT.html creation patterns
- **Lateral Movement**: Monitors SMB/RDP connection spikes from infected hosts
- **Process Behavior**: Analyzes suspicious parent-child process relationships
Setup Steps
1. Import workflow into n8n
2. Configure credentials:
   - Anthropic API - Claude AI for threat analysis
   - Windows Event Collector / Sysmon - File system event source
   - EDR API (CrowdStrike/Defender/SentinelOne) - For isolation commands
   - SIEM API (Splunk/Elastic) - For log forwarding
   - Slack/PagerDuty - For SOC alerts
3. Install file system watcher on monitored endpoints (sysmon, osquery, or auditd)
4. Configure isolation thresholds (default: threat_score >= 75)
5. Test isolation procedure in sandbox environment
6. Activate workflow
Sample Detection Event

```json
{
  "hostname": "DESKTOP-WKS-042",
  "username": "jdoe",
  "timestamp": "2025-02-25T14:23:17Z",
  "detection_window_seconds": 30,
  "file_operations": {
    "files_modified": 247,
    "files_renamed": 189,
    "files_created": 58,
    "files_deleted": 31,
    "avg_entropy_increase": 7.89,
    "suspicious_extensions": [".locked", ".crypted", ".encrypted"],
    "ransom_notes_created": ["README_DECRYPT.txt", "HOW_TO_RECOVER.html"]
  },
  "process_activity": {
    "high_io_processes": [
      {"name": "explorer.exe", "pid": 4782, "io_rate": "523 ops/sec"},
      {"name": "svchost.exe", "pid": 2194, "io_rate": "412 ops/sec"}
    ],
    "suspicious_commands": [
      "vssadmin.exe delete shadows /all /quiet",
      "wmic shadowcopy delete",
      "bcdedit /set {default} recoveryenabled no"
    ]
  },
  "network_activity": {
    "c2_connections": [
      {"ip": "185.220.101.32", "port": 443, "country": "RU"},
      {"ip": "194.165.16.85", "port": 8443, "country": "NL"}
    ],
    "lateral_movement": [
      {"target": "FILE-SERVER-01", "protocol": "SMB", "status": "success"},
      {"target": "DB-SERVER-03", "protocol": "RDP", "status": "failed"}
    ]
  }
}
```
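As an added example (not code from the template itself) of the Threat Scoring and Auto-Isolation steps, here is an n8n Code-node style function that pre-scores a detection window like the sample event above before it is sent to Claude, and applies the template's default threat_score >= 75 isolation threshold. The per-signal weights, the regular expressions and the condensed sample object are assumptions made for the example.

```javascript
const ISOLATION_THRESHOLD = 75; // template default: threat_score >= 75
const RANSOM_EXTENSIONS = new Set(['.locked', '.crypted', '.encrypted']);
const RANSOM_NOTE_RE = /^(readme|how_to_decrypt|how_to_recover)/i;
const INHIBIT_RECOVERY_RE = /vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|bcdedit.*recoveryenabled\s+no/i;

// Constructed sample, condensed from the page's sample detection event.
const sampleEvent = {
  hostname: 'DESKTOP-WKS-042',
  detection_window_seconds: 30,
  file_operations: {
    files_modified: 247, files_renamed: 189, files_created: 58,
    avg_entropy_increase: 7.89,
    suspicious_extensions: ['.locked', '.crypted', '.encrypted'],
    ransom_notes_created: ['README_DECRYPT.txt', 'HOW_TO_RECOVER.html'],
  },
  process_activity: {
    suspicious_commands: ['vssadmin.exe delete shadows /all /quiet', 'wmic shadowcopy delete'],
  },
};

// Score one 30-second window. Each signal is an independent, capped contribution so a
// single noisy metric (e.g. a build job touching many files) cannot trip isolation
// by itself; the weights are assumptions, not the template's values.
function scoreWindow(event) {
  const fo = event.file_operations || {};
  const pa = event.process_activity || {};
  const windowSec = event.detection_window_seconds || 30;
  const entropy = fo.avg_entropy_increase || 0;
  const signals = {};
  // I/O velocity: page threshold is >100 files/min (modified + renamed, scaled to a minute)
  const filesPerMin = ((fo.files_modified || 0) + (fo.files_renamed || 0)) * 60 / windowSec;
  signals.io_velocity = filesPerMin > 100 ? 25 : 0;
  // Entropy: ciphertext approaches 8 bits/byte, so a large average increase is strong evidence
  signals.entropy = entropy >= 7 ? 25 : entropy >= 5 ? 10 : 0;
  // Extension changes to known ransomware suffixes
  signals.extensions = (fo.suspicious_extensions || [])
    .some(e => RANSOM_EXTENSIONS.has(String(e).toLowerCase())) ? 15 : 0;
  // Ransom note file names
  signals.ransom_note = (fo.ransom_notes_created || []).some(n => RANSOM_NOTE_RE.test(n)) ? 15 : 0;
  // Shadow copy deletion / recovery inhibition (ATT&CK T1490)
  signals.inhibit_recovery = (pa.suspicious_commands || []).some(c => INHIBIT_RECOVERY_RE.test(c)) ? 20 : 0;
  const score = Math.min(100, Object.values(signals).reduce((a, b) => a + b, 0));
  return { score, signals, isolate: score >= ISOLATION_THRESHOLD };
}

// Runs stand-alone; in n8n this output would feed the Claude analysis node.
console.log(JSON.stringify(scoreWindow(sampleEvent)));
```

The sample window scores 100 and sets isolate to true; a window with only high file velocity (no entropy rise, extension changes, notes or recovery inhibition) scores 25 and stays below the threshold.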
Threat Intelligence Sources
- MITRE ATT&CK Framework (T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery)
- Known ransomware families: LockBit, BlackCat/ALPHV, Royal, Play, Cl0p
- File extension IOCs from ransomware tracking feeds
- Behavioral signatures from recent campaigns
Compliance & Forensics
- **Chain of Custody**: All isolation actions logged with timestamps and justifications
- **NIST CSF Alignment**: DE.CM-7 (Monitoring for unauthorized activity), RS.MI-3 (Incident containment)
- **Evidence Integrity**: Forensic snapshots include cryptographic hashes for court admissibility
- **Post-Incident Review**: AI analysis archived for threat hunting and pattern improvement