Workflow of Argus SOAR
Workflows are the part of Argus SOAR where everything comes together. To get started, click the “New workflow” button. A view will pop up asking for a name and (optional) description.
Creating the first workflow
Creating Your First Workflow in Argus SOAR
This guide will walk you through the process of creating your first workflow in Argus SOAR, a Security Orchestration, Automation, and Response (SOAR) platform.
Step 1: Log In and Set Up
- Access the Platform:
- In Argus, go to Menu → Argus SOAR → Workflow.
- Enter your credentials to log in (if required).
- Create a New Workflow:
- Go to the Workflows tab on the main dashboard.
- Click on Create New Workflow to start building your first workflow.
Step 2: Define the Workflow Purpose
- Name Your Workflow:
- Give your workflow a descriptive name, such as “Automated IP Reputation Check.”
- Set the Workflow Trigger:
- Decide what will trigger your workflow. For this example, the trigger could be an IP address being flagged by your SIEM system.
Step 3: Add Nodes to Your Workflow
- Add a Start Node:
- This is the first node in your workflow. It could be set to trigger manually or automatically when specific data (e.g., an IP address) is received.
- Click Add Node and select Start Node. Configure it with a simple action or message to initialize the workflow.
- Add an Action Node:
- For the next node, choose an action such as querying an IP reputation service.
- Click Add Node and select HTTP Request Node.
- Configure the node to perform an HTTP GET request to a service like VirusTotal. You’ll need to input the URL and any necessary headers or parameters.
- Add a Data Parsing Node:
- This node will parse the JSON response from the HTTP request.
- Click Add Node and select JSON Parser Node.
- Configure the node to extract the IP reputation score or any relevant data from the response.
- Add a Conditional Node:
- This node evaluates the data and decides the next step based on predefined conditions.
- Click Add Node and select Conditional Node.
- Set conditions; for example, if the reputation score is above a certain threshold, trigger an alert or remediation action.
Step 4: Set Up a Scheduler
- Add a Scheduler Node:
- If you want the workflow to run periodically, add a Scheduler node.
- Click Add Node and select Scheduler Node.
- Configure the node to execute the workflow at intervals (e.g., every 24 hours).
Step 5: Test and Deploy the Workflow
- Test the Workflow:
- Before deploying, test your workflow to ensure it functions as expected.
- Use sample data to simulate the workflow process and check the outputs.
- Deploy the Workflow:
- Once satisfied, click Save and then Deploy. Your workflow is now active and will run based on the trigger or scheduler configuration.
Getting our IP
To retrieve your public IP address, you can utilize an external service like https://ip.seeip.org/jsonip, which returns your IP in JSON format. For this task, we will employ the HTTP app within Argus SOAR, designed to test connections and integrate various web services. This app supports standard HTTP methods such as GET, POST, PUT, and DELETE, and even allows direct execution of curl commands.
In our workflow, the first node will be connected to both the “First Repeater” and “Get URL” nodes, which can be arranged according to your preference. To add the HTTP app, drag it into the workflow canvas. Then, hover over another node, click the small blue dot, and draw a line to connect them. Once connected, select the “GET” action from the available list.
The GET action requires three parameters, though only the first one is mandatory, as indicated by the orange marking. Paste the desired URL into this field, then save and execute the node.
Parsing the IP from our GET request
Upon successfully executing the HTTP request (via the “Get URL” node) using the URL https://ip.seeip.org/jsonip, the response will return your public IP address in the following format:
{
"ip": "YOUR IP"
}
To extend our use case, we want to take this IP and output a message such as “My IP is 1.2.3.4” when the IP is indeed 1.2.3.4.
Implementation Steps:
- Add a New Node:
- Similar to the previous steps with Node 2, introduce a new node using the “Test” app.
- For this node, select the “Repeat Back to Me” action.
- Incorporating the IP Address:
- This time, we will combine static text with the variable that holds the IP address.
- Use the standard text field for this purpose.
To reference data from the previous node, follow these guidelines:
- Start with the $ Symbol: Indicating a variable reference.
- Reference the Node Name: For example, $Get_URL.
- Access the JSON Data: To retrieve the IP, append .ip to the node reference: $Get_URL.ip.
- Complete the Text: Combine the text with the variable to produce: My IP is $Get_URL.ip.
- Tip: Utilize the dropdown menu feature within Argus SOAR. It will assist in autocompleting the variable references for you, ensuring accuracy and efficiency.
Scheduling the workflow
Scheduling is a crucial component of automation, ensuring that tasks and processes are executed periodically without manual intervention. This is especially important when dealing with systems or services that do not support real-time updates via webhooks. Scheduling allows you to regularly check for updates from various sources, such as ticketing systems, mailboxes, threat intelligence feeds, or any other relevant data streams.
In this context, scheduling will be used to automate the execution of your workflow, allowing it to run at defined intervals and perform actions based on the latest data.
Setting Up a Scheduler in Argus SOAR:
- Add a Scheduler Node:
- Begin by dragging the Scheduler node into your workflow.
- This node can be configured to execute the workflow at specific intervals, such as every hour, daily, or any other frequency that suits your needs.
- Configure the Scheduler:
- Specify the interval or time at which the workflow should run.
- If you need to adjust for time zones or specific business hours, ensure these settings are configured appropriately.
- Connect the Scheduler to Your Workflow:
- Link the Scheduler node to the starting node of your workflow, ensuring that it triggers the entire sequence at the scheduled times.
- Test the Scheduling:
- Before deploying, test the scheduler by setting a short interval and monitoring the workflow’s execution.
- Verify that the workflow triggers as expected and processes the data correctly.
Triggers in the Execution View
Within Argus SOAR, triggers are events or conditions that initiate the execution of a workflow. In the execution view, you can monitor and manage these triggers to ensure they are functioning as intended.
- Types of Triggers:
- Manual Triggers: Activated by user action, such as clicking a button.
- Automated Triggers: Initiated by external events, such as receiving an alert from a SIEM system.
- Scheduled Triggers: As discussed, these are set up through the Scheduler node and run at predefined intervals.
- Monitoring Triggers:
- In the execution view, you can observe when and how triggers are activated.
- This view allows you to track the workflow’s performance, diagnose issues, and make adjustments as needed.
- Optimizing Triggers:
- Ensure that triggers are configured to match your operational needs, whether for real-time response or periodic checks.
- Regularly review the execution view to fine-tune your workflows and optimize automation performance.
Adding a trigger
To initiate workflows automatically, Argus SOAR provides several trigger options. Here’s how to add and configure a trigger:
Finding and Adding Triggers:
- Locate the Triggers Button:
- On the left-hand side of the Argus SOAR interface, below the apps section, you’ll find the “Triggers” button. Click on this to reveal the available triggers.
- Available Trigger Types:
- Webhook: Executes the workflow in real-time when an external event occurs, such as receiving data from TheHive.
- Argus SOAR Workflow: Allows you to execute another workflow within Argus SOAR, enabling complex chaining of workflows.
- User Input: Pauses the workflow execution until a user manually continues it, useful for processes that require human verification or decision-making.
- Schedule: Automates the workflow to run at specified intervals or times, ideal for periodic checks and updates.
- Email: Triggers the workflow when an email is received in a designated mailbox, useful for automating responses to specific email communications.
- Adding and Connecting Triggers:
- Triggers, like apps, are draggable. Drag your desired trigger into the workflow editor.
- The schedule trigger, when dragged into the editor, will automatically connect to the starting node, as this is typically where the execution begins. You can modify this connection later if you want the trigger to start a different part of the workflow.
Configuring the Schedule Trigger:
- Set the Interval:
- With the schedule node selected, you need to configure two parameters: the interval (time between executions, in seconds) and the execution argument.
- For example, an interval of 5 will run the workflow every 5 seconds.
- Utilize the Execution Argument:
- The “Execution argument” field is located next to the large play button in the editor. Any value placed here becomes accessible to all nodes in the workflow through the $exec variable.
- For instance, you can enter the following JSON object to pass a URL to the workflow: {"url": "https://ip.seeip.org/jsonip"}.
- This URL can then be referenced in the “Get_URL” node, defining the endpoint for the HTTP GET request.
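The $-reference rules from the “Parsing the IP” section and the $exec execution argument described here, modelled as an added example of how a node's text field gets resolved. This is illustrative Python written for this page, not Argus SOAR's own code; the sample address 1.2.3.4, the stored node result strings and the function names are assumptions.

```python
import json
import re

# Constructed sample workflow state (not Argus SOAR's internal representation):
# the execution argument set on the schedule trigger and the raw body the
# "Get_URL" HTTP node returned. 1.2.3.4 is a placeholder address.
EXEC_ARGUMENT = '{"url": "https://ip.seeip.org/jsonip"}'
NODE_RESULTS = {
    "Get_URL": '{"ip": "1.2.3.4"}',
}

# Matches $Node_Name or $exec, optionally followed by a dotted key path
# such as $Get_URL.ip or $exec.url. A trailing "." with no key is not consumed.
REF_PATTERN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)((?:\.[A-Za-z_][A-Za-z0-9_]*)*)")


def lookup(name, path, exec_argument, node_results):
    """Resolve one reference. A misspelled node name or a key missing from the
    JSON raises KeyError so the mistake fails loudly instead of emitting text."""
    raw = exec_argument if name == "exec" else node_results[name]
    try:
        value = json.loads(raw)
    except json.JSONDecodeError:
        value = raw  # node returned plain text rather than JSON
    for key in (path.lstrip(".").split(".") if path else []):
        if not isinstance(value, dict):
            raise KeyError(f"${name}{path}: {key!r} is not a key of a JSON object")
        value = value[key]
    # Whole objects are re-serialised; strings are inserted as-is
    return value if isinstance(value, str) else json.dumps(value)


def render(template, exec_argument=EXEC_ARGUMENT, node_results=NODE_RESULTS):
    """Replace every $-reference in a node's text field with its resolved value."""
    def substitute(match):
        return lookup(match.group(1), match.group(2), exec_argument, node_results)
    return REF_PATTERN.sub(substitute, template)


if __name__ == "__main__":
    # The "Repeat Back to Me" text from the tutorial
    print(render("My IP is $Get_URL.ip"))
    # The URL the Get_URL node would read from the execution argument
    print(render("$exec.url"))
```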
Example Implementation:
- Scheduling in Action:
- By setting the interval to 5, the workflow is configured to execute every 5 seconds, continuously fetching and processing the IP address from the specified URL.
- This setup demonstrates how scheduling can be used to automate regular tasks, ensuring that workflows run consistently without manual intervention.