AI Sentinel performs a comprehensive security analysis of a Windows machine using Claude AI as the analysis engine. It collects host data via PowerShell and sends it to Claude for threat analysis across 5 phases:
- Event Log Analysis — Critical Windows Event IDs (logon failures, new services, log clearing, scheduled task creation, etc.)
- Process Behavioral Analysis — LOLBin detection, unsigned processes, fileless malware indicators
- Network & Persistence Analysis — External connections, suspicious ports, registry run keys, scheduled tasks, services
- AI Malware Behavioral Scan — Pattern-based malware detection with MITRE ATT&CK TTP mapping
- Threat Summary — Executive report with prioritized remediation steps
collect.ps1— PowerShell data collection script (run on the target machine)sentinel_dashboard.html— AI analysis dashboard (run in any browser)
Open PowerShell as Administrator on the machine you want to analyze:
Set-ExecutionPolicy Bypass -Scope Process
cd "path\to\ai_sentinel"
.\collect.ps1This generates sentinel_data.json in the same directory.
Collection takes ~1-2 minutes depending on event volume.
Optional parameters:
.\collect.ps1 -EventHours 48 -OutputFile "my_scan.json"- Open
sentinel_dashboard.htmlin a browser (Chrome recommended) - Enter your Claude API key (
sk-ant-api03-...) - Optionally describe your environment (helps AI understand what's normal)
- Load the
sentinel_data.jsonfile - Click INITIALIZE THREAT ANALYSIS
Analysis takes 2-3 minutes (5 API calls).
- Windows Event Logs (Security, System, Application, PowerShell, Defender)
- Running processes (signatures, paths, LOLBin detection)
- TCP/UDP network connections
- DNS cache (beacon detection)
- Registry Run keys
- Scheduled tasks
- Windows services
- Startup folder items
- Recent executables in high-risk filesystem paths
- Local users and admins
- System information (OS, Defender status, firewall)
- All data goes to Anthropic's Claude API for analysis
- Nothing is stored permanently; API calls are stateless
- No data is sent anywhere else
- The script is read-only; it never modifies anything on the target machine
- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1+
- Administrator privileges
- Claude API key (https://console.anthropic.com)
- Modern browser (Chrome, Edge, Firefox)
Get a Claude API key at https://console.anthropic.com The key is entered in the dashboard — it never leaves your browser except for API calls.
- Not a replacement for a real EDR/SIEM
- Analysis quality depends on what data was collected
- Some data collection requires admin rights; partial data is collected if run as standard user
- DNS cache beacon detection requires manual review of flagged domains
- File hash lookup against threat intel feeds (VirusTotal) not included by default