{"workflow":{"id":13706,"name":"Detect and isolate ransomware with Claude (Anthropic), EDR, SIEM and Slack","views":76,"recentViews":1,"totalViews":76,"createdAt":"2026-02-25T12:48:53.219Z","description":"This workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response.\n\n### How it works\n\n1. **File System Monitoring** - Continuously monitors file operations (create, modify, rename, delete) across critical directories\n2. **Behavior Pattern Collection** - Aggregates file operation metrics in 30-second windows (entropy changes, extension changes, I/O velocity)\n3. **AI Threat Analysis** - Claude AI analyzes patterns against known ransomware behaviors (mass encryption, shadow copy deletion, etc.)\n4. **Threat Scoring & Classification** - Assigns threat scores (0-100) and classifies attack types (crypto-locker, wiper, etc.)\n5. **Auto-Isolation Decision** - Determines if immediate network isolation is required based on confidence thresholds\n6. **System Quarantine** - Executes automated isolation: disable network adapters, block shares, kill suspicious processes\n7. **Forensic Snapshot** - Captures system state, process tree, network connections, and file operation logs\n8. **Incident Response Alert** - Notifies SOC team with detailed threat intelligence and recommended actions\n9. **Evidence Preservation** - Stores forensic data and AI analysis in SIEM for investigation\n\n### Detection Capabilities\n\n- **Entropy Analysis**: Detects high-entropy file creation (encrypted data signature)\n- **Extension Scanning**: Identifies suspicious extension changes (.docx → .locked, .encrypted, .crypted)\n- **I/O Velocity**: Flags abnormal file modification rates (>100 files/min)\n- **Shadow Copy Deletion**: Detects vssadmin.exe / wmic.exe shadow copy deletion attempts\n- **Ransom Note Detection**: Identifies README.txt, HOW_TO_DECRYPT.html creation patterns\n- **Lateral Movement**: Monitors SMB/RDP connection spikes from infected hosts\n- **Process Behavior**: Analyzes suspicious parent-child process relationships\n\n### Setup Steps\n\n1. Import workflow into n8n\n2. Configure credentials:\n   - **Anthropic API** - Claude AI for threat analysis\n   - **Windows Event Collector / Sysmon** - File system event source\n   - **EDR API** (CrowdStrike/Defender/SentinelOne) - For isolation commands\n   - **SIEM API** (Splunk/Elastic) - For log forwarding\n   - **Slack/PagerDuty** - For SOC alerts\n3. Install file system watcher on monitored endpoints (sysmon, osquery, or auditd)\n4. Configure isolation thresholds (default: threat_score >= 75)\n5. Test isolation procedure in sandbox environment\n6. Activate workflow\n\n### Sample Detection Event\n```json\n{\n  \"hostname\": \"DESKTOP-WKS-042\",\n  \"username\": \"jdoe\",\n  \"timestamp\": \"2025-02-25T14:23:17Z\",\n  \"detection_window_seconds\": 30,\n  \"file_operations\": {\n    \"files_modified\": 247,\n    \"files_renamed\": 189,\n    \"files_created\": 58,\n    \"files_deleted\": 31,\n    \"avg_entropy_increase\": 7.89,\n    \"suspicious_extensions\": [\".locked\", \".crypted\", \".encrypted\"],\n    \"ransom_notes_created\": [\"README_DECRYPT.txt\", \"HOW_TO_RECOVER.html\"]\n  },\n  \"process_activity\": {\n    \"high_io_processes\": [\n      {\"name\": \"explorer.exe\", \"pid\": 4782, \"io_rate\": \"523 ops/sec\"},\n      {\"name\": \"svchost.exe\", \"pid\": 2194, \"io_rate\": \"412 ops/sec\"}\n    ],\n    \"suspicious_commands\": [\n      \"vssadmin.exe delete shadows /all /quiet\",\n      \"wmic shadowcopy delete\",\n      \"bcdedit /set {default} recoveryenabled no\"\n    ]\n  },\n  \"network_activity\": {\n    \"c2_connections\": [\n      {\"ip\": \"185.220.101.32\", \"port\": 443, \"country\": \"RU\"},\n      {\"ip\": \"194.165.16.85\", \"port\": 8443, \"country\": \"NL\"}\n    ],\n    \"lateral_movement\": [\n      {\"target\": \"FILE-SERVER-01\", \"protocol\": \"SMB\", \"status\": \"success\"},\n      {\"target\": \"DB-SERVER-03\", \"protocol\": \"RDP\", \"status\": \"failed\"}\n    ]\n  }\n}\n```\n\n### Threat Intelligence Sources\n- MITRE ATT&CK Framework (T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery)\n- Known ransomware families: LockBit, BlackCat/ALPHV, Royal, Play, Cl0p\n- File extension IOCs from ransomware tracking feeds\n- Behavioral signatures from recent campaigns\n\n### Compliance & Forensics\n- **Chain of Custody**: All isolation actions logged with timestamps and justifications\n- **NIST CSF Alignment**: DE.CM-7 (Monitoring for unauthorized activity), RS.MI-3 (Incident containment)\n- **Evidence Integrity**: Forensic snapshots include cryptographic hashes for court admissibility\n- **Post-Incident Review**: AI analysis archived for threat hunting and pattern improvement","workflow":{"id":"IgdddfLCX52CIPYI","meta":{"instanceId":"dd69efaf8212c74ad206700d104739d3329588a6f3f8381a46a481f34c9cc281","templateCredsSetupCompleted":true},"name":"AI Ransomware Early Warning System","tags":[],"nodes":[{"id":"e5cb47f0-801e-4024-b9bb-6739dbe61534","name":"Sticky Note","type":"n8n-nodes-base.stickyNote","position":[176,-336],"parameters":{"width":900,"height":1994,"content":"## AI Ransomware Early Warning System\n\nThis workflow provides real-time detection of ransomware encryption patterns using Claude AI, with automated system isolation and incident response.\n\n### How it works\n\n1. **File System Monitoring** - Continuously monitors file operations (create, modify, rename, delete) across critical directories\n2. **Behavior Pattern Collection** - Aggregates file operation metrics in 30-second windows (entropy changes, extension changes, I/O velocity)\n3. **AI Threat Analysis** - Claude AI analyzes patterns against known ransomware behaviors (mass encryption, shadow copy deletion, etc.)\n4. **Threat Scoring & Classification** - Assigns threat scores (0-100) and classifies attack types (crypto-locker, wiper, etc.)\n5. **Auto-Isolation Decision** - Determines if immediate network isolation is required based on confidence thresholds\n6. **System Quarantine** - Executes automated isolation: disable network adapters, block shares, kill suspicious processes\n7. **Forensic Snapshot** - Captures system state, process tree, network connections, and file operation logs\n8. **Incident Response Alert** - Notifies SOC team with detailed threat intelligence and recommended actions\n9. **Evidence Preservation** - Stores forensic data and AI analysis in SIEM for investigation\n\n### Detection Capabilities\n\n- **Entropy Analysis**: Detects high-entropy file creation (encrypted data signature)\n- **Extension Scanning**: Identifies suspicious extension changes (.docx → .locked, .encrypted, .crypted)\n- **I/O Velocity**: Flags abnormal file modification rates (>100 files/min)\n- **Shadow Copy Deletion**: Detects vssadmin.exe / wmic.exe shadow copy deletion attempts\n- **Ransom Note Detection**: Identifies README.txt, HOW_TO_DECRYPT.html creation patterns\n- **Lateral Movement**: Monitors SMB/RDP connection spikes from infected hosts\n- **Process Behavior**: Analyzes suspicious parent-child process relationships\n\n### Setup Steps\n\n1. Import workflow into n8n\n2. Configure credentials:\n   - **Anthropic API** - Claude AI for threat analysis\n   - **Windows Event Collector / Sysmon** - File system event source\n   - **EDR API** (CrowdStrike/Defender/SentinelOne) - For isolation commands\n   - **SIEM API** (Splunk/Elastic) - For log forwarding\n   - **Slack/PagerDuty** - For SOC alerts\n3. Install file system watcher on monitored endpoints (sysmon, osquery, or auditd)\n4. Configure isolation thresholds (default: threat_score >= 75)\n5. Test isolation procedure in sandbox environment\n6. Activate workflow\n\n### Sample Detection Event\n```json\n{\n  \"hostname\": \"DESKTOP-WKS-042\",\n  \"username\": \"jdoe\",\n  \"timestamp\": \"2025-02-25T14:23:17Z\",\n  \"detection_window_seconds\": 30,\n  \"file_operations\": {\n    \"files_modified\": 247,\n    \"files_renamed\": 189,\n    \"files_created\": 58,\n    \"files_deleted\": 31,\n    \"avg_entropy_increase\": 7.89,\n    \"suspicious_extensions\": [\".locked\", \".crypted\", \".encrypted\"],\n    \"ransom_notes_created\": [\"README_DECRYPT.txt\", \"HOW_TO_RECOVER.html\"]\n  },\n  \"process_activity\": {\n    \"high_io_processes\": [\n      {\"name\": \"explorer.exe\", \"pid\": 4782, \"io_rate\": \"523 ops/sec\"},\n      {\"name\": \"svchost.exe\", \"pid\": 2194, \"io_rate\": \"412 ops/sec\"}\n    ],\n    \"suspicious_commands\": [\n      \"vssadmin.exe delete shadows /all /quiet\",\n      \"wmic shadowcopy delete\",\n      \"bcdedit /set {default} recoveryenabled no\"\n    ]\n  },\n  \"network_activity\": {\n    \"c2_connections\": [\n      {\"ip\": \"185.220.101.32\", \"port\": 443, \"country\": \"RU\"},\n      {\"ip\": \"194.165.16.85\", \"port\": 8443, \"country\": \"NL\"}\n    ],\n    \"lateral_movement\": [\n      {\"target\": \"FILE-SERVER-01\", \"protocol\": \"SMB\", \"status\": \"success\"},\n      {\"target\": \"DB-SERVER-03\", \"protocol\": \"RDP\", \"status\": \"failed\"}\n    ]\n  }\n}\n```\n\n### Threat Intelligence Sources\n- MITRE ATT&CK Framework (T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery)\n- Known ransomware families: LockBit, BlackCat/ALPHV, Royal, Play, Cl0p\n- File extension IOCs from ransomware tracking feeds\n- Behavioral signatures from recent campaigns\n\n### Compliance & Forensics\n- **Chain of Custody**: All isolation actions logged with timestamps and justifications\n- **NIST CSF Alignment**: DE.CM-7 (Monitoring for unauthorized activity), RS.MI-3 (Incident containment)\n- **Evidence Integrity**: Forensic snapshots include cryptographic hashes for court admissibility\n- **Post-Incident Review**: AI analysis archived for threat hunting and pattern improvement"},"typeVersion":1},{"id":"aa56c195-6249-4bb9-97e3-1ff480f9a26e","name":"Sticky Note 1","type":"n8n-nodes-base.stickyNote","position":[1168,608],"parameters":{"color":6,"width":680,"height":340,"content":"## 