Detected RDP session from Server to External IP (Armis) - Workflow Template

Receive an event from Armis on a Network Policy Violation, lookup source/destination/user information and open Jira ticket and alert user.

Updated over a week ago

This Torq workflow template provides a comprehensive solution for responding to network policy violation alerts received from Armis. When an alert is triggered, the workflow sequentially processes it by identifying the source and destination involved in the breach. It gathers detailed information on the source, including user data, traffic, and vulnerabilities, as well as checking the destination IP against VirusTotal for any known issues. Upon collecting this data, a new issue is created in Jira to facilitate investigation and response. Additionally, the workflow attempts to notify the implicated user through Slack if their information is available; otherwise, a notification is sent to a specified Slack channel for broader awareness. This approach ensures prompt action can be taken to rectify the security violation and mitigate risks.

Trigger

Armis

Optional Triggers

Webhook

Use Cases

Remediate Network Security Alerts

Workflow Breakdown

  1. Receive a Network Policy Violation alert from Armis

  2. Loop over Sources and Destinations in the alert

  3. For the Source, gather the logged-in user, traffic information and vulnerabilities of the Source

  4. For the Destination, look up the IP in VirusTotal

  5. Create an issue in Jira with all of the information gathered

  6. If the user is found in Slack, send a message to the user; otherwise send to the defined Slack channel
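The six steps above, worked through as an added stand-alone example (not Torq's, Armis's or any vendor's code). The alert shape, the enrichment lookup tables standing in for the Armis, VirusTotal and Slack calls, the Jira project key and the fallback channel are all constructed assumptions; the point is the shape of the loop, the per-source enrichment, the issue payload and the user-or-channel routing decision in step 6.

```python
"""Added example of the workflow breakdown; every data source here is a
constructed stand-in for an integration call, not a real API."""

# Constructed sample alert; the field names are assumptions, not Armis's schema.
SAMPLE_ALERT = {
    "type": "Network Policy Violation",
    "policy": "No RDP from servers to external IPs",
    "sources": [{"ip": "10.0.5.12", "device": "FILESRV01"}],
    "destinations": [{"ip": "198.51.100.23", "port": 3389}],
}

# Constructed enrichment tables standing in for Armis, VirusTotal and Slack lookups.
LOGGED_IN_USER = {"10.0.5.12": "alice"}
TRAFFIC = {"10.0.5.12": {"bytes_out": 48_213_000, "sessions": 3}}
VULNS = {"10.0.5.12": ["VULN-PLACEHOLDER-1"]}
VT_MALICIOUS = {"198.51.100.23": 7}          # vendor detections per IP
SLACK_USERS = {"alice": "U0000ALICE"}        # username -> Slack user id
DEFAULT_CHANNEL = "#security-alerts"         # assumed fallback channel (step 6)


def enrich_source(src: dict) -> dict:
    """Step 3: gather logged-in user, traffic and vulnerability data for a source."""
    ip = src["ip"]
    return {
        "ip": ip,
        "device": src.get("device", "unknown"),
        "user": LOGGED_IN_USER.get(ip),        # None when nobody is logged in
        "traffic": TRAFFIC.get(ip, {}),
        "vulnerabilities": VULNS.get(ip, []),
    }


def lookup_destination(dst: dict) -> dict:
    """Step 4: check the destination IP for known detections (VirusTotal stand-in)."""
    ip = dst["ip"]
    return {"ip": ip, "port": dst.get("port"),
            "malicious_detections": VT_MALICIOUS.get(ip, 0)}


def build_jira_issue(alert: dict, sources: list, destinations: list) -> dict:
    """Step 5: assemble one Jira issue payload from everything gathered."""
    lines = [f"Policy: {alert['policy']}"]
    for s in sources:
        lines.append(
            f"Source {s['ip']} ({s['device']}) user={s['user'] or 'n/a'} "
            f"traffic={s['traffic']} vulns={', '.join(s['vulnerabilities']) or 'none'}"
        )
    for d in destinations:
        lines.append(
            f"Destination {d['ip']}:{d['port']} VT detections={d['malicious_detections']}"
        )
    return {
        "project": "SEC",   # assumed project key; the real template reads it from workflow variables
        "summary": f"{alert['type']}: {alert['policy']}",
        "description": "\n".join(lines),
    }


def route_notification(user):
    """Step 6: DM the user if they resolve in Slack, else post to the fallback channel."""
    slack_id = SLACK_USERS.get(user) if user else None
    return ("dm", slack_id) if slack_id else ("channel", DEFAULT_CHANNEL)


def process_alert(alert: dict) -> dict:
    """Steps 1-6 end to end; returns the payloads the real workflow would send."""
    sources = [enrich_source(s) for s in alert["sources"]]            # step 2 loop
    destinations = [lookup_destination(d) for d in alert["destinations"]]
    issue = build_jira_issue(alert, sources, destinations)
    notifications = [route_notification(s["user"]) for s in sources]
    return {"jira": issue, "notifications": notifications}


if __name__ == "__main__":
    import json
    print(json.dumps(process_alert(SAMPLE_ALERT), indent=2))
```

The routing helper is where the "otherwise" branch of step 6 lives: a source with no logged-in user, or a user that Slack cannot resolve, both fall through to the channel rather than silently dropping the notification.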

Vendors

Slack, Scripting, Utils, VirusTotal, Jira Cloud, Armis

Workflow Output

Success - Slack message and Jira issue created

Tips

Modify the first Set Workflow Variables step to match your integration names and Jira details.
