tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197
							{
  "workflow_as_code": false,
  "actions": [
    {
      "app_name": "Shuffle Tools",
      "app_version": "1.2.0",
      "description": "Accept payload input from workflow execute API (soc-integrator).",
      "app_id": "0671c57b-3af6-43f7-9501-b2f916c127c8",
      "errors": [],
      "id": "f3f0f67c-a63f-4b18-b8be-25128f30f5ec",
      "is_valid": true,
      "isStartNode": true,
      "sharing": true,
      "label": "Input Trigger (SOC Integrator Payload)",
      "public": true,
      "generated": false,
      "large_image": "",
      "environment": "Shuffle",
      "name": "repeat_back_to_me",
      "parameters": [
        {
          "name": "call",
          "value": "{\"event_id\":\"evt-001\",\"source\":\"soc-integrator\",\"severity\":\"high\",\"title\":\"Suspicious event\",\"description\":\"Detected by SOC rule\",\"integrator_url\":\"http://soc-integrator:8080\",\"internal_key\":\"\"}",
          "description": "JSON payload string from soc-integrator.",
          "required": false,
          "multiline": true,
          "multiselect": false,
          "options": null,
          "action_field": "",
          "variant": "",
          "configuration": false,
          "tags": null,
          "schema": {
            "type": ""
          },
          "skip_multicheck": false,
          "value_replace": null,
          "unique_toggled": false,
          "error": "",
          "hidden": false
        }
      ],
      "execution_variable": {
        "description": "",
        "id": "",
        "name": "",
        "value": ""
      },
      "position": {
        "x": 100,
        "y": 120
      },
      "authentication_id": "",
      "category": "",
      "reference_url": "",
      "sub_action": false,
      "run_magic_output": false,
      "run_magic_input": false,
      "execution_delay": 0,
      "category_label": null,
      "suggestion": false,
      "parent_controlled": false,
      "source_workflow": "",
      "source_execution": ""
    },
    {
      "app_name": "Shuffle Tools",
      "app_version": "1.2.0",
      "description": "Condition check + create IRIS ticket through soc-integrator when matched.",
      "app_id": "0671c57b-3af6-43f7-9501-b2f916c127c8",
      "errors": [],
      "id": "b6dce5f3-0315-4e93-a1a2-9cc4e3f6fb8f",
      "is_valid": true,
      "isStartNode": false,
      "sharing": true,
      "label": "Condition Match + Create IRIS Ticket",
      "public": true,
      "generated": false,
      "large_image": "",
      "environment": "Shuffle",
      "name": "execute_python",
      "parameters": [
        {
          "name": "code",
          "value": "import json\\nimport requests\\n\\nraw = str(\"{{actions.f3f0f67c-a63f-4b18-b8be-25128f30f5ec.call}}\" or \"\").strip()\\npayload_in = {}\\nif raw:\\n  try:\\n    payload_in = json.loads(raw)\\n  except Exception:\\n    # If not valid JSON, keep backward compatibility with key=value text.\\n    payload_in = {}\\n\\nevent_id = str(payload_in.get(\"event_id\", \"\")).strip()\\nsource = str(payload_in.get(\"source\", \"\")).strip().lower()\\nseverity = str(payload_in.get(\"severity\", \"\")).strip().lower()\\ntitle = str(payload_in.get(\"title\", \"SOC alert\")).strip()\\ndescription = str(payload_in.get(\"description\", \"\")).strip()\\nintegrator_url = str(payload_in.get(\"integrator_url\", \"http://soc-integrator:8080\")).strip().rstrip(\"/\")\\ninternal_key = str(payload_in.get(\"internal_key\", \"\")).strip()\\n\\nmatch_source = source in {\"soc-integrator\", \"wazuh\", \"fortigate\"}\\nmatch_severity = severity in {\"high\", \"critical\"}\\nmatched = match_source and match_severity\\n\\nresult = {\\n  \"matched\": matched,\\n  \"event_id\": event_id,\\n  \"source\": source,\\n  \"severity\": severity,\\n  \"condition\": \"(source in [soc-integrator,wazuh,fortigate]) AND (severity in [high,critical])\"\\n}\\n\\nif not matched:\\n  result[\"status\"] = \"skipped\"\\n  print(json.dumps(result))\\n  raise SystemExit(0)\\n\\nendpoint = f\"{integrator_url}/action/create-iris-case\"\\n\\npayload = {\\n  \"title\": title,\\n  \"severity\": severity,\\n  \"source\": source,\\n  \"event_id\": event_id,\\n  \"payload\": {\\n    \"description\": description\\n  }\\n}\\n\\nheaders = {\"Content-Type\": \"application/json\"}\\nif internal_key:\\n  headers[\"X-Internal-Key\"] = internal_key\\n\\nresp = requests.post(endpoint, json=payload, headers=headers, timeout=20, verify=False)\\nresult[\"status\"] = \"ticket_create_called\"\\nresult[\"endpoint\"] = endpoint\\nresult[\"http_status\"] = resp.status_code\\ntry:\\n  result[\"response\"] = resp.json()\\nexcept Exception:\\n  result[\"response_text\"] = resp.text[:1200]\\n\\nprint(json.dumps(result))",
          "description": "Parses input JSON and creates IRIS case if matched.",
          "required": true,
          "multiline": true,
          "multiselect": false,
          "options": null,
          "action_field": "",
          "variant": "",
          "configuration": false,
          "tags": null,
          "schema": {
            "type": ""
          },
          "skip_multicheck": false,
          "value_replace": null,
          "unique_toggled": false,
          "error": "",
          "hidden": false
        }
      ],
      "execution_variable": {
        "description": "",
        "id": "",
        "name": "",
        "value": ""
      },
      "position": {
        "x": 460,
        "y": 120
      },
      "authentication_id": "",
      "category": "",
      "reference_url": "",
      "sub_action": false,
      "run_magic_output": false,
      "run_magic_input": false,
      "execution_delay": 0,
      "category_label": null,
      "suggestion": false,
      "parent_controlled": false,
      "source_workflow": "",
      "source_execution": ""
    }
  ],
  "branches": [
    {
      "id": "branch-webhook-to-condition",
      "source": "f3f0f67c-a63f-4b18-b8be-25128f30f5ec",
      "destination": "b6dce5f3-0315-4e93-a1a2-9cc4e3f6fb8f",
      "success": true,
      "label": ""
    }
  ],
  "visual_branches": null,
  "triggers": [],
  "comments": [],
  "configuration": {
    "exit_on_error": false,
    "start_from_top": false,
    "skip_notifications": false
  },
  "created": 1772102400,
  "edited": 1772102400,
  "last_runtime": 0,
  "due_date": 0,
  "id": "6f8d2c8a-6c42-4bc7-9f33-f3e8b42b0b80",
  "is_valid": true,
  "name": "Sample - Webhook from soc-integrator to IRIS Ticket",
  "description": "Receives webhook payload, checks source/severity condition, and creates IRIS ticket via soc-integrator when matched.",
  "start": "f3f0f67c-a63f-4b18-b8be-25128f30f5ec",
  "owner": "root",
  "sharing": "private",
  "org_id": "",
  "workflow_variables": null,
  "execution_environment": "",
  "previously_saved": true,
  "categories": {
    "cases": {
      "name": "cases",
      "count": 0,
      "id": "",
      "description": "",
      "large_image": ""
    }
  },
  "example_argument": "",
  "public": false,
  "default_return_value": "",
  "contact_info": {
    "name": "",
    "url": ""
  },
  "published_id": "",
  "revision_id": "",
  "usecase_ids": null,
  "input_questions": null,
  "form_control": {
    "input_markdown": "",
    "output_yields": null,
    "cleanup_actions": null,
    "form_width": 0
  },
  "blogpost": "",
  "video": "",
  "status": "test",
  "workflow_type": "",
  "generated": false,
  "hidden": false,
  "background_processing": false,
  "updated_by": "root",
  "validated": false
}