This Torq workflow template provides a comprehensive solution for responding to network policy violation alerts received from Armis. When an alert is triggered, the workflow processes it sequentially by identifying the source and destination involved in the violation. It gathers detailed information on the source, including the logged-in user, traffic data, and vulnerabilities, and checks the destination IP against VirusTotal for known detections. Once this data is collected, a new issue is created in Jira to facilitate investigation and response. The workflow then attempts to notify the implicated user through Slack if their information is available; otherwise, a notification is sent to a specified Slack channel for broader awareness. This approach ensures prompt action can be taken to rectify the security violation and mitigate risk.
Trigger
Armis
Optional Triggers
Webhook
Use Cases
Remediate Network Security Alerts
Workflow Breakdown
Receive a Network Policy Violation alert from Armis
Loop over Sources and Destinations in the alert
For the Source - gather the logged-in user, traffic information and vulnerabilities of the Source
For the Destination - look up the IP in VirusTotal
Create an issue in Jira with all of the information gathered
If the user is found in Slack, send a message to the user; otherwise send to the defined Slack channel
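The steps above, as an added example that is not part of the Torq template: the alert shape, the lookup callables standing in for Armis, VirusTotal and Slack, and the Jira/Slack payload fields are all assumptions constructed here so the routing logic (DM the user when resolvable, otherwise fall back to the channel) can be run offline.

```python
from typing import Optional

# Constructed sample alert; the field names are an assumption, not Armis's schema.
SAMPLE_ALERT = {
    "alert_id": "A-1001",
    "policy": "IoT devices must not reach the Internet",
    "sources": [{"ip": "10.0.5.23", "device_id": "dev-42"}],
    "destinations": [{"ip": "203.0.113.7"}],
}

# Constructed in-memory stand-ins for the Armis, VirusTotal and Slack lookups.
SAMPLE_DEPS = {
    "user": lambda dev: {"dev-42": {"name": "alice", "email": "alice@example.com"}}.get(dev),
    "traffic": lambda ip: {"10.0.5.23": {"bytes_out": 5_000_000}}.get(ip, {}),
    "vulns": lambda dev: {"dev-42": ["outdated-firmware"]}.get(dev, []),
    "vt": lambda ip: {"203.0.113.7": {"malicious": 12}}.get(ip, {"malicious": 0}),
    "slack_user": lambda email: {"alice@example.com": "U123"}.get(email),
}

def enrich_source(src: dict, deps: dict) -> dict:
    """Attach the logged-in user, traffic summary and vulnerabilities to a source."""
    user, vulns = deps["user"](src["device_id"]), deps["vulns"](src["device_id"])
    return {**src, "user": user, "traffic": deps["traffic"](src["ip"]), "vulnerabilities": vulns}

def enrich_destination(dst: dict, deps: dict) -> dict:
    """Attach the VirusTotal detection count for the destination IP."""
    return {**dst, "virustotal": deps["vt"](dst["ip"])}

def build_jira_issue(alert: dict, sources: list, destinations: list) -> dict:
    """Fold everything gathered into the fields of one Jira issue."""
    lines = [f"Armis alert {alert['alert_id']}: {alert['policy']}"]
    lines += [f"Source {s['ip']} user={s['user']} vulns={s['vulnerabilities']}" for s in sources]
    lines += [f"Destination {d['ip']} VT malicious={d['virustotal']['malicious']}" for d in destinations]
    flagged = [d["ip"] for d in destinations if d["virustotal"]["malicious"] > 0]
    return {"summary": f"Network policy violation {alert['alert_id']}",
            "description": "\n".join(lines), "flagged_destinations": flagged}

def route_notification(user: Optional[dict], deps: dict, fallback_channel: str) -> dict:
    """DM the implicated user when Slack can resolve them, otherwise post to the channel."""
    slack_id = deps["slack_user"](user["email"]) if user and user.get("email") else None
    if slack_id:
        return {"kind": "user", "target": slack_id}
    return {"kind": "channel", "target": fallback_channel}

def handle_alert(alert: dict, deps: dict, fallback_channel: str = "#security-alerts") -> dict:
    """Run the template's steps in order: enrich, open the ticket, then notify."""
    sources = [enrich_source(s, deps) for s in alert["sources"]]
    destinations = [enrich_destination(d, deps) for d in alert["destinations"]]
    issue = build_jira_issue(alert, sources, destinations)
    user = next((s["user"] for s in sources if s["user"]), None)
    return {"issue": issue, "notification": route_notification(user, deps, fallback_channel)}
```

Swapping the lambdas in `SAMPLE_DEPS` for real Armis, VirusTotal and Slack calls is the only change needed to move from the constructed data to live integrations.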
Vendors
Slack, Scripting, Utils, VirusTotal, Jira Cloud, Armis
Workflow Output
Success - Slack message and Jira issue created
Tips
Modify the first Set Workflow Variables step to match your integration names and Jira details