AIARCOASC Docs

Workflows (SOAR)

Declarative runbooks that turn detections into actions: enrich, decide, act.

What it is

Workflows is a SOAR engine. Subscribe to a Shield event (WAF block, ATO detection, DSPM finding), enrich with Threat Intel or your own data, decide via a policy or LLM, then act (block IP, rotate a key, page on-call, file a ticket).

When to use it

  • Auto-block IPs that trigger 3 WAF blocks in 5 minutes.
  • On a DSPM 'PII in dev DB' finding, file a Jira and page security.
  • On account-takeover detection, force a password reset.

Quickstart

asc shield workflows create auto-block --trigger waf.block --action 'shield.waf.rules.add({expression:"ip.src eq $event.ip",action:"block",ttl:"1h"})'
client.shield.workflows.create(name='auto-block', trigger='waf.block', steps=[...])
await client.shield.workflows.create({ name: 'auto-block', trigger: 'waf.block', steps: [...] });

Limits & quotas

LimitDefaultBurstNotes
Workflows per project1001,000
Step duration60 sPer step
Audit retention365 days

Pricing

See pricing. Pay-as-you-go, billed monthly via Stripe.

API surface

  • POST /v1/shield/workflows
  • GET /v1/shield/workflows/{id}/runs

Required scope(s): shield:write. See Scopes.

Security

All access is authenticated and scoped. See Auth & scopes and Network controls.