1. File System Monitoring & Event Collection"},"typeVersion":1},{"id":"da72049b-50b2-4741-b09d-317179678a9e","name":"Sticky Note 2","type":"n8n-nodes-base.stickyNote","position":[1904,544],"parameters":{"color":6,"width":724,"height":620,"content":"## 2. Behavior Aggregation + AI Threat Analysis"},"typeVersion":1},{"id":"af03f0f2-99e6-458a-9755-bf94a600a56d","name":"Sticky Note 3","type":"n8n-nodes-base.stickyNote","position":[2704,544],"parameters":{"color":6,"width":820,"height":540,"content":"## 3. Threat Scoring + Auto-Isolation Decision"},"typeVersion":1},{"id":"0dcbfdd6-1b5a-4fcd-b6f5-11d360b5a0e6","name":"Sticky Note 4","type":"n8n-nodes-base.stickyNote","position":[3568,384],"parameters":{"color":6,"width":1192,"height":720,"content":"## 4. System Isolation + Forensics + SOC Alert"},"typeVersion":1},{"id":"8abfee30-adbf-402c-9571-8a99f402ff0e","name":"File System Event Stream","type":"n8n-nodes-base.webhook","position":[1264,784],"webhookId":"ransomware-fs-monitor","parameters":{"path":"ransomware/file-events","options":{},"httpMethod":"POST","responseMode":"lastNode"},"typeVersion":2},{"id":"b88cdb13-01a8-44c5-947f-72f4b54bba97","name":"Aggregate File Operations (30s Window)","type":"n8n-nodes-base.code","position":[1488,784],"parameters":{"mode":"runOnceForEachItem","jsCode":"// Aggregate file system events in 30-second sliding window\nconst events = $input.item.json.events || [$input.item.json];\n\n// Initialize aggregation metrics\nconst metrics = {\n  hostname: events[0].hostname || 'UNKNOWN',\n  username: events[0].username || 'UNKNOWN',\n  detection_window_start: new Date(Date.now() - 30000).toISOString(),\n  detection_window_end: new Date().toISOString(),\n  detection_window_seconds: 30,\n  \n  file_operations: {\n    total_operations: events.length,\n    files_created: 0,\n    files_modified: 0,\n    files_renamed: 0,\n    files_deleted: 0,\n    avg_file_size_bytes: 0,\n    total_bytes_written: 0,\n    operations_per_second: 0,\n    unique_directories_affected: new Set(),\n    file_extensions_changed: [],\n    suspicious_extensions: [],\n    ransom_notes_created: [],\n    entropy_analysis: {\n      high_entropy_files: 0,\n      avg_entropy: 0,\n      entropy_increase_count: 0\n    }\n  },\n  \n  process_activity: {\n    unique_processes: new Set(),\n    high_io_processes: [],\n    suspicious_commands: [],\n    parent_child_chains: []\n  },\n  \n  network_activity: {\n    c2_connections: [],\n    lateral_movement: [],\n    smb_connections: 0,\n    rdp_connections: 0\n  },\n  \n  system_changes: {\n    shadow_copy_deletions: false,\n    boot_config_modifications: false,\n    registry_modifications: [],\n    service_installations: []\n  }\n};\n\n// Known ransomware extensions\nconst ransomwareExtensions = [\n  '.locked', '.encrypted', '.crypted', '.crypto', '.crypt', '.enc',\n  '.lockbit', '.blackcat', '.royal', '.play', '.alphv', '.cl0p',\n  '.cerber', '.locky', '.wannacry', '.petya', '.ryuk', '.maze'\n];\n\n// Known ransom note patterns\nconst ransomNotePatterns = [\n  'README', 'HOW_TO_DECRYPT', 'DECRYPT_INSTRUCTIONS', 'RECOVERY',\n  'YOUR_FILES', 'LOCKED', 'ENCRYPTED', 'RANSOM'\n];\n\n// Suspicious command patterns\nconst suspiciousCommands = [\n  'vssadmin.exe delete shadows',\n  'wmic shadowcopy delete',\n  'bcdedit /set {default} recoveryenabled no',\n  'bcdedit /set {default} bootstatuspolicy ignoreallfailures',\n  'wbadmin delete catalog',\n  'cipher /w:',\n  'del /s /f /q'\n];\n\n// Process each file system event\nlet totalEntropy = 0;\nlet totalFileSize = 0;\n\nevents.forEach(event => {\n  // Count operation types\n  switch (event.operation?.toLowerCase()) {\n    case 'create':\n    case 'created':\n      metrics.file_operations.files_created++;\n      break;\n    case 'modify':\n    case 'modified':\n    case 'write':\n      metrics.file_operations.files_modified++;\n      break;\n    case 'rename':\n    case 'renamed':\n      metrics.file_operations.files_renamed++;\n      \n      // Check for suspicious extension changes\n      const oldExt = event.old_path?.split('.').pop()?.toLowerCase();\n      const newExt = event.new_path?.split('.').pop()?.toLowerCase();\n      if (oldExt && newExt && oldExt !== newExt) {\n        metrics.file_operations.file_extensions_changed.push({\n          from: oldExt,\n          to: newExt,\n          path: event.new_path\n        });\n        \n        if (ransomwareExtensions.includes(`.${newExt}`)) {\n          metrics.file_operations.suspicious_extensions.push(`.${newExt}`);\n        }\n      }\n      break;\n    case 'delete':\n    case 'deleted':\n      metrics.file_operations.files_deleted++;\n      break;\n  }\n  \n  // Track directories\n  const directory = event.path?.split('/').slice(0, -1).join('/') || \n                   event.path?.split('\\\\').slice(0, -1).join('\\\\');\n  if (directory) {\n    metrics.file_operations.unique_directories_affected.add(directory);\n  }\n  \n  // Check for ransom notes\n  const filename = event.path?.split('/').pop() || event.path?.split('\\\\').pop() || '';\n  const filenameUpper = filename.toUpperCase();\n  if (ransomNotePatterns.some(pattern => filenameUpper.includes(pattern)) &&\n      (filename.endsWith('.txt') || filename.endsWith('.html') || filename.endsWith('.hta'))) {\n    metrics.file_operations.ransom_notes_created.push(filename);\n  }\n  \n  // Entropy analysis (high entropy = encrypted data)\n  if (event.entropy !== undefined) {\n    totalEntropy += event.entropy;\n    if (event.entropy > 7.5) {\n      metrics.file_operations.entropy_analysis.high_entropy_files++;\n    }\n    if (event.entropy_increase && event.entropy_increase > 1.0) {\n      metrics.file_operations.entropy_analysis.entropy_increase_count++;\n    }\n  }\n  \n  // File size tracking\n  if (event.size_bytes) {\n    totalFileSize += event.size_bytes;\n    metrics.file_operations.total_bytes_written += event.size_bytes;\n  }\n  \n  // Process tracking\n  if (event.process_name) {\n    metrics.process_activity.unique_processes.add(event.process_name);\n    \n    // Track high I/O processes\n    const existingProcess = metrics.process_activity.high_io_processes\n      .find(p => p.pid === event.process_id);\n    if (existingProcess) {\n      existingProcess.operation_count++;\n    } else if (event.io_rate_ops_per_sec > 100) {\n      metrics.process_activity.high_io_processes.push({\n        name: event.process_name,\n        pid: event.process_id,\n        operation_count: 1,\n        io_rate: `${event.io_rate_ops_per_sec} ops/sec`\n      });\n    }\n  }\n  \n  // Command line analysis\n  if (event.command_line) {\n    suspiciousCommands.forEach(pattern => {\n      if (event.command_line.toLowerCase().includes(pattern.toLowerCase())) {\n        metrics.process_activity.suspicious_commands.push(event.command_line);\n        \n        // Flag system changes\n        if (pattern.includes('vssadmin') || pattern.includes('shadowcopy')) {\n          metrics.system_changes.shadow_copy_deletions = true;\n        }\n        if (pattern.includes('bcdedit')) {\n          metrics.system_changes.boot_config_modifications = true;\n        }\n      }\n    });\n  }\n  \n  // Network activity\n  if (event.network_connection) {\n    if (event.network_connection.protocol === 'SMB') {\n      metrics.network_activity.smb_connections++;\n      if (event.network_connection.target_host) {\n        metrics.network_activity.lateral_movement.push({\n          target: event.network_connection.target_host,\n          protocol: 'SMB',\n          status: event.network_connection.status || 'unknown'\n        });\n      }\n    }\n    if (event.network_connection.protocol === 'RDP') {\n      metrics.network_activity.rdp_connections++;\n    }\n    \n    // Check for C2 connections (external IPs)\n    if (event.network_connection.remote_ip && \n        !event.network_connection.remote_ip.startsWith('10.') &&\n        !event.network_connection.remote_ip.startsWith('192.168.') &&\n        !event.network_connection.remote_ip.startsWith('172.16.')) {\n      metrics.network_activity.c2_connections.push({\n        ip: event.network_connection.remote_ip,\n        port: event.network_connection.remote_port,\n        country: event.network_connection.country || 'Unknown'\n      });\n    }\n  }\n});\n\n// Calculate averages and rates\nif (events.length > 0) {\n  metrics.file_operations.avg_file_size_bytes = Math.round(totalFileSize / events.length);\n  metrics.file_operations.operations_per_second = parseFloat((events.length / 30).toFixed(2));\n  metrics.file_operations.entropy_analysis.avg_entropy = parseFloat(\n    (totalEntropy / events.length).toFixed(2)\n  );\n}\n\n// Convert Sets to Arrays for JSON serialization\nmetrics.file_operations.unique_directories_affected = \n  Array.from(metrics.file_operations.unique_directories_affected);\nmetrics.process_activity.unique_processes = \n  Array.from(metrics.process_activity.unique_processes);\n\n// Remove duplicates\nmetrics.file_operations.suspicious_extensions = \n  [...new Set(metrics.file_operations.suspicious_extensions)];\nmetrics.process_activity.suspicious_commands = \n  [...new Set(metrics.process_activity.suspicious_commands)];\nmetrics.network_activity.c2_connections = \n  metrics.network_activity.c2_connections.filter((conn, index, self) =>\n    index === self.findIndex(c => c.ip === conn.ip && c.port === conn.port)\n  );\n\n// Calculate initial risk indicators\nconst risk_indicators = {\n  high_entropy_file_ratio: events.length > 0 ? \n    parseFloat((metrics.file_operations.entropy_analysis.high_entropy_files / events.length).toFixed(2)) : 0,\n  rapid_file_modification: metrics.file_operations.operations_per_second > 8,\n  suspicious_extension_detected: metrics.file_operations.suspicious_extensions.length > 0,\n  ransom_note_detected: metrics.file_operations.ransom_notes_created.length > 0,\n  shadow_copy_deletion: metrics.system_changes.shadow_copy_deletions,\n  lateral_movement_detected: metrics.network_activity.lateral_movement.length > 0,\n  c2_communication: metrics.network_activity.c2_connections.length > 0\n};\n\nmetrics.risk_indicators = risk_indicators;\nmetrics.aggregation_timestamp = new Date().toISOString();\nmetrics.requires_ai_analysis = \n  risk_indicators.rapid_file_modification ||\n  risk_indicators.suspicious_extension_detected ||\n  risk_indicators.ransom_note_detected ||\n  risk_indicators.shadow_copy_deletion;\n\nreturn { json: { behaviorMetrics: metrics } };"},"typeVersion":2},{"id":"4ede8aa3-be5f-43d0-b8e8-244615303218","name":"Wait for Batch Window (30s)","type":"n8n-nodes-base.wait","position":[1712,784],"webhookId":"wait-batch-window","parameters":{"resume":"webhook","options":{}},"typeVersion":1.1},{"id":"049047b7-e9ea-4432-9e4a-51f82b67e8cb","name":"Claude AI Ransomware Threat Analysis","type":"@n8n/n8n-nodes-langchain.agent","position":[1936,784],"parameters":{"text":"=You are a senior cybersecurity analyst and ransomware detection specialist with expertise in MITRE ATT&CK framework, digital forensics, and behavioral threat analysis.