Workflows (SOAR)
Declarative runbooks that turn detections into actions: enrich, decide, act.
What it is
Workflows is a SOAR engine. Subscribe to a Shield event (WAF block, ATO detection, DSPM finding), enrich with Threat Intel or your own data, decide via a policy or LLM, then act (block IP, rotate a key, page on-call, file a ticket).
When to use it
- Auto-block IPs that trigger 3 WAF blocks in 5 minutes.
- On a DSPM 'PII in dev DB' finding, file a Jira and page security.
- On account-takeover detection, force a password reset.
Quickstart
asc shield workflows create auto-block --trigger waf.block --action 'shield.waf.rules.add({expression:"ip.src eq $event.ip",action:"block",ttl:"1h"})'client.shield.workflows.create(name='auto-block', trigger='waf.block', steps=[...])await client.shield.workflows.create({ name: 'auto-block', trigger: 'waf.block', steps: [...] });Limits & quotas
| Limit | Default | Burst | Notes |
|---|---|---|---|
| Workflows per project | 100 | 1,000 | |
| Step duration | 60 s | — | Per step |
| Audit retention | 365 days | — |
Pricing
See pricing. Pay-as-you-go, billed monthly via Stripe.
API surface
POST /v1/shield/workflowsGET /v1/shield/workflows/{id}/runs
Required scope(s): shield:write. See Scopes.
Security
All access is authenticated and scoped. See Auth & scopes and Network controls.