# Sample Workflow: Input Trigger -> Condition -> IRIS Ticket

Workflow file:

- `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`

## Purpose

Accept payload data from `soc-integrator`, evaluate a condition, and create a new IRIS ticket when matched.

Note: In your current environment, `Shuffle Tools 1.2.0` does not include the `webhook` action. This sample uses a supported start node (`repeat_back_to_me`) and should be triggered via `POST /api/v1/workflows/{id}/execute`.

Condition in sample:

- `source` in `["soc-integrator", "wazuh", "fortigate"]`
- `severity` in `["high", "critical"]`

If condition is not matched, workflow exits without ticket creation.

## Import into Shuffle

1. Open Shuffle UI.
2. Go to Workflows.
3. Import workflow JSON:
   - `shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json`
4. Save and open the workflow.
5. Keep the workflow ID for execute API calls.

## Update Existing Workflow By ID

To update an already-created workflow (for example `0b2c5b48-0e02-49a3-8e12-2bc892ac15f9`) with this template:

```bash
SHUFFLE_BASE_URL="http://localhost:5001" \
SHUFFLE_API_KEY="" \
scripts/update-shuffle-workflow-from-template.sh \
  0b2c5b48-0e02-49a3-8e12-2bc892ac15f9 \
  shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json
```

Then open:

- `http://localhost:3001/workflows/0b2c5b48-0e02-49a3-8e12-2bc892ac15f9`

## Test Execute Payload

```bash
curl -sS -X POST "http://localhost:5001/api/v1/workflows//execute" \
  -H "Authorization: Bearer " \
  -H "Content-Type: application/json" \
  -d '{
    "execution_argument": "{\"event_id\":\"evt-001\",\"source\":\"soc-integrator\",\"severity\":\"high\",\"title\":\"Suspicious VPN login outside Thailand\",\"description\":\"Detected by SOC Integrator rule A3-05\",\"integrator_url\":\"http://soc-integrator:8080\",\"internal_key\":\"\"}"
  }'
```

## soc-integrator Endpoint Used

The sample uses:

- `POST /action/create-iris-case`

Base URL is supplied from webhook payload field `integrator_url` (default in workflow: `http://soc-integrator:8080`).

## Notes

- If your `soc-integrator` route is protected, pass `internal_key` and ensure backend expects `X-Internal-Key`.
- You can tighten/replace the match condition by editing the Python code in action `Condition Match + Create IRIS Ticket`.
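
An added example, not the code shipped in the workflow JSON: one way the Python in `Condition Match + Create IRIS Ticket` could be tightened. It type-checks `source` and `severity` and, because the base URL comes from the payload, accepts an `integrator_url` only if it is on a fixed allowlist. The name `plan_ticket`, the allowlist contents and the returned dict shape are assumptions; the request body for `/action/create-iris-case` is not shown on this page and is left out.

```python
import json

ALLOWED_SOURCES = {"soc-integrator", "wazuh", "fortigate"}
ALLOWED_SEVERITIES = {"high", "critical"}
DEFAULT_INTEGRATOR_URL = "http://soc-integrator:8080"
# Assumption: only the workflow's default base URL is trusted as a target.
ALLOWED_INTEGRATOR_URLS = {DEFAULT_INTEGRATOR_URL}
CREATE_CASE_PATH = "/action/create-iris-case"


def _reject(reason):
    return {"matched": False, "reason": reason}


def plan_ticket(execution_argument):
    """Decide whether to create a ticket and where to send it. No network I/O."""
    try:
        event = json.loads(execution_argument)
    except (TypeError, ValueError):
        return _reject("invalid_json")
    if not isinstance(event, dict):
        return _reject("not_an_object")

    source, severity = event.get("source"), event.get("severity")
    # Non-string values (lists, dicts) would raise on set membership, so
    # they are treated as a non-match instead of crashing the action.
    if not isinstance(source, str) or not isinstance(severity, str):
        return _reject("condition_not_matched")
    if source not in ALLOWED_SOURCES or severity not in ALLOWED_SEVERITIES:
        return _reject("condition_not_matched")

    # The payload chooses the target host; pin it to known values so a
    # crafted payload cannot redirect the request (and X-Internal-Key).
    base = event.get("integrator_url") or DEFAULT_INTEGRATOR_URL
    if not isinstance(base, str) or base.rstrip("/") not in ALLOWED_INTEGRATOR_URLS:
        return _reject("integrator_url_not_allowed")

    headers = {"Content-Type": "application/json"}
    key = event.get("internal_key")
    if isinstance(key, str) and key:
        headers["X-Internal-Key"] = key  # only sent to an allowlisted host

    return {"matched": True, "reason": "ok", "method": "POST",
            "url": base.rstrip("/") + CREATE_CASE_PATH, "headers": headers}
```
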