\n\nAnalyze this file system behavior pattern and determine if it indicates active ransomware encryption.\n\n**System Information:**\n- Hostname: {{ $json.behaviorMetrics.hostname }}\n- Username: {{ $json.behaviorMetrics.username }}\n- Detection Window: {{ $json.behaviorMetrics.detection_window_seconds }}s\n- Timestamp: {{ $json.behaviorMetrics.detection_window_end }}\n\n**File Operations (30-second window):**\n- Total Operations: {{ $json.behaviorMetrics.file_operations.total_operations }}\n- Files Created: {{ $json.behaviorMetrics.file_operations.files_created }}\n- Files Modified: {{ $json.behaviorMetrics.file_operations.files_modified }}\n- Files Renamed: {{ $json.behaviorMetrics.file_operations.files_renamed }}\n- Files Deleted: {{ $json.behaviorMetrics.file_operations.files_deleted }}\n- Operations per Second: {{ $json.behaviorMetrics.file_operations.operations_per_second }}\n- Unique Directories: {{ $json.behaviorMetrics.file_operations.unique_directories_affected.length }}\n- Total Bytes Written: {{ $json.behaviorMetrics.file_operations.total_bytes_written }}\n\n**Extension Analysis:**\n- Extensions Changed: {{ JSON.stringify($json.behaviorMetrics.file_operations.file_extensions_changed) }}\n- Suspicious Extensions Detected: {{ JSON.stringify($json.behaviorMetrics.file_operations.suspicious_extensions) }}\n- Ransom Notes Created: {{ JSON.stringify($json.behaviorMetrics.file_operations.ransom_notes_created) }}\n\n**Entropy Analysis (Encryption Indicator):**\n- High Entropy Files (>7.5): {{ $json.behaviorMetrics.file_operations.entropy_analysis.high_entropy_files }}\n- Average Entropy: {{ $json.behaviorMetrics.file_operations.entropy_analysis.avg_entropy }}\n- Entropy Increase Events: {{ $json.behaviorMetrics.file_operations.entropy_analysis.entropy_increase_count }}\n\n**Process Activity:**\n- Active Processes: {{ JSON.stringify($json.behaviorMetrics.process_activity.unique_processes) }}\n- High I/O Processes: {{ JSON.stringify($json.behaviorMetrics.process_activity.high_io_processes) }}\n- Suspicious Commands Executed: {{ JSON.stringify($json.behaviorMetrics.process_activity.suspicious_commands) }}\n\n**System Changes:**\n- Shadow Copy Deletion Detected: {{ $json.behaviorMetrics.system_changes.shadow_copy_deletions }}\n- Boot Config Modified: {{ $json.behaviorMetrics.system_changes.boot_config_modifications }}\n\n**Network Activity:**\n- C2 Connections: {{ JSON.stringify($json.behaviorMetrics.network_activity.c2_connections) }}\n- Lateral Movement Attempts: {{ JSON.stringify($json.behaviorMetrics.network_activity.lateral_movement) }}\n- SMB Connections: {{ $json.behaviorMetrics.network_activity.smb_connections }}\n\n**Risk Indicators:**\n{{ JSON.stringify($json.behaviorMetrics.risk_indicators, null, 2) }}\n\n**Analysis Requirements:**\n1. Assess threat level (0-100) based on behavioral indicators\n2. Classify attack type (crypto-locker, wiper, ransomware-as-a-service, or false positive)\n3. Identify ransomware family if possible (LockBit, BlackCat, Royal, Play, etc.)\n4. Determine confidence level (HIGH/MEDIUM/LOW)\n5. Recommend immediate action (ISOLATE_IMMEDIATELY, MONITOR_CLOSELY, or NO_ACTION)\n6. Map to MITRE ATT&CK techniques\n7. Provide forensic indicators for investigation\n\n**Response Format (JSON only, no markdown):**\n{\n  \"threat_assessment\": {\n    \"is_ransomware\": true,\n    \"threat_score\": 85,\n    \"confidence_level\": \"HIGH\",\n    \"threat_classification\": \"CRYPTO_LOCKER_RANSOMWARE\",\n    \"severity\": \"CRITICAL\"\n  },\n  \"ransomware_family\": {\n    \"suspected_family\": \"LockBit 3.0\",\n    \"family_confidence\": \"MEDIUM\",\n    \"indicators_matched\": [\"shadow copy deletion\", \"high entropy files\", \".locked extension\"]\n  },\n  \"behavioral_analysis\": {\n    \"encryption_behavior_detected\": true,\n    \"mass_file_modification\": true,\n    \"system_recovery_sabotage\": true,\n    \"lateral_movement_attempts\": false,\n    \"c2_communication\": true,\n    \"ransom_note_deployment\": true\n  },\n  \"mitre_attack_techniques\": [\n    \"T1486 - Data Encrypted for Impact\",\n    \"T1490 - Inhibit System Recovery\",\n    \"T1059 - Command and Scripting Interpreter\",\n    \"T1105 - Ingress Tool Transfer\"\n  ],\n  \"forensic_indicators\": {\n    \"file_markers\": [\"list of suspicious files or patterns\"],\n    \"process_markers\": [\"suspicious process names or command lines\"],\n    \"network_markers\": [\"C2 IPs or domains\"],\n    \"registry_markers\": [\"persistence mechanisms\"]\n  },\n  \"attack_timeline\": {\n    \"infection_vector\": \"suspected phishing email or exploit\",\n    \"initial_compromise_estimate\": \"ISO timestamp estimate\",\n    \"encryption_start_time\": \"ISO timestamp\",\n    \"current_stage\": \"active encryption phase\"\n  },\n  \"impact_assessment\": {\n    \"files_encrypted_estimated\": 247,\n    \"directories_affected\": 15,\n    \"data_loss_risk\": \"HIGH\",\n    \"business_impact\": \"CRITICAL - Production data encryption in progress\"\n  },\n  \"recommended_action\": \"ISOLATE_IMMEDIATELY\",\n  \"isolation_justification\": \"Active encryption detected with high confidence. Immediate network isolation required to prevent spread.\",\n  \"containment_priority\": \"IMMEDIATE\",\n  \"investigation_priority_actions\": [\n    \"Isolate host from network\",\n    \"Kill encryption process\",\n    \"Preserve memory dump\",\n    \"Collect network traffic logs\",\n    \"Check for lateral movement\"\n  ],\n  \"false_positive_probability\": 0.05,\n  \"false_positive_reasoning\": \"Brief explanation if FP probability > 0.1\",\n  \"analyst_notes\": \"Brief summary for SOC team with key findings and urgency\"\n}","options":{"systemMessage":"You are a senior cybersecurity analyst specializing in ransomware detection. Respond with valid JSON only — no markdown, no code blocks, no preamble. Base your analysis on MITRE ATT&CK, NIST guidelines, and current ransomware threat intelligence."},"promptType":"define"},"typeVersion":1.6},{"id":"33dac890-11e7-4bbb-9b27-31b25fa6c0d8","name":"Claude AI Model","type":"@n8n/n8n-nodes-langchain.lmChatAnthropic","position":[2016,1008],"parameters":{"model":"=claude-sonnet-4-20250514","options":{"temperature":0.1}},"credentials":{"anthropicApi":{"id":"credential-id","name":"Anthropic account - test"}},"typeVersion":1},{"id":"c8d58737-1567-4e97-b49d-30f29bf510ea","name":"Parse AI Threat Assessment","type":"n8n-nodes-base.code","position":[2288,784],"parameters":{"mode":"runOnceForEachItem","jsCode":"const aiResponse = $input.item.json;\nlet aiText = aiResponse.response || aiResponse.output || aiResponse.text || '';\n\n// Handle Anthropic content array format\nif (aiResponse.content && Array.isArray(aiResponse.content)) {\n  aiText = aiResponse.content[0]?.text || '';\n}\n\n// Strip markdown code blocks\nconst cleanText = aiText\n  .replace(/```json\\s*/g, '')\n  .replace(/```\\s*/g, '')\n  .trim();\n\nlet threatAnalysis;\ntry {\n  threatAnalysis = JSON.parse(cleanText);\n} catch (error) {\n  throw new Error(`Failed to parse Claude AI threat analysis: ${error.message}. Raw: ${cleanText.substring(0, 200)}`);\n}\n\n// Pull behavior metrics from upstream\nconst behaviorMetrics = $('Aggregate File Operations (30s Window)').item.json.behaviorMetrics;\n\n// Create comprehensive threat report\nconst threatReport = {\n  detection_id: `RANSOMWARE-${Date.now()}-${Math.random().toString(36).substr(2, 8).toUpperCase()}`,\n  detected_at: new Date().toISOString(),\n  detection_source: 'Claude AI Ransomware Detection Engine v1.0',\n  \n  // System context\n  affected_system: {\n    hostname: behaviorMetrics.hostname,\n    username: behaviorMetrics.username,\n    detection_window: `${behaviorMetrics.detection_window_start} to ${behaviorMetrics.detection_window_end}`\n  },\n  \n  // AI threat assessment\n  threat_analysis: threatAnalysis.threat_assessment,\n  ransomware_family: threatAnalysis.ransomware_family,\n  behavioral_analysis: threatAnalysis.behavioral_analysis,\n  mitre_attack_techniques: threatAnalysis.mitre_attack_techniques,\n  \n  // Raw behavior data\n  behavior_metrics: behaviorMetrics,\n  \n  // Forensic evidence\n  forensic_indicators: threatAnalysis.forensic_indicators,\n  attack_timeline: threatAnalysis.attack_timeline,\n  impact_assessment: threatAnalysis.impact_assessment,\n  \n  // Response decision\n  recommended_action: threatAnalysis.recommended_action,\n  isolation_required: threatAnalysis.recommended_action === 'ISOLATE_IMMEDIATELY',\n  isolation_justification: threatAnalysis.isolation_justification,\n  containment_priority: threatAnalysis.containment_priority,\n  \n  // Investigation guidance\n  investigation_actions: threatAnalysis.investigation_priority_actions,\n  analyst_notes: threatAnalysis.analyst_notes,\n  \n  // Confidence metrics\n  confidence_level: threatAnalysis.threat_assessment.confidence_level,\n  threat_score: threatAnalysis.threat_assessment.threat_score,\n  false_positive_probability: threatAnalysis.false_positive_probability,\n  \n  // Status\n  status: 'ANALYZED',\n  next_action: threatAnalysis.threat_assessment.threat_score >= 75 ? 