Página Inicial Explorar Ajuda
Entrar
tum
/
soc
Observar 1
Favorito 0
Fork 0
Código Problemas 0 Pull Requests 0 Commits 34 Versões 0 Wiki

Nenhuma Descrição

Árvore: 05333224a3
Branches Tags
soc
/
shuffle-work...
/
sample-webho...

sample-webhook-soc-integrator-iris-workflow.md 2.3KB
Histórico Cru

Sample Workflow: Input Trigger -> Condition -> IRIS Ticket

Workflow file:

  • shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json

Purpose

Accept payload data from soc-integrator, evaluate a condition, and create a new IRIS ticket when matched.

Note: In your current environment, Shuffle Tools 1.2.0 does not include the webhook action. This sample uses a supported start node (repeat_back_to_me) and should be triggered via POST /api/v1/workflows/{id}/execute.

Condition in sample:

  • source in ["soc-integrator", "wazuh", "fortigate"]
  • severity in ["high", "critical"]

If condition is not matched, workflow exits without ticket creation.

Import into Shuffle

  1. Open Shuffle UI.
  2. Go to Workflows.
  3. Import workflow JSON:
    • shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json
  4. Save and open the workflow.
  5. Keep the workflow ID for execute API calls.

Update Existing Workflow By ID

To update an already-created workflow (for example 0b2c5b48-0e02-49a3-8e12-2bc892ac15f9) with this template:

SHUFFLE_BASE_URL="http://localhost:5001" \
SHUFFLE_API_KEY="<YOUR_API_KEY>" \
scripts/update-shuffle-workflow-from-template.sh \
0b2c5b48-0e02-49a3-8e12-2bc892ac15f9 \
shuffle-workflows/sample-webhook-soc-integrator-iris-workflow.json

Then open:

  • http://localhost:3001/workflows/0b2c5b48-0e02-49a3-8e12-2bc892ac15f9

Test Execute Payload

curl -sS -X POST "http://localhost:5001/api/v1/workflows/<WORKFLOW_ID>/execute" \
  -H "Authorization: Bearer <SHUFFLE_API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "execution_argument": "{\"event_id\":\"evt-001\",\"source\":\"soc-integrator\",\"severity\":\"high\",\"title\":\"Suspicious VPN login outside Thailand\",\"description\":\"Detected by SOC Integrator rule A3-05\",\"integrator_url\":\"http://soc-integrator:8080\",\"internal_key\":\"\"}"
  }'

soc-integrator Endpoint Used

The sample uses:

  • POST /action/create-iris-case

Base URL is supplied from webhook payload field integrator_url (default in workflow: http://soc-integrator:8080).

Notes

  • If your soc-integrator route is protected, pass internal_key and ensure backend expects X-Internal-Key.
  • You can tighten/replace the match condition by editing the Python code in action Condition Match + Create IRIS Ticket.