'INITIATE_ISOLATION' : 'MONITOR'\n};\n\nreturn { json: { threatReport } };"},"typeVersion":2},{"id":"1d640396-e79d-40aa-ba03-f285c678c4f8","name":"Threat Score >= 75? (Auto-Isolate Threshold)","type":"n8n-nodes-base.if","position":[2512,784],"parameters":{"options":{},"conditions":{"options":{"leftValue":"","caseSensitive":false,"typeValidation":"strict"},"combinator":"and","conditions":[{"operator":{"type":"number","operation":"largerEqual"},"leftValue":"={{ $json.threatReport.threat_score }}","rightValue":75}]}},"typeVersion":2},{"id":"a05b8e20-2774-41c0-a271-f6f810990d90","name":"Confirm Isolation Required","type":"n8n-nodes-base.if","position":[2736,688],"parameters":{"options":{},"conditions":{"options":{"leftValue":"","caseSensitive":false,"typeValidation":"strict"},"combinator":"or","conditions":[{"operator":{"type":"boolean","operation":"true"},"leftValue":"={{ $json.threatReport.isolation_required }}"},{"operator":{"type":"string","operation":"equals"},"leftValue":"={{ $json.threatReport.recommended_action }}","rightValue":"ISOLATE_IMMEDIATELY"}]}},"typeVersion":2},{"id":"482eea79-1446-469f-990f-26f8e0241267","name":"Capture Forensic Snapshot","type":"n8n-nodes-base.httpRequest","position":[2960,688],"parameters":{"url":"=https://edr-api.company.com/v1/forensics/snapshot","method":"POST","options":{"timeout":30000},"sendBody":true,"authentication":"genericCredentialType","bodyParameters":{"parameters":[{"name":"hostname","value":"={{ $json.threatReport.affected_system.hostname }}"},{"name":"snapshot_type","value":"full"},{"name":"capture_memory","value":true},{"name":"capture_process_tree","value":true},{"name":"capture_network_connections","value":true},{"name":"capture_file_operations_log","value":true},{"name":"incident_id","value":"={{ $json.threatReport.detection_id }}"}]},"genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"credential-id","name":"n8n"}},"typeVersion":4.2,"continueOnFail":true},{"id":"3eeb410a-2188-4899-90e2-f4085af95ca8","name":"Execute System Isolation","type":"n8n-nodes-base.httpRequest","position":[3184,688],"parameters":{"url":"=https://edr-api.company.com/v1/endpoint/isolate","method":"POST","options":{"timeout":30000,"response":{"response":{"responseFormat":"json"}}},"sendBody":true,"authentication":"genericCredentialType","bodyParameters":{"parameters":[{"name":"hostname","value":"={{ $json.threatReport.affected_system.hostname }}"},{"name":"isolation_type","value":"network_full"},{"name":"kill_processes","value":"={{ JSON.stringify($json.threatReport.forensic_indicators.process_markers) }}"},{"name":"block_network_adapters","value":true},{"name":"disable_smb_shares","value":true},{"name":"incident_id","value":"={{ $json.threatReport.detection_id }}"},{"name":"justification","value":"={{ $json.threatReport.isolation_justification }}"},{"name":"analyst_authorization","value":"Claude AI Auto-Isolation (Threat Score: {{ $json.threatReport.threat_score }})"}]},"genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"credential-id","name":"n8n"}},"typeVersion":4.2},{"id":"c263e2b3-01b7-44f8-85c8-92a77dfa32e6","name":"Terminate Encryption Process","type":"n8n-nodes-base.httpRequest","position":[3408,688],"parameters":{"url":"=https://edr-api.company.com/v1/process/terminate","method":"POST","options":{},"sendBody":true,"authentication":"genericCredentialType","bodyParameters":{"parameters":[{"name":"hostname","value":"={{ $json.threatReport.affected_system.hostname }}"},{"name":"process_identifiers","value":"={{ JSON.stringify($json.threatReport.behavior_metrics.process_activity.high_io_processes) }}"},{"name":"force_kill","value":true},{"name":"incident_id","value":"={{ $json.threatReport.detection_id }}"}]},"genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"credential-id","name":"n8n"}},"typeVersion":4.2,"continueOnFail":true},{"id":"db640fec-9431-46e5-85c4-10fe0956a4a7","name":"Alert SOC — Critical Ransomware Detection","type":"n8n-nodes-base.slack","position":[3632,496],"webhookId":"ef52d0bd-dcc1-4c1d-b3a1-f3d5b78d9753","parameters":{"resource":"channel","channelId":{"__rl":true,"mode":"list","value":""}},"credentials":{"slackApi":{"id":"credential-id","name":"Slack account - test "}},"typeVersion":2.2,"continueOnFail":true},{"id":"97f393b1-50d3-4b7f-a9e2-093507a8bc39","name":"Email Security Team","type":"n8n-nodes-base.emailSend","position":[3632,688],"webhookId":"email-soc-ransomware","parameters":{"options":{},"subject":"=[CRITICAL] Ransomware Detection — {{ $json.threatReport.affected_system.hostname }} — ISOLATED","toEmail":"user@example.com, user@example.com","fromEmail":"user@example.com"},"credentials":{"smtp":{"id":"credential-id","name":"SMTP -test"}},"typeVersion":2.1,"continueOnFail":true},{"id":"538edce0-cb79-4b17-8b5c-8d12f375532b","name":"Trigger PagerDuty Incident","type":"n8n-nodes-base.httpRequest","position":[3632,880],"parameters":{"url":"https://events.pagerduty.com/v2/enqueue","method":"POST","options":{},"jsonBody":"={\n  \"routing_key\": \"YOUR_PAGERDUTY_INTEGRATION_KEY\",\n  \"event_action\": \"trigger\",\n  \"dedup_key\": \"{{ $json.threatReport.detection_id }}\",\n  \"payload\": {\n    \"summary\": \"CRITICAL: Ransomware detected on {{ $json.threatReport.affected_system.hostname }} — System Isolated\",\n    \"severity\": \"critical\",\n    \"source\": \"{{ $json.threatReport.affected_system.hostname }}\",\n    \"component\": \"ransomware-detection\",\n    \"group\": \"security-incidents\",\n    \"class\": \"ransomware\",\n    \"custom_details\": {\n      \"detection_id\": \"{{ $json.threatReport.detection_id }}\",\n      \"threat_score\": {{ $json.threatReport.threat_score }},\n      \"threat_classification\": \"{{ $json.threatReport.threat_analysis.threat_classification }}\",\n      \"ransomware_family\": \"{{ $json.threatReport.ransomware_family.suspected_family }}\",\n      \"confidence_level\": \"{{ $json.threatReport.confidence_level }}\",\n      \"files_encrypted\": {{ $json.threatReport.impact_assessment.files_encrypted_estimated }},\n      \"isolation_status\": \"ISOLATED\",\n      \"incident_dashboard\": \"https://soc.company.com/incidents/{{ $json.threatReport.detection_id }}\"\n    }\n  },\n  \"links\": [\n    {\n      \"href\": \"https://soc.company.com/incidents/{{ $json.threatReport.detection_id }}\",\n      \"text\": \"View Incident Dashboard\"\n    }\n  ]\n}","sendBody":true,"specifyBody":"json"},"typeVersion":4.2,"continueOnFail":true},{"id":"fdd155a2-06c7-4daa-b899-6c5c61f44442","name":"Forward to SIEM (Splunk/Elastic)","type":"n8n-nodes-base.httpRequest","position":[3856,592],"parameters":{"url":"=https://siem.company.com/api/v1/events","method":"POST","options":{"response":{"response":{"responseFormat":"json"}}},"jsonBody":"={{ JSON.stringify($json.threatReport) }}","sendBody":true,"specifyBody":"json","authentication":"genericCredentialType","genericAuthType":"httpHeaderAuth"},"credentials":{"httpHeaderAuth":{"id":"credential-id","name":"n8n"}},"typeVersion":4.2,"continueOnFail":true},{"id":"8775fc52-d7fe-48b7-8cdd-688d262bde6a","name":"Write to Isolation Audit Log","type":"n8n-nodes-base.googleSheets","position":[4080,592],"parameters":{"columns":{"value":{},"schema":[],"mappingMode":"autoMapInputData","matchingColumns":[],"attemptToConvertTypes":false,"convertFieldsToString":false},"options":{},"operation":"append","sheetName":{"__rl":true,"mode":"id","value":"=Ransomware_Isolation_Audit_Log"},"documentId":{"__rl":true,"mode":"id","value":"YOUR_GOOGLE_SHEET_ID"},"authentication":"serviceAccount"},"credentials":{"googleApi":{"id":"credential-id","name":"Google Sheets- test"}},"typeVersion":4.5,"continueOnFail":true},{"id":"575c3fa5-810c-4c8f-b57b-c4f72aaeedb4","name":"Build Incident Response Summary","type":"n8n-nodes-base.code","position":[4304,592],"parameters":{"mode":"runOnceForEachItem","jsCode":"const threatReport = $('Parse AI Threat Assessment').item.json.threatReport;\nconst forensicSnapshot = $('Capture Forensic Snapshot').item.json;\nconst isolationResult = $('Execute System Isolation').item.json;\n\nconst incidentSummary = {\n  success: true,\n  detection_id: threatReport.detection_id,\n  incident_type: 'RANSOMWARE_ATTACK',\n  detected_at: threatReport.detected_at,\n  \n  affected_system: threatReport.affected_system,\n  \n  threat_assessment: {\n    classification: threatReport.threat_analysis.threat_classification,\n    threat_score: threatReport.threat_score,\n    confidence: threatReport.confidence_level,\n    ransomware_family: threatReport.ransomware_family.suspected_family,\n    severity: threatReport.threat_analysis.severity\n  },\n  \n  impact: {\n    files_encrypted: threatReport.impact_assessment.files_encrypted_estimated,\n    directories_affected: threatReport.impact_assessment.directories_affected,\n    business_impact: threatReport.impact_assessment.business_impact\n  },\n  \n  automated_response: {\n    isolation_executed: isolationResult?.isolated || true,\n    isolation_type: 'NETWORK_FULL',\n    processes_terminated: threatReport.forensic_indicators.process_markers?.length || 0,\n    forensic_snapshot_captured: forensicSnapshot?.snapshot_id || 'CAPTURED',\n    smb_shares_disabled: true,\n    network_adapters_blocked: true,\n    response_time_seconds: Math.round((new Date() - new Date(threatReport.detected_at)) / 1000)\n  },\n  \n  notifications: {\n    soc_alerted: true,\n    email_sent: true,\n    pagerduty_triggered: true,\n    siem_forwarded: true\n  },\n  \n  investigation: {\n    incident_dashboard_url: `https://soc.company.com/incidents/${threatReport.detection_id}`,\n    forensic_snapshot_id: forensicSnapshot?.snapshot_id || 'PENDING',\n    siem_query: `index=edr hostname=${threatReport.affected_system.hostname} earliest=-1h`,\n    priority_actions: threatReport.investigation_actions\n  },\n  \n  mitre_attack: threatReport.mitre_attack_techniques,\n  \n  analyst_notes: threatReport.analyst_notes,\n  \n  processing_status: 'INCIDENT_CONTAINED',\n  next_steps: [\n    'SOC team investigating root cause',\n    'Forensic analysis in progress',\n    'Checking for lateral movement',\n    'Coordinating with business stakeholders on impact',\n    'Preparing regulatory notifications if required'\n  ],\n  \n  processed_at: new Date().toISOString()\n};\n\nreturn { json: incidentSummary };"},"typeVersion":2},{"id":"c53204b8-c6c1-4101-b7c2-bfb4dba3ba03","name":"Send Detection Response","type":"n8n-nodes-base.respondToWebhook","position":[4528,592],"parameters":{"options":{"responseHeaders":{"entries":[{"name":"Content-Type","value":"application/json"}]}},"respondWith":"json","responseBody":"={{ JSON.stringify($json, null, 2) }}"},"typeVersion":1},{"id":"10db99e1-44f2-486d-9a02-543fdf39ab19","name":"Enhanced Monitoring Mode","type":"n8n-nodes-base.code","position":[2736,880],"parameters":{"mode":"runOnceForEachItem","jsCode":"const threatReport = $('Parse AI Threat Assessment').item.json.threatReport;\n\n// Threat score below 75 - monitor but don't isolate\nconst monitoringAlert = {\n  alert_type: 'SUSPICIOUS_BEHAVIOR_DETECTED',\n  detection_id: threatReport.detection_id,\n  threat_score: threatReport.threat_score,\n  confidence: threatReport.confidence_level,\n  hostname: threatReport.affected_system.hostname,\n  username: threatReport.affected_system.username,\n  detected_at: threatReport.detected_at,\n  \n  behavior_summary: {\n    classification: threatReport.threat_analysis.threat_classification,\n    suspicious_indicators: Object.entries(threatReport.behavioral_analysis)\n      .filter(([key, value]) => value === true)\n      .map(([key]) => key),\n    threat_level: threatReport.threat_analysis.severity\n  },\n  \n  recommended_action: 'ENHANCED_MONITORING',\n  monitoring_instructions: [\n    'Increase log collection frequency',\n    'Monitor file system activity closely',\n    'Watch for escalation in threat score',\n    'Alert if additional suspicious behavior detected',\n    'Prepare for potential isolation if threat increases'\n  ],\n  \n  analyst_notes: threatReport.analyst_notes,\n  \n  escalation_criteria: {\n    auto_isolate_if_threat_score_exceeds: 75,\n    alert_soc_if: [\n      'Threat score increases by 20+ points',\n      'Ransomware family identification confidence increases to HIGH',\n      'Mass file encryption begins',\n      'Shadow copy deletion detected'\n    ]\n  },\n  \n  status: 'MONITORING'\n};\n\nreturn { json: monitoringAlert };"},"typeVersion":2},{"id":"a6e6963e-9d75-4173-b0f4-bfd23c788955","name":"Notify SOC — Monitoring Alert","type":"n8n-nodes-base.slack","position":[2960,880],"webhookId":"2c145612-2c7f-4032-9725-df7d12029bc4","parameters":{"resource":"channel","channelId":{"__rl":true,"mode":"list","value":""}},"credentials":{"slackApi":{"id":"credential-id","name":"Slack account - test "}},"typeVersion":2.2,"continueOnFail":true},{"id":"28349131-9b56-4d6e-a794-5aeaad113447","name":"Log Monitoring Alert","type":"n8n-nodes-base.googleSheets","position":[3184,880],"parameters":{"columns":{"value":{},"schema":[],"mappingMode":"autoMapInputData","matchingColumns":[],"attemptToConvertTypes":false,"convertFieldsToString":false},"options":{},"operation":"append","sheetName":{"__rl":true,"mode":"id","value":"=Suspicious_Behavior_Monitoring"},"documentId":{"__rl":true,"mode":"id","value":"YOUR_GOOGLE_SHEET_ID"},"authentication":"serviceAccount"},"credentials":{"googleApi":{"id":"credential-id","name":"Google Sheets- test"}},"typeVersion":4.5,"continueOnFail":true}],"active":false,"pinData":{},"settings":{"executionOrder":"v1"},"versionId":"69bd2186-b5a4-477e-834b-a57bf149575c","connections":{"Claude AI Model":{"ai_languageModel":[[{"node":"Claude AI Ransomware Threat Analysis","type":"ai_languageModel","index":0}]]},"Email Security Team":{"main":[[{"node":"Forward to SIEM (Splunk/Elastic)","type":"main","index":0}]]},"Enhanced Monitoring Mode":{"main":[[{"node":"Notify SOC — Monitoring Alert","type":"main","index":0}]]},"Execute System Isolation":{"main":[[{"node":"Terminate Encryption Process","type":"main","index":0}]]},"File System Event Stream":{"main":[[{"node":"Aggregate File Operations (30s Window)","type":"main","index":0}]]},"Capture Forensic Snapshot":{"main":[[{"node":"Execute System Isolation","type":"main","index":0}]]},"Confirm Isolation Required":{"main":[[{"node":"Capture Forensic Snapshot","type":"main","index":0}]]},"Parse AI Threat Assessment":{"main":[[{"node":"Threat Score >= 75? (Auto-Isolate Threshold)","type":"main","index":0}]]},"Trigger PagerDuty Incident":{"main":[[{"node":"Forward to SIEM (Splunk/Elastic)","type":"main","index":0}]]},"Wait for Batch Window (30s)":{"main":[[{"node":"Claude AI Ransomware Threat Analysis","type":"main","index":0}]]},"Terminate Encryption Process":{"main":[[{"node":"Alert SOC — Critical Ransomware Detection","type":"main","index":0},{"node":"Email Security Team","type":"main","index":0},{"node":"Trigger PagerDuty Incident","type":"main","index":0}]]},"Write to Isolation Audit Log":{"main":[[{"node":"Build Incident Response Summary","type":"main","index":0}]]},"Build Incident Response Summary":{"main":[[{"node":"Send Detection Response","type":"main","index":0}]]},"Notify SOC — Monitoring Alert":{"main":[[{"node":"Log Monitoring Alert","type":"main","index":0}]]},"Forward to SIEM (Splunk/Elastic)":{"main":[[{"node":"Write to Isolation Audit Log","type":"main","index":0}]]},"Claude AI Ransomware Threat Analysis":{"main":[[{"node":"Parse AI Threat Assessment","type":"main","index":0}]]},"Aggregate File Operations (30s Window)":{"main":[[{"node":"Wait for Batch Window (30s)","type":"main","index":0}]]},"Alert SOC — Critical Ransomware Detection":{"main":[[{"node":"Forward to SIEM (Splunk/Elastic)","type":"main","index":0}]]},"Threat Score >= 75? (Auto-Isolate Threshold)":{"main":[[{"node":"Confirm Isolation Required","type":"main","index":0}],[{"node":"Enhanced Monitoring Mode","type":"main","index":0}]]}}},"lastUpdatedBy":1,"workflowInfo":{"nodeCount":26,"nodeTypes":{"n8n-nodes-base.if":{"count":2},"n8n-nodes-base.code":{"count":4},"n8n-nodes-base.wait":{"count":1},"n8n-nodes-base.slack":{"count":2},"n8n-nodes-base.webhook":{"count":1},"n8n-nodes-base.emailSend":{"count":1},"n8n-nodes-base.stickyNote":{"count":5},"n8n-nodes-base.httpRequest":{"count":5},"n8n-nodes-base.googleSheets":{"count":2},"@n8n/n8n-nodes-langchain.agent":{"count":1},"n8n-nodes-base.respondToWebhook":{"count":1},"@n8n/n8n-nodes-langchain.lmChatAnthropic":{"count":1}}},"status":"published","readyToDemo":null,"user":{"name":"Oneclick AI Squad","username":"oneclick-ai","bio":"The AI Squad Initiative is a pioneering effort to build, automate and scale AI-powered workflows using n8n.io. Our mission is to help individuals and businesses integrate AI agents seamlessly into their daily operations  from automating tasks and enhancing productivity to creating innovative, intelligent solutions. We design modular, reusable AI workflow templates that empower creators, developers and teams to supercharge their automation with minimal effort and maximum impact.","verified":true,"links":["https://www.oneclickitsolution.com/"],"avatar":"https://gravatar.com/avatar/848fca91367142f65f9e5c55d64e5c9952b160d7b060d103b52aa343c6bc7b3d?r=pg&d=retro&size=200"},"nodes":[{"id":11,"icon":"fa:envelope","name":"n8n-nodes-base.emailSend","codex":{"data":{"alias":["SMTP","email","human","form","wait","hitl","approval"],"resources":{"generic":[{"url":"https://n8n.io/blog/2021-the-year-to-automate-the-new-you-with-n8n/","icon":"☀️","label":"2021: The Year to Automate the New You with n8n"},{"url":"https://n8n.io/blog/build-your-own-virtual-assistant-with-n8n-a-step-by-step-guide/","icon":"👦","label":"Build your own virtual assistant with n8n: A step by step guide"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.sendemail/"}],"credentialDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/credentials/sendemail/"}]},"categories":["Communication","HITL","Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"HITL":["Human in the Loop"]}}},"group":"[\"output\"]","defaults":{"name":"Send Email","color":"#00bb88"},"iconData":{"icon":"envelope","type":"icon"},"displayName":"Send Email","typeVersion":2,"nodeCategories":[{"id":6,"name":"Communication"},{"id":9,"name":"Core Nodes"},{"id":28,"name":"HITL"}]},{"id":18,"icon":"file:googleSheets.svg","name":"n8n-nodes-base.googleSheets","codex":{"data":{"alias":["CSV","Sheet","Spreadsheet","GS"],"resources":{"generic":[{"url":"https://n8n.io/blog/love-at-first-sight-ricardos-n8n-journey/","icon":"❤️","label":"Love at first sight: Ricardo’s n8n journey"},{"url":"https://n8n.io/blog/why-business-process-automation-with-n8n-can-change-your-daily-life/","icon":"🧬","label":"Why business process automation with n8n can change your daily life"},{"url":"https://n8n.io/blog/automatically-adding-expense-receipts-to-google-sheets-with-telegram-mindee-twilio-and-n8n/","icon":"🧾","label":"Automatically Adding Expense Receipts to Google Sheets with Telegram, Mindee, Twilio, and n8n"},{"url":"https://n8n.io/blog/supercharging-your-conference-registration-process-with-n8n/","icon":"🎫","label":"Supercharging your conference registration process with n8n"},{"url":"https://n8n.io/blog/creating-triggers-for-n8n-workflows-using-polling/","icon":"⏲","label":"Creating triggers for n8n workflows using polling"},{"url":"https://n8n.io/blog/no-code-ecommerce-workflow-automations/","icon":"store","label":"6 e-commerce workflows to power up your Shopify s"},{"url":"https://n8n.io/blog/migrating-community-metrics-to-orbit-using-n8n/","icon":"📈","label":"Migrating Community Metrics to Orbit using n8n"},{"url":"https://n8n.io/blog/automate-google-apps-for-productivity/","icon":"💡","label":"15 Google apps you can combine and automate to increase productivity"},{"url":"https://n8n.io/blog/your-business-doesnt-need-you-to-operate/","icon":" 🖥️","label":"Hey founders! Your business doesn't need you to operate"},{"url":"https://n8n.io/blog/how-honest-burgers-use-automation-to-save-100k-per-year/","icon":"🍔","label":"How Honest Burgers Use Automation to Save $100k per year"},{"url":"https://n8n.io/blog/how-a-digital-strategist-uses-n8n-for-online-marketing/","icon":"💻","label":"How a digital strategist uses n8n for online marketing"},{"url":"https://n8n.io/blog/why-this-product-manager-loves-workflow-automation-with-n8n/","icon":"🧠","label":"Why this Product Manager loves workflow automation with n8n"},{"url":"https://n8n.io/blog/sending-automated-congratulations-with-google-sheets-twilio-and-n8n/","icon":"🙌","label":"Sending Automated Congratulations with Google Sheets, Twilio, and n8n "},{"url":"https://n8n.io/blog/how-a-membership-development-manager-automates-his-work-and-investments/","icon":"📈","label":"How a Membership Development Manager automates his work and investments"},{"url":"https://n8n.io/blog/aws-workflow-automation/","label":"7 no-code workflow automations for Amazon Web Services"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/app-nodes/n8n-nodes-base.googlesheets/"}],"credentialDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/credentials/google/oauth-single-service/"}]},"categories":["Data & Storage","Productivity"],"nodeVersion":"1.0","codexVersion":"1.0"}},"group":"[\"input\",\"output\"]","defaults":{"name":"Google Sheets"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI2MCIgaGVpZ2h0PSI2MCI+PGcgZmlsbD0ibm9uZSIgZmlsbC1ydWxlPSJldmVub2RkIiBzdHJva2UtbGluZWNhcD0icm91bmQiIHN0cm9rZS1saW5lam9pbj0icm91bmQiPjxwYXRoIGZpbGw9IiMyOEI0NDYiIGQ9Ik0zNS42OSAxIDUyIDE3LjIyNXYzOS4wODdhMy42NyAzLjY3IDAgMCAxLTEuMDg0IDIuNjFBMy43IDMuNyAwIDAgMSA0OC4yOTMgNjBIMTIuNzA3YTMuNyAzLjcgMCAwIDEtMi42MjMtMS4wNzhBMy42NyAzLjY3IDAgMCAxIDkgNTYuMzEyVjQuNjg4YTMuNjcgMy42NyAwIDAgMSAxLjA4NC0yLjYxQTMuNyAzLjcgMCAwIDEgMTIuNzA3IDF6Ii8+PHBhdGggZmlsbD0iIzZBQ0U3QyIgZD0iTTM1LjY5IDEgNTIgMTcuMjI1SDM5LjM5N2MtMi4wNTQgMC0zLjcwNy0xLjgyOS0zLjcwNy0zLjg3MnoiLz48cGF0aCBmaWxsPSIjMjE5QjM4IiBkPSJNMzkuMjExIDE3LjIyNSA1MiAyMi40OHYtNS4yNTV6Ii8+PHBhdGggZmlsbD0iI0ZGRiIgZD0iTTIwLjEyIDMxLjk3NWMwLS44MTcuNjYyLTEuNDc1IDEuNDgzLTEuNDc1aDE3Ljc5NGMuODIxIDAgMS40ODIuNjU4IDEuNDgyIDEuNDc1djE1LjQ4N2MwIC44MTgtLjY2MSAxLjQ3NS0xLjQ4MiAxLjQ3NUgyMS42MDNhMS40NzYgMS40NzYgMCAwIDEtMS40ODItMS40NzRWMzEuOTc0em0yLjIyNSAxLjQ3NWg2LjY3MnYyLjIxMmgtNi42NzJ6bTAgNS4xNjJoNi42NzJ2Mi4yMTNoLTYuNjcyem0wIDUuMTYzaDYuNjcydjIuMjEyaC02LjY3MnptOS42MzgtMTAuMzI1aDYuNjcydjIuMjEyaC02LjY3MnptMCA1LjE2Mmg2LjY3MnYyLjIxM2gtNi42NzJ6bTAgNS4xNjNoNi42NzJ2Mi4yMTJoLTYuNjcyeiIvPjxwYXRoIGZpbGw9IiMyOEI0NDYiIGQ9Ik0zNC42OSAwIDUxIDE2LjIyNXYzOS4wODdhMy42NyAzLjY3IDAgMCAxLTEuMDg0IDIuNjFBMy43IDMuNyAwIDAgMSA0Ny4yOTMgNTlIMTEuNzA3YTMuNyAzLjcgMCAwIDEtMi42MjMtMS4wNzhBMy42NyAzLjY3IDAgMCAxIDggNTUuMzEyVjMuNjg4YTMuNjcgMy42NyAwIDAgMSAxLjA4NC0yLjYxQTMuNyAzLjcgMCAwIDEgMTEuNzA3IDB6Ii8+PHBhdGggZmlsbD0iIzZBQ0U3QyIgZD0iTTM0LjY5IDAgNTEgMTYuMjI1SDM4LjM5N2MtMi4wNTQgMC0zLjcwNy0xLjgyOS0zLjcwNy0zLjg3MnoiLz48cGF0aCBmaWxsPSIjMjE5QjM4IiBkPSJNMzguMjExIDE2LjIyNSA1MSAyMS40OHYtNS4yNTV6Ii8+PHBhdGggZmlsbD0iI0ZGRiIgZD0iTTE5LjEyIDMwLjk3NWMwLS44MTcuNjYyLTEuNDc1IDEuNDgzLTEuNDc1aDE3Ljc5NGMuODIxIDAgMS40ODIuNjU4IDEuNDgyIDEuNDc1djE1LjQ4N2MwIC44MTgtLjY2MSAxLjQ3NS0xLjQ4MiAxLjQ3NUgyMC42MDNhMS40NzYgMS40NzYgMCAwIDEtMS40ODItMS40NzRWMzAuOTc0em0yLjIyNSAxLjQ3NWg2LjY3MnYyLjIxMmgtNi42NzJ6bTAgNS4xNjJoNi42NzJ2Mi4yMTNoLTYuNjcyem0wIDUuMTYzaDYuNjcydjIuMjEyaC02LjY3MnptOS42MzgtMTAuMzI1aDYuNjcydjIuMjEyaC02LjY3MnptMCA1LjE2Mmg2LjY3MnYyLjIxM2gtNi42NzJ6bTAgNS4xNjNoNi42NzJ2Mi4yMTJoLTYuNjcyeiIvPjwvZz48L3N2Zz4="},"displayName":"Google Sheets","typeVersion":5,"nodeCategories":[{"id":3,"name":"Data & Storage"},{"id":4,"name":"Productivity"}]},{"id":19,"icon":"file:httprequest.svg","name":"n8n-nodes-base.httpRequest","codex":{"data":{"alias":["API","Request","URL","Build","cURL"],"resources":{"generic":[{"url":"https://n8n.io/blog/2021-the-year-to-automate-the-new-you-with-n8n/","icon":"☀️","label":"2021: The Year to Automate the New You with n8n"},{"url":"https://n8n.io/blog/why-business-process-automation-with-n8n-can-change-your-daily-life/","icon":"🧬","label":"Why business process automation with n8n can change your daily life"},{"url":"https://n8n.io/blog/automatically-pulling-and-visualizing-data-with-n8n/","icon":"📈","label":"Automatically pulling and visualizing data with n8n"},{"url":"https://n8n.io/blog/learn-how-to-automatically-cross-post-your-content-with-n8n/","icon":"✍️","label":"Learn how to automatically cross-post your content with n8n"},{"url":"https://n8n.io/blog/automatically-adding-expense-receipts-to-google-sheets-with-telegram-mindee-twilio-and-n8n/","icon":"🧾","label":"Automatically Adding Expense Receipts to Google Sheets with Telegram, Mindee, Twilio, and n8n"},{"url":"https://n8n.io/blog/running-n8n-on-ships-an-interview-with-maranics/","icon":"🛳","label":"Running n8n on ships: An interview with Maranics"},{"url":"https://n8n.io/blog/what-are-apis-how-to-use-them-with-no-code/","icon":" 🪢","label":"What are APIs and how to use them with no code"},{"url":"https://n8n.io/blog/5-tasks-you-can-automate-with-notion-api/","icon":"⚡️","label":"5 tasks you can automate with the new Notion API "},{"url":"https://n8n.io/blog/world-poetry-day-workflow/","icon":"📜","label":"Celebrating World Poetry Day with a daily poem in Telegram"},{"url":"https://n8n.io/blog/automate-google-apps-for-productivity/","icon":"💡","label":"15 Google apps you can combine and automate to increase productivity"},{"url":"https://n8n.io/blog/automate-designs-with-bannerbear-and-n8n/","icon":"🎨","label":"Automate Designs with Bannerbear and n8n"},{"url":"https://n8n.io/blog/how-uproc-scraped-a-multi-page-website-with-a-low-code-workflow/","icon":" 🕸️","label":"How uProc scraped a multi-page website with a low-code workflow"},{"url":"https://n8n.io/blog/building-an-expense-tracking-app-in-10-minutes/","icon":"📱","label":"Building an expense tracking app in 10 minutes"},{"url":"https://n8n.io/blog/5-workflow-automations-for-mattermost-that-we-love-at-n8n/","icon":"🤖","label":"5 workflow automations for Mattermost that we love at n8n"},{"url":"https://n8n.io/blog/how-to-use-the-http-request-node-the-swiss-army-knife-for-workflow-automation/","icon":"🧰","label":"How to use the HTTP Request Node - The Swiss Army Knife for Workflow Automation"},{"url":"https://n8n.io/blog/learn-how-to-use-webhooks-with-mattermost-slash-commands/","icon":"🦄","label":"Learn how to use webhooks with Mattermost slash commands"},{"url":"https://n8n.io/blog/how-a-membership-development-manager-automates-his-work-and-investments/","icon":"📈","label":"How a Membership Development Manager automates his work and investments"},{"url":"https://n8n.io/blog/a-low-code-bitcoin-ticker-built-with-questdb-and-n8n-io/","icon":"📈","label":"A low-code bitcoin ticker built with QuestDB and n8n.io"},{"url":"https://n8n.io/blog/how-to-set-up-a-ci-cd-pipeline-with-no-code/","icon":"🎡","label":"How to set up a no-code CI/CD pipeline with GitHub and TravisCI"},{"url":"https://n8n.io/blog/automations-for-activists/","icon":"✨","label":"How Common Knowledge use workflow automation for activism"},{"url":"https://n8n.io/blog/creating-scheduled-text-affirmations-with-n8n/","icon":"🤟","label":"Creating scheduled text affirmations with n8n"},{"url":"https://n8n.io/blog/how-goomer-automated-their-operations-with-over-200-n8n-workflows/","icon":"🛵","label":"How Goomer automated their operations with over 200 n8n workflows"},{"url":"https://n8n.io/blog/aws-workflow-automation/","label":"7 no-code workflow automations for Amazon Web Services"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.httprequest/"}]},"categories":["Development","Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers"]}}},"group":"[\"output\"]","defaults":{"name":"HTTP Request","color":"#0004F5"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNDAiIGhlaWdodD0iNDAiIHZpZXdCb3g9IjAgMCA0MCA0MCIgZmlsbD0ibm9uZSIgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIj4KPHBhdGggZmlsbC1ydWxlPSJldmVub2RkIiBjbGlwLXJ1bGU9ImV2ZW5vZGQiIGQ9Ik00MCAyMEM0MCA4Ljk1MzE0IDMxLjA0NjkgMCAyMCAwQzguOTUzMTQgMCAwIDguOTUzMTQgMCAyMEMwIDMxLjA0NjkgOC45NTMxNCA0MCAyMCA0MEMzMS4wNDY5IDQwIDQwIDMxLjA0NjkgNDAgMjBaTTIwIDM2Ljk0NThDMTguODg1MiAzNi45NDU4IDE3LjEzNzggMzUuOTY3IDE1LjQ5OTggMzIuNjk4NUMxNC43OTY0IDMxLjI5MTggMTQuMTk2MSAyOS41NDMxIDEzLjc1MjYgMjcuNjg0N0gyNi4xODk4QzI1LjgwNDUgMjkuNTQwMyAyNS4yMDQ0IDMxLjI5MDEgMjQuNTAwMiAzMi42OTg1QzIyLjg2MjIgMzUuOTY3IDIxLjExNDggMzYuOTQ1OCAyMCAzNi45NDU4Wk0xMi45MDY0IDIwQzEyLjkwNjQgMjEuNjA5NyAxMy4wMDg3IDIzLjE2NCAxMy4yMDAzIDI0LjYzMDVIMjYuNzk5N0MyNi45OTEzIDIzLjE2NCAyNy4wOTM2IDIxLjYwOTcgMjcuMDkzNiAyMEMyNy4wOTM2IDE4LjM5MDMgMjYuOTkxMyAxNi44MzYgMjYuNzk5NyAxNS4zNjk1SDEzLjIwMDNDMTMuMDA4NyAxNi44MzYgMTIuOTA2NCAxOC4zOTAzIDEyLjkwNjQgMjBaTTIwIDMuMDU0MTlDMjEuMTE0OSAzLjA1NDE5IDIyLjg2MjIgNC4wMzA3OCAyNC41MDAxIDcuMzAwMzlDMjUuMjA2NiA4LjcxNDA4IDI1LjgwNzIgMTAuNDA2NyAyNi4xOTIgMTIuMzE1M0gxMy43NTAxQzE0LjE5MzMgMTAuNDA0NyAxNC43OTQyIDguNzEyNTQgMTUuNDk5OCA3LjMwMDY0QzE3LjEzNzcgNC4wMzA4MyAxOC44ODUxIDMuMDU0MTkgMjAgMy4wNTQxOVpNMzAuMTQ3OCAyMEMzMC4xNDc4IDE4LjQwOTkgMzAuMDU0MyAxNi44NjE3IDI5LjgyMjcgMTUuMzY5NUgzNi4zMDQyQzM2LjcyNTIgMTYuODQyIDM2Ljk0NTggMTguMzk2NCAzNi45NDU4IDIwQzM2Ljk0NTggMjEuNjAzNiAzNi43MjUyIDIzLjE1OCAzNi4zMDQyIDI0LjYzMDVIMjkuODIyN0MzMC4wNTQzIDIzLjEzODMgMzAuMTQ3OCAyMS41OTAxIDMwLjE0NzggMjBaTTI2LjI3NjcgNC4yNTUxMkMyNy42MzY1IDYuMzYwMTkgMjguNzExIDkuMTMyIDI5LjM3NzQgMTIuMzE1M0gzNS4xMDQ2QzMzLjI1MTEgOC42NjggMzAuMTA3IDUuNzgzNDYgMjYuMjc2NyA0LjI1NTEyWk0xMC42MjI2IDEyLjMxNTNINC44OTI5M0M2Ljc1MTQ3IDguNjY3ODQgOS44OTM1MSA1Ljc4MzQxIDEzLjcyMzIgNC4yNTUxM0MxMi4zNjM1IDYuMzYwMjEgMTEuMjg5IDkuMTMyMDEgMTAuNjIyNiAxMi4zMTUzWk0zLjA1NDE5IDIwQzMuMDU0MTkgMjEuNjAzIDMuMjc3NDMgMjMuMTU3NSAzLjY5NDg0IDI0LjYzMDVIMTAuMTIxN0M5Ljk0NjE5IDIzLjE0MiA5Ljg1MjIyIDIxLjU5NDMgOS44NTIyMiAyMEM5Ljg1MjIyIDE4LjQwNTcgOS45NDYxOSAxNi44NTggMTAuMTIxNyAxNS4zNjk1SDMuNjk0ODRDMy4yNzc0MyAxNi44NDI1IDMuMDU0MTkgMTguMzk3IDMuMDU0MTkgMjBaTTI2LjI3NjYgMzUuNzQyN0MyNy42MzY1IDMzLjYzOTMgMjguNzExIDMwLjg2OCAyOS4zNzc0IDI3LjY4NDdIMzUuMTA0NkMzMy4yNTEgMzEuMzMyMiAzMC4xMDY4IDM0LjIxNzkgMjYuMjc2NiAzNS43NDI3Wk0xMy43MjM0IDM1Ljc0MjdDOS44OTM2OSAzNC4yMTc5IDYuNzUxNTUgMzEuMzMyNCA0Ljg5MjkzIDI3LjY4NDdIMTAuNjIyNkMxMS4yODkgMzAuODY4IDEyLjM2MzUgMzMuNjM5MyAxMy43MjM0IDM1Ljc0MjdaIiBmaWxsPSIjM0E0MkU5Ii8+Cjwvc3ZnPgo="},"displayName":"HTTP Request","typeVersion":4,"nodeCategories":[{"id":5,"name":"Development"},{"id":9,"name":"Core Nodes"}]},{"id":20,"icon":"fa:map-signs","name":"n8n-nodes-base.if","codex":{"data":{"alias":["Router","Filter","Condition","Logic","Boolean","Branch"],"details":"The IF node can be used to implement binary conditional logic in your workflow. You can set up one-to-many conditions to evaluate each item of data being inputted into the node. That data will either evaluate to TRUE or FALSE and route out of the node accordingly.\n\nThis node has multiple types of conditions: Bool, String, Number, and Date & Time.","resources":{"generic":[{"url":"https://n8n.io/blog/learn-to-automate-your-factorys-incident-reporting-a-step-by-step-guide/","icon":"🏭","label":"Learn to Automate Your Factory's Incident Reporting: A Step by Step Guide"},{"url":"https://n8n.io/blog/2021-the-year-to-automate-the-new-you-with-n8n/","icon":"☀️","label":"2021: The Year to Automate the New You with n8n"},{"url":"https://n8n.io/blog/why-business-process-automation-with-n8n-can-change-your-daily-life/","icon":"🧬","label":"Why business process automation with n8n can change your daily life"},{"url":"https://n8n.io/blog/create-a-toxic-language-detector-for-telegram/","icon":"🤬","label":"Create a toxic language detector for Telegram in 4 step"},{"url":"https://n8n.io/blog/no-code-ecommerce-workflow-automations/","icon":"store","label":"6 e-commerce workflows to power up your Shopify s"},{"url":"https://n8n.io/blog/how-to-build-a-low-code-self-hosted-url-shortener/","icon":"🔗","label":"How to build a low-code, self-hosted URL shortener in 3 steps"},{"url":"https://n8n.io/blog/automate-your-data-processing-pipeline-in-9-steps-with-n8n/","icon":"⚙️","label":"Automate your data processing pipeline in 9 steps"},{"url":"https://n8n.io/blog/how-to-get-started-with-crm-automation-and-no-code-workflow-ideas/","icon":"👥","label":"How to get started with CRM automation (with 3 no-code workflow ideas"},{"url":"https://n8n.io/blog/5-tasks-you-can-automate-with-notion-api/","icon":"⚡️","label":"5 tasks you can automate with the new Notion API "},{"url":"https://n8n.io/blog/automate-google-apps-for-productivity/","icon":"💡","label":"15 Google apps you can combine and automate to increase productivity"},{"url":"https://n8n.io/blog/automation-for-maintainers-of-open-source-projects/","icon":"🏷️","label":"How to automatically manage contributions to open-source projects"},{"url":"https://n8n.io/blog/how-uproc-scraped-a-multi-page-website-with-a-low-code-workflow/","icon":" 🕸️","label":"How uProc scraped a multi-page website with a low-code workflow"},{"url":"https://n8n.io/blog/5-workflow-automations-for-mattermost-that-we-love-at-n8n/","icon":"🤖","label":"5 workflow automations for Mattermost that we love at n8n"},{"url":"https://n8n.io/blog/why-this-product-manager-loves-workflow-automation-with-n8n/","icon":"🧠","label":"Why this Product Manager loves workflow automation with n8n"},{"url":"https://n8n.io/blog/sending-automated-congratulations-with-google-sheets-twilio-and-n8n/","icon":"🙌","label":"Sending Automated Congratulations with Google Sheets, Twilio, and n8n "},{"url":"https://n8n.io/blog/how-to-set-up-a-ci-cd-pipeline-with-no-code/","icon":"🎡","label":"How to set up a no-code CI/CD pipeline with GitHub and TravisCI"},{"url":"https://n8n.io/blog/benefits-of-automation-and-n8n-an-interview-with-hubspots-hugh-durkin/","icon":"🎖","label":"Benefits of automation and n8n: An interview with HubSpot's Hugh Durkin"},{"url":"https://n8n.io/blog/aws-workflow-automation/","label":"7 no-code workflow automations for Amazon Web Services"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.if/"}]},"categories":["Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Flow"]}}},"group":"[\"transform\"]","defaults":{"name":"If","color":"#408000"},"iconData":{"icon":"map-signs","type":"icon"},"displayName":"If","typeVersion":2,"nodeCategories":[{"id":9,"name":"Core Nodes"}]},{"id":40,"icon":"file:slack.svg","name":"n8n-nodes-base.slack","codex":{"data":{"alias":["human","form","wait","hitl","approval"],"resources":{"generic":[{"url":"https://n8n.io/blog/no-code-ecommerce-workflow-automations/","icon":"store","label":"6 e-commerce workflows to power up your Shopify s"},{"url":"https://n8n.io/blog/automate-your-data-processing-pipeline-in-9-steps-with-n8n/","icon":"⚙️","label":"Automate your data processing pipeline in 9 steps"},{"url":"https://n8n.io/blog/how-to-get-started-with-crm-automation-and-no-code-workflow-ideas/","icon":"👥","label":"How to get started with CRM automation (with 3 no-code workflow ideas"},{"url":"https://n8n.io/blog/5-tasks-you-can-automate-with-notion-api/","icon":"⚡️","label":"5 tasks you can automate with the new Notion API "},{"url":"https://n8n.io/blog/build-your-own-virtual-assistant-with-n8n-a-step-by-step-guide/","icon":"👦","label":"Build your own virtual assistant with n8n: A step by step guide"},{"url":"https://n8n.io/blog/how-to-automatically-give-kudos-to-contributors-with-github-slack-and-n8n/","icon":"👏","label":"How to automatically give kudos to contributors with GitHub, Slack, and n8n"},{"url":"https://n8n.io/blog/automations-for-activists/","icon":"✨","label":"How Common Knowledge use workflow automation for activism"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/app-nodes/n8n-nodes-base.slack/"}],"credentialDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/credentials/slack/"}]},"categories":["Communication","HITL"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"HITL":["Human in the Loop"]}}},"group":"[\"output\"]","defaults":{"name":"Slack"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiBmaWxsPSIjZmZmIiBmaWxsLXJ1bGU9ImV2ZW5vZGQiIHN0cm9rZT0iIzAwMCIgc3Ryb2tlLWxpbmVjYXA9InJvdW5kIiBzdHJva2UtbGluZWpvaW49InJvdW5kIiB2aWV3Qm94PSIwIDAgMTUwLjg1MiAxNTAuODUyIj48dXNlIHhsaW5rOmhyZWY9IiNhIiB4PSIuOTI2IiB5PSIuOTI2Ii8+PHN5bWJvbCBpZD0iYSIgb3ZlcmZsb3c9InZpc2libGUiPjxnIHN0cm9rZS13aWR0aD0iMS44NTIiPjxwYXRoIGZpbGw9IiNlMDFlNWEiIHN0cm9rZT0iI2UwMWU1YSIgZD0iTTQwLjc0MSA5My41NWMwLTguNzM1IDYuNjA3LTE1Ljc3MiAxNC44MTUtMTUuNzcyczE0LjgxNSA3LjAzNyAxNC44MTUgMTUuNzcydjM4LjgyNGMwIDguNzM3LTYuNjA3IDE1Ljc3NC0xNC44MTUgMTUuNzc0cy0xNC44MTUtNy4wMzctMTQuODE1LTE1Ljc3MnoiLz48cGF0aCBmaWxsPSIjZWNiMjJkIiBzdHJva2U9IiNlY2IyMmQiIGQ9Ik05My41NSAxMDcuNDA4Yy04LjczNSAwLTE1Ljc3Mi02LjYwNy0xNS43NzItMTQuODE1czcuMDM3LTE0LjgxNSAxNS43NzItMTQuODE1aDM4LjgyNmM4LjczNSAwIDE1Ljc3MiA2LjYwNyAxNS43NzIgMTQuODE1cy03LjAzNyAxNC44MTUtMTUuNzcyIDE0LjgxNXoiLz48cGF0aCBmaWxsPSIjMmZiNjdjIiBzdHJva2U9IiMyZmI2N2MiIGQ9Ik03Ny43NzggMTUuNzcyQzc3Ljc3OCA3LjAzNyA4NC4zODUgMCA5Mi41OTMgMHMxNC44MTUgNy4wMzcgMTQuODE1IDE1Ljc3MnYzOC44MjZjMCA4LjczNS02LjYwNyAxNS43NzItMTQuODE1IDE1Ljc3MnMtMTQuODE1LTcuMDM3LTE0LjgxNS0xNS43NzJ6Ii8+PHBhdGggZmlsbD0iIzM2YzVmMSIgc3Ryb2tlPSIjMzZjNWYxIiBkPSJNMTUuNzcyIDcwLjM3MUM3LjAzNyA3MC4zNzEgMCA2My43NjMgMCA1NS41NTZzNy4wMzctMTQuODE1IDE1Ljc3Mi0xNC44MTVoMzguODI2YzguNzM1IDAgMTUuNzcyIDYuNjA3IDE1Ljc3MiAxNC44MTVzLTcuMDM3IDE0LjgxNS0xNS43NzIgMTQuODE1eiIvPjxnIHN0cm9rZS1saW5lam9pbj0ibWl0ZXIiPjxwYXRoIGZpbGw9IiNlY2IyMmQiIHN0cm9rZT0iI2VjYjIyZCIgZD0iTTc3Ljc3OCAxMzMuMzMzYzAgOC4yMDggNi42MDcgMTQuODE1IDE0LjgxNSAxNC44MTVzMTQuODE1LTYuNjA3IDE0LjgxNS0xNC44MTUtNi42MDctMTQuODE1LTE0LjgxNS0xNC44MTVINzcuNzc4eiIvPjxwYXRoIGZpbGw9IiMyZmI2N2MiIHN0cm9rZT0iIzJmYjY3YyIgZD0iTTEzMy4zMzQgNzAuMzcxaC0xNC44MTVWNTUuNTU2YzAtOC4yMDcgNi42MDctMTQuODE1IDE0LjgxNS0xNC44MTVzMTQuODE1IDYuNjA3IDE0LjgxNSAxNC44MTUtNi42MDcgMTQuODE1LTE0LjgxNSAxNC44MTV6Ii8+PHBhdGggZmlsbD0iI2UwMWU1YSIgc3Ryb2tlPSIjZTAxZTVhIiBkPSJNMTQuODE1IDc3Ljc3OEgyOS42M3YxNC44MTVjMCA4LjIwNy02LjYwNyAxNC44MTUtMTQuODE1IDE0LjgxNVMwIDEwMC44IDAgOTIuNTkzczYuNjA3LTE0LjgxNSAxNC44MTUtMTQuODE1eiIvPjxwYXRoIGZpbGw9IiMzNmM1ZjEiIHN0cm9rZT0iIzM2YzVmMSIgZD0iTTcwLjM3MSAxNC44MTVWMjkuNjNINTUuNTU2Yy04LjIwNyAwLTE0LjgxNS02LjYwNy0xNC44MTUtMTQuODE1UzQ3LjM0OCAwIDU1LjU1NiAwczE0LjgxNSA2LjYwNyAxNC44MTUgMTQuODE1eiIvPjwvZz48L2c+PC9zeW1ib2w+PC9zdmc+"},"displayName":"Slack","typeVersion":2,"nodeCategories":[{"id":6,"name":"Communication"},{"id":28,"name":"HITL"}]},{"id":47,"icon":"file:webhook.svg","name":"n8n-nodes-base.webhook","codex":{"data":{"alias":["HTTP","API","Build","WH"],"resources":{"generic":[{"url":"https://n8n.io/blog/learn-how-to-automatically-cross-post-your-content-with-n8n/","icon":"✍️","label":"Learn how to automatically cross-post your content with n8n"},{"url":"https://n8n.io/blog/running-n8n-on-ships-an-interview-with-maranics/","icon":"🛳","label":"Running n8n on ships: An interview with Maranics"},{"url":"https://n8n.io/blog/how-to-build-a-low-code-self-hosted-url-shortener/","icon":"🔗","label":"How to build a low-code, self-hosted URL shortener in 3 steps"},{"url":"https://n8n.io/blog/what-are-apis-how-to-use-them-with-no-code/","icon":" 🪢","label":"What are APIs and how to use them with no code"},{"url":"https://n8n.io/blog/5-tasks-you-can-automate-with-notion-api/","icon":"⚡️","label":"5 tasks you can automate with the new Notion API "},{"url":"https://n8n.io/blog/how-a-digital-strategist-uses-n8n-for-online-marketing/","icon":"💻","label":"How a digital strategist uses n8n for online marketing"},{"url":"https://n8n.io/blog/the-ultimate-guide-to-automate-your-video-collaboration-with-whereby-mattermost-and-n8n/","icon":"📹","label":"The ultimate guide to automate your video collaboration with Whereby, Mattermost, and n8n"},{"url":"https://n8n.io/blog/how-to-automatically-give-kudos-to-contributors-with-github-slack-and-n8n/","icon":"👏","label":"How to automatically give kudos to contributors with GitHub, Slack, and n8n"},{"url":"https://n8n.io/blog/5-workflow-automations-for-mattermost-that-we-love-at-n8n/","icon":"🤖","label":"5 workflow automations for Mattermost that we love at n8n"},{"url":"https://n8n.io/blog/why-this-product-manager-loves-workflow-automation-with-n8n/","icon":"🧠","label":"Why this Product Manager loves workflow automation with n8n"},{"url":"https://n8n.io/blog/creating-custom-incident-response-workflows-with-n8n/","label":"How to automate every step of an incident response workflow"},{"url":"https://n8n.io/blog/learn-to-build-powerful-api-endpoints-using-webhooks/","icon":"🧰","label":"Learn to Build Powerful API Endpoints Using Webhooks"},{"url":"https://n8n.io/blog/learn-how-to-use-webhooks-with-mattermost-slash-commands/","icon":"🦄","label":"Learn how to use webhooks with Mattermost slash commands"},{"url":"https://n8n.io/blog/how-goomer-automated-their-operations-with-over-200-n8n-workflows/","icon":"🛵","label":"How Goomer automated their operations with over 200 n8n workflows"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.webhook/"}]},"categories":["Development","Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers"]}}},"group":"[\"trigger\"]","defaults":{"name":"Webhook"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0OCIgaGVpZ2h0PSI0OCI+PHBhdGggZmlsbD0iIzM3NDc0ZiIgZD0iTTM1IDM3Yy0yLjIgMC00LTEuOC00LTRzMS44LTQgNC00IDQgMS44IDQgNC0xLjggNC00IDQiLz48cGF0aCBmaWxsPSIjMzc0NzRmIiBkPSJNMzUgNDNjLTMgMC01LjktMS40LTcuOC0zLjdsMy4xLTIuNWMxLjEgMS40IDIuOSAyLjMgNC43IDIuMyAzLjMgMCA2LTIuNyA2LTZzLTIuNy02LTYtNmMtMSAwLTIgLjMtMi45LjdsLTEuNyAxTDIzLjMgMTZsMy41LTEuOSA1LjMgOS40YzEtLjMgMi0uNSAzLS41IDUuNSAwIDEwIDQuNSAxMCAxMFM0MC41IDQzIDM1IDQzIi8+PHBhdGggZmlsbD0iIzM3NDc0ZiIgZD0iTTE0IDQzQzguNSA0MyA0IDM4LjUgNCAzM2MwLTQuNiAzLjEtOC41IDcuNS05LjdsMSAzLjlDOS45IDI3LjkgOCAzMC4zIDggMzNjMCAzLjMgMi43IDYgNiA2czYtMi43IDYtNnYtMmgxNXY0SDIzLjhjLS45IDQuNi01IDgtOS44IDgiLz48cGF0aCBmaWxsPSIjZTkxZTYzIiBkPSJNMTQgMzdjLTIuMiAwLTQtMS44LTQtNHMxLjgtNCA0LTQgNCAxLjggNCA0LTEuOCA0LTQgNCIvPjxwYXRoIGZpbGw9IiMzNzQ3NGYiIGQ9Ik0yNSAxOWMtMi4yIDAtNC0xLjgtNC00czEuOC00IDQtNCA0IDEuOCA0IDQtMS44IDQtNCA0Ii8+PHBhdGggZmlsbD0iI2U5MWU2MyIgZD0ibTE1LjcgMzQtMy40LTIgNS45LTkuN2MtMi0xLjktMy4yLTQuNS0zLjItNy4zIDAtNS41IDQuNS0xMCAxMC0xMHMxMCA0LjUgMTAgMTBjMCAuOS0uMSAxLjctLjMgMi41bC0zLjktMWMuMS0uNS4yLTEgLjItMS41IDAtMy4zLTIuNy02LTYtNnMtNiAyLjctNiA2YzAgMi4xIDEuMSA0IDIuOSA1LjFsMS43IDF6Ii8+PC9zdmc+"},"displayName":"Webhook","typeVersion":2,"nodeCategories":[{"id":5,"name":"Development"},{"id":9,"name":"Core Nodes"}]},{"id":514,"icon":"fa:pause-circle","name":"n8n-nodes-base.wait","codex":{"data":{"alias":["pause","sleep","delay","timeout"],"resources":{"generic":[{"url":"https://n8n.io/blog/how-to-get-started-with-crm-automation-and-no-code-workflow-ideas/","icon":"👥","label":"How to get started with CRM automation (with 3 no-code workflow ideas"},{"url":"https://n8n.io/blog/aws-workflow-automation/","label":"7 no-code workflow automations for Amazon Web Services"}],"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.wait/"}]},"categories":["Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers","Flow"]}}},"group":"[\"organization\"]","defaults":{"name":"Wait","color":"#804050"},"iconData":{"icon":"pause-circle","type":"icon"},"displayName":"Wait","typeVersion":1,"nodeCategories":[{"id":9,"name":"Core Nodes"}]},{"id":535,"icon":"file:webhook.svg","name":"n8n-nodes-base.respondToWebhook","codex":{"data":{"resources":{"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.respondtowebhook/"}]},"categories":["Core Nodes","Utility"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers"]}}},"group":"[\"transform\"]","defaults":{"name":"Respond to Webhook"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0OCIgaGVpZ2h0PSI0OCI+PHBhdGggZmlsbD0iIzM3NDc0ZiIgZD0iTTM1IDM3Yy0yLjIgMC00LTEuOC00LTRzMS44LTQgNC00IDQgMS44IDQgNC0xLjggNC00IDQiLz48cGF0aCBmaWxsPSIjMzc0NzRmIiBkPSJNMzUgNDNjLTMgMC01LjktMS40LTcuOC0zLjdsMy4xLTIuNWMxLjEgMS40IDIuOSAyLjMgNC43IDIuMyAzLjMgMCA2LTIuNyA2LTZzLTIuNy02LTYtNmMtMSAwLTIgLjMtMi45LjdsLTEuNyAxTDIzLjMgMTZsMy41LTEuOSA1LjMgOS40YzEtLjMgMi0uNSAzLS41IDUuNSAwIDEwIDQuNSAxMCAxMFM0MC41IDQzIDM1IDQzIi8+PHBhdGggZmlsbD0iIzM3NDc0ZiIgZD0iTTE0IDQzQzguNSA0MyA0IDM4LjUgNCAzM2MwLTQuNiAzLjEtOC41IDcuNS05LjdsMSAzLjlDOS45IDI3LjkgOCAzMC4zIDggMzNjMCAzLjMgMi43IDYgNiA2czYtMi43IDYtNnYtMmgxNXY0SDIzLjhjLS45IDQuNi01IDgtOS44IDgiLz48cGF0aCBmaWxsPSIjZTkxZTYzIiBkPSJNMTQgMzdjLTIuMiAwLTQtMS44LTQtNHMxLjgtNCA0LTQgNCAxLjggNCA0LTEuOCA0LTQgNCIvPjxwYXRoIGZpbGw9IiMzNzQ3NGYiIGQ9Ik0yNSAxOWMtMi4yIDAtNC0xLjgtNC00czEuOC00IDQtNCA0IDEuOCA0IDQtMS44IDQtNCA0Ii8+PHBhdGggZmlsbD0iI2U5MWU2MyIgZD0ibTE1LjcgMzQtMy40LTIgNS45LTkuN2MtMi0xLjktMy4yLTQuNS0zLjItNy4zIDAtNS41IDQuNS0xMCAxMC0xMHMxMCA0LjUgMTAgMTBjMCAuOS0uMSAxLjctLjMgMi41bC0zLjktMWMuMS0uNS4yLTEgLjItMS41IDAtMy4zLTIuNy02LTYtNnMtNiAyLjctNiA2YzAgMi4xIDEuMSA0IDIuOSA1LjFsMS43IDF6Ii8+PC9zdmc+"},"displayName":"Respond to Webhook","typeVersion":2,"nodeCategories":[{"id":7,"name":"Utility"},{"id":9,"name":"Core Nodes"}]},{"id":565,"icon":"fa:sticky-note","name":"n8n-nodes-base.stickyNote","codex":{"data":{"alias":["Comments","Notes","Sticky"],"categories":["Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers"]}}},"group":"[\"input\"]","defaults":{"name":"Sticky Note","color":"#FFD233"},"iconData":{"icon":"sticky-note","type":"icon"},"displayName":"Sticky Note","typeVersion":1,"nodeCategories":[{"id":9,"name":"Core Nodes"}]},{"id":834,"icon":"file:code.svg","name":"n8n-nodes-base.code","codex":{"data":{"alias":["cpde","Javascript","JS","Python","Script","Custom Code","Function"],"details":"The Code node allows you to execute JavaScript in your workflow.","resources":{"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/core-nodes/n8n-nodes-base.code/"}]},"categories":["Development","Core Nodes"],"nodeVersion":"1.0","codexVersion":"1.0","subcategories":{"Core Nodes":["Helpers","Data Transformation"]}}},"group":"[\"transform\"]","defaults":{"name":"Code"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB3aWR0aD0iNTEyIiBoZWlnaHQ9IjUxMiIgdmlld0JveD0iMCAwIDUxMiA1MTIiIGZpbGw9Im5vbmUiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CjxnIGNsaXAtcGF0aD0idXJsKCNjbGlwMF8xMTcxXzQ0MSkiPgo8cGF0aCBkPSJNMTcwLjI4MyA0OEgxOTYuNUMyMDMuMTI3IDQ4IDIwOC41IDQyLjYyNzQgMjA4LjUgMzZWMTJDMjA4LjUgNS4zNzI1OCAyMDMuMTI3IDAgMTk2LjUgMEgxNzAuMjgzQzEyNi4xIDAgOTAuMjgzIDM1LjgxNzIgOTAuMjgzIDgwVjE3NkM5MC4yODMgMjA2LjkyOCA2NS4yMTA5IDIzMiAzNC4yODMgMjMySDIzQzE2LjM3MjYgMjMyIDExIDIzNy4zNzIgMTEgMjQ0VjI2OEMxMSAyNzQuNjI3IDE2LjM3MjQgMjgwIDIyLjk5OTYgMjgwTDM0LjI4MyAyODBDNjUuMjEwOSAyODAgOTAuMjgzIDMwNS4wNzIgOTAuMjgzIDMzNlY0NDBDOTAuMjgzIDQ3OS43NjQgMTIyLjUxOCA1MTIgMTYyLjI4MyA1MTJIMTk2LjVDMjAzLjEyNyA1MTIgMjA4LjUgNTA2LjYyNyAyMDguNSA1MDBWNDc2QzIwOC41IDQ2OS4zNzMgMjAzLjEyNyA0NjQgMTk2LjUgNDY0SDE2Mi4yODNDMTQ5LjAyOCA0NjQgMTM4LjI4MyA0NTMuMjU1IDEzOC4yODMgNDQwVjMzNkMxMzguMjgzIDMwOS4wMjIgMTI4LjAxMSAyODQuNDQzIDExMS4xNjQgMjY1Ljk2MUMxMDYuMTA5IDI2MC40MTYgMTA2LjEwOSAyNTEuNTg0IDExMS4xNjQgMjQ2LjAzOUMxMjguMDExIDIyNy41NTcgMTM4LjI4MyAyMDIuOTc4IDEzOC4yODMgMTc2VjgwQzEzOC4yODMgNjIuMzI2OSAxNTIuNjEgNDggMTcwLjI4MyA0OFoiIGZpbGw9IiNGRjk5MjIiLz4KPHBhdGggZD0iTTMwNSAzNkMzMDUgNDIuNjI3NCAzMTAuMzczIDQ4IDMxNyA0OEgzNDIuOTc5QzM2MC42NTIgNDggMzc0Ljk3OCA2Mi4zMjY5IDM3NC45NzggODBWMTc2QzM3NC45NzggMjAyLjk3OCAzODUuMjUxIDIyNy41NTcgNDAyLjA5OCAyNDYuMDM5QzQwNy4xNTMgMjUxLjU4NCA0MDcuMTUzIDI2MC40MTYgNDAyLjA5OCAyNjUuOTYxQzM4NS4yNTEgMjg0LjQ0MyAzNzQuOTc4IDMwOS4wMjIgMzc0Ljk3OCAzMzZWNDMyQzM3NC45NzggNDQ5LjY3MyAzNjAuNjUyIDQ2NCAzNDIuOTc5IDQ2NEgzMTdDMzEwLjM3MyA0NjQgMzA1IDQ2OS4zNzMgMzA1IDQ3NlY1MDBDMzA1IDUwNi42MjcgMzEwLjM3MyA1MTIgMzE3IDUxMkgzNDIuOTc5QzM4Ny4xNjEgNTEyIDQyMi45NzggNDc2LjE4MyA0MjIuOTc4IDQzMlYzMzZDNDIyLjk3OCAzMDUuMDcyIDQ0OC4wNTEgMjgwIDQ3OC45NzkgMjgwSDQ5MEM0OTYuNjI3IDI4MCA1MDIgMjc0LjYyOCA1MDIgMjY4VjI0NEM1MDIgMjM3LjM3MyA0OTYuNjI4IDIzMiA0OTAgMjMyTDQ3OC45NzkgMjMyQzQ0OC4wNTEgMjMyIDQyMi45NzggMjA2LjkyOCA0MjIuOTc4IDE3NlY4MEM0MjIuOTc4IDM1LjgxNzIgMzg3LjE2MSAwIDM0Mi45NzkgMEgzMTdDMzEwLjM3MyAwIDMwNSA1LjM3MjU4IDMwNSAxMlYzNloiIGZpbGw9IiNGRjk5MjIiLz4KPC9nPgo8ZGVmcz4KPGNsaXBQYXRoIGlkPSJjbGlwMF8xMTcxXzQ0MSI+CjxyZWN0IHdpZHRoPSI1MTIiIGhlaWdodD0iNTEyIiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo="},"displayName":"Code","typeVersion":2,"nodeCategories":[{"id":5,"name":"Development"},{"id":9,"name":"Core Nodes"}]},{"id":1119,"icon":"fa:robot","name":"@n8n/n8n-nodes-langchain.agent","codex":{"data":{"alias":["LangChain","Chat","Conversational","Plan and Execute","ReAct","Tools"],"resources":{"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/cluster-nodes/root-nodes/n8n-nodes-langchain.agent/"}]},"categories":["AI","Langchain"],"subcategories":{"AI":["Agents","Root Nodes"]}}},"group":"[\"transform\"]","defaults":{"name":"AI Agent","color":"#404040"},"iconData":{"icon":"robot","type":"icon"},"displayName":"AI Agent","typeVersion":3,"nodeCategories":[{"id":25,"name":"AI"},{"id":26,"name":"Langchain"}]},{"id":1145,"icon":"file:anthropic.svg","name":"@n8n/n8n-nodes-langchain.lmChatAnthropic","codex":{"data":{"alias":["claude","sonnet","opus"],"resources":{"primaryDocumentation":[{"url":"https://docs.n8n.io/integrations/builtin/cluster-nodes/sub-nodes/n8n-nodes-langchain.lmchatanthropic/"}]},"categories":["AI","Langchain"],"subcategories":{"AI":["Language Models","Root Nodes"],"Language Models":["Chat Models (Recommended)"]}}},"group":"[\"transform\"]","defaults":{"name":"Anthropic Chat Model"},"iconData":{"type":"file","fileBuffer":"data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSI0NiIgaGVpZ2h0PSIzMiIgZmlsbD0ibm9uZSI+PHBhdGggZmlsbD0iIzdEN0Q4NyIgZD0iTTMyLjczIDBoLTYuOTQ1TDM4LjQ1IDMyaDYuOTQ1ek0xMi42NjUgMCAwIDMyaDcuMDgybDIuNTktNi43MmgxMy4yNWwyLjU5IDYuNzJoNy4wODJMMTkuOTI5IDB6bS0uNzAyIDE5LjMzNyA0LjMzNC0xMS4yNDYgNC4zMzQgMTEuMjQ2eiIvPjwvc3ZnPg=="},"displayName":"Anthropic Chat Model","typeVersion":1,"nodeCategories":[{"id":25,"name":"AI"},{"id":26,"name":"Langchain"}]}],"categories":[{"id":29,"name":"SecOps"},{"id":49,"name":"AI Summarization"}],"image":[]}}