Built-in Workflow Examples
Energy SOAR ships with ready-to-use n8n workflows. They are pre-installed during setup and immediately available in the Workflows list.
Analyze observables — GeoIP
File: Analyze_observables_GeoIP.json
Runs the GeoIP analyzer on all IP-type observables in open cases and raises the case severity when the source country matches a configured threshold.
Nodes:
Cron — triggers on a schedule.
Get cases — fetches open cases from Energy SOAR Base.
Get observables — fetches observables from each case.
Filter public IPs — IF node; skips private address ranges.
GeoIP — submits the IP to the Automation GeoIP analyzer.
Wait 10s — pauses execution while the analyzer job runs.
Get GeoIP Report — polls Automation for the completed job result.
IF country=China — example threshold; adjust to match your threat model.
Severity=high — updates the case severity in Energy SOAR Base.
Add observable tag — tags the observable with the resolved country name.
Customise the IF country node condition to match the countries relevant to your environment.
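The two decisions this workflow makes, skipping non-public addresses and comparing the resolved country against a watchlist, are shown below as plain functions in the style of an n8n Function node. This is an added example, not code from the Analyze_observables_GeoIP.json workflow; the observable shape (dataType/data), the GeoIP report shape (country) and the sample values are constructed assumptions. The private-range check also covers the same "Filter public IPs" step used by the Analyze web scan observables workflow.

```javascript
// Added example, not the workflow's own node code. Field names and
// sample values are constructed.

// Parse a dotted-quad IPv4 string into four octets; null if invalid.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip).trim());
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// True for addresses a public GeoIP lookup cannot place: RFC 1918 private
// ranges, loopback, link-local, the unspecified block and CGNAT (100.64/10).
// Anything that does not parse as IPv4 is also treated as non-public so a
// malformed observable is never sent to the analyzer.
function isNonPublicIPv4(ip) {
  const o = parseIPv4(ip);
  if (!o) return true;
  const [a, b] = o;
  return (
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a === 127 ||
    (a === 169 && b === 254) ||
    a === 0 ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

// Mirror of the "Filter public IPs" IF node: keep only IP observables that
// are worth submitting.
function selectPublicIpObservables(observables) {
  return observables.filter((obs) => obs.dataType === 'ip' && !isNonPublicIPv4(obs.data));
}

// Mirror of the "IF country=..." branch: given a GeoIP report, decide whether
// to raise severity and which tag to attach. `watchCountries` is the
// configurable threshold; the page uses China as its example.
function evaluateGeoIpReport(report, watchCountries) {
  const country = report && report.country ? String(report.country) : 'unknown';
  const match = watchCountries.some((c) => c.toLowerCase() === country.toLowerCase());
  return {
    raiseSeverity: match,
    severity: match ? 'high' : null,
    tag: `geoip:${country}`,
  };
}

// Constructed sample input: one private IP, one public IP, one non-IP
// observable and one malformed address.
const sampleObservables = [
  { dataType: 'ip', data: '10.0.0.5' },
  { dataType: 'ip', data: '203.0.113.7' },
  { dataType: 'domain', data: 'example.org' },
  { dataType: 'ip', data: '300.1.1.1' },
];
// Constructed sample analyzer report.
const sampleReport = { country: 'China' };
```

In the workflow the same two checks sit in the IF nodes; keeping the country list as a single configurable array, as `watchCountries` is here, makes the threshold easy to review when the threat model changes.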
SLA enforcement
File: SLA.json
Monitors all open cases and escalates any case that has been open for more than 50 days.
Nodes:
Cron — triggers on a schedule.
Search open cases — fetches all cases with Open status.
Function — calculates how many days each case has been open.
IF SLA > 50 days — routes cases that exceed the threshold.
Update case — sets a flag or changes the severity on breached cases.
Adjust the threshold in the IF SLA > 50 days node condition.
Open case reminder
File: Open_case_reminder.json
Sends a multi-channel notification when a case has been open for more than 7 days. Supports email, SMS (via Sms77), Slack, and a case flag in Energy SOAR Base.
Nodes:
Cron — triggers on a schedule.
Search open cases — fetches all cases with Open status.
Calculate SLA — computes case age in days.
IF SLA > 7 days — routes cases past the threshold.
Send Email — sends an email reminder to the assigned analyst.
Sms77 — sends an SMS alert (requires Sms77 credentials).
Slack — posts a message to a configured Slack channel.
Flag case — sets the flag on the case in Energy SOAR Base.
Configure the credential blocks for the channels you use; leave unused nodes disconnected.
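The SLA enforcement and Open case reminder workflows share the same core step: a Function node computes how many days a case has been open, and an IF node routes cases past a threshold (50 days and 7 days respectively). The following is an added example of that calculation, not the Function node code shipped in SLA.json or Open_case_reminder.json; the case records are constructed, and the createdAt field as an epoch-millisecond number is an assumption about the case shape.

```javascript
// Added example, not the workflows' own Function node code. Case records
// and the createdAt field name are constructed assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Whole days a case has been open, relative to `now` (both epoch ms).
function caseAgeDays(createdAt, now) {
  if (typeof createdAt !== 'number' || Number.isNaN(createdAt)) {
    throw new TypeError('createdAt must be an epoch-millisecond number');
  }
  return Math.floor((now - createdAt) / DAY_MS);
}

// Annotate each case with its age (what the Function node adds to the item)
// and split on the threshold (what the IF node does). Cases whose creation
// time lies in the future are reported separately instead of quietly passing
// the check, so a bad timestamp is visible.
function evaluateSla(cases, thresholdDays, now) {
  const breached = [];
  const withinSla = [];
  const suspect = [];
  for (const c of cases) {
    const ageDays = caseAgeDays(c.createdAt, now);
    const item = { ...c, ageDays };
    if (ageDays < 0) suspect.push(item);
    else if (ageDays > thresholdDays) breached.push(item);
    else withinSla.push(item);
  }
  return { breached, withinSla, suspect };
}

// Text the notification nodes (email, SMS, Slack) would send for one case.
function reminderMessage(item, thresholdDays) {
  const who = item.assignee || 'unassigned';
  return `Case #${item.caseId} "${item.title}" has been open for ${item.ageDays} days (SLA ${thresholdDays} days); assignee: ${who}`;
}

// Constructed sample: a fixed "now" keeps the example deterministic.
const NOW = Date.UTC(2024, 0, 31);
const sampleCases = [
  { caseId: 101, title: 'Phishing report', assignee: 'alice', createdAt: NOW - 8 * DAY_MS },
  { caseId: 102, title: 'Malware alert', assignee: 'bob', createdAt: NOW - 3 * DAY_MS },
  { caseId: 103, title: 'Old investigation', assignee: null, createdAt: NOW - 60 * DAY_MS },
  { caseId: 104, title: 'Clock skew', assignee: 'carol', createdAt: NOW + 2 * DAY_MS },
];
```

With thresholdDays set to 7 the first and third sample cases are routed to the notification branch; with 50 only the third is, which is the difference between the two workflows.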
Vulnerability tickets
File: Vulnerability_Tickets.json
Reads a spreadsheet of vulnerability tickets, matches them to open cases by observable, and updates case severity based on ticket priority.
Nodes:
Cron — triggers on a schedule.
Get cases — fetches open cases from Energy SOAR Base.
Get observables — fetches observables from each case.
Read Binary File — reads the vulnerability spreadsheet from disk.
Spreadsheet File — parses the spreadsheet into rows.
SplitInBatches — processes rows in configurable batch sizes.
IF — matches observable values against spreadsheet entries.
Change severity — updates case severity on match.
Place the spreadsheet file at the path configured in the Read Binary File node.
Phishing automation
File: Phishing.json
Automated triage for phishing cases. Fetches cases tagged automation_phishing, analyzes URL and attachment observables via Automation, calculates a risk score, and either escalates or closes the case. See the Suspicious E-mail Investigation use case for the full walkthrough.
Correlate alerts
Runs on a schedule and groups alerts that share the same title into a single case. Alerts received within a configurable time window are compared: a new alert whose title matches an existing case is merged into that case; an alert with no match becomes its own case.
Nodes:
Cron — triggers every 10 minutes.
Set query time — computes the correlation window boundaries (default: 10 minutes).
Get Alerts — fetches alerts received within the window.
Remove duplicated Alerts — deduplicates the list by title.
Set fields — extracts the alert ID and title for matching.
Get Alerts by title — queries for existing cases with a matching title.
Set time — attaches the query window timestamps to each item.
Merge — joins new alerts with existing cases on the title key.
Create Case — promotes an unmatched alert to a new case.
Correlate into Case — merges a matching alert into the existing case.
Adjust the correlate_minutes value in the Set query time node to change the correlation window.
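The window computation, title-based deduplication and merge-or-create decision described above, written as one function set. This is an added example and not the node code of the Correlate alerts workflow; alert and case records are constructed, and the field names (alertId, caseId, title, date as epoch ms) are assumptions about the record shape.

```javascript
// Added example, not the Correlate alerts workflow's node code. Records and
// field names are constructed assumptions.

const MINUTE_MS = 60 * 1000;

// "Set query time": the window [now - correlateMinutes, now].
function correlationWindow(now, correlateMinutes) {
  return { from: now - correlateMinutes * MINUTE_MS, to: now };
}

// Normalise a title so whitespace and case differences still correlate.
function titleKey(title) {
  return String(title || '').trim().toLowerCase().replace(/\s+/g, ' ');
}

// "Get Alerts" + "Remove duplicated Alerts": alerts inside the window, one
// per title (first seen wins). Alerts already attached to a case (assumed
// caseId field) are skipped so they are not imported twice.
function newAlertsInWindow(alerts, window) {
  const seen = new Set();
  const out = [];
  for (const a of alerts) {
    if (a.date < window.from || a.date > window.to) continue;
    if (a.caseId) continue;
    const key = titleKey(a.title);
    if (!key || seen.has(key)) continue;
    seen.add(key);
    out.push(a);
  }
  return out;
}

// "Merge" + the two output branches: a title already known as an open case
// is merged into it ("Correlate into Case"); an unknown title becomes a new
// case ("Create Case"). Returns the plan rather than performing the calls.
function correlate(alerts, openCases, window) {
  const byTitle = new Map(openCases.map((c) => [titleKey(c.title), c.caseId]));
  const plan = { createCase: [], correlateIntoCase: [] };
  for (const a of newAlertsInWindow(alerts, window)) {
    const key = titleKey(a.title);
    if (byTitle.has(key)) {
      plan.correlateIntoCase.push({ alertId: a.alertId, caseId: byTitle.get(key) });
    } else {
      plan.createCase.push({ alertId: a.alertId, title: a.title });
    }
  }
  return plan;
}

// Constructed sample: a fixed "now", five alerts and one open case.
const NOW = Date.UTC(2024, 0, 31, 12, 0, 0);
const sampleAlerts = [
  { alertId: 'a1', title: 'Brute force on vpn01', date: NOW - 2 * MINUTE_MS },
  { alertId: 'a2', title: 'brute force on VPN01 ', date: NOW - 4 * MINUTE_MS }, // duplicate title
  { alertId: 'a3', title: 'New admin created', date: NOW - 5 * MINUTE_MS },
  { alertId: 'a4', title: 'Old alert', date: NOW - 30 * MINUTE_MS }, // outside the window
  { alertId: 'a5', title: 'Already cased', date: NOW - 1 * MINUTE_MS, caseId: 7 },
];
const sampleOpenCases = [{ caseId: 42, title: 'Brute force on vpn01' }];
```

Note that correlating purely on title means two unrelated detections that happen to share a name will be merged; if your alert sources produce generic titles, extend titleKey to include the source or a hash of the key fields.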
User added to security-enabled group
Triggered by the Cortex RunWorkflow responder when a user is added to an Active Directory or LDAP security-enabled group. Checks whether the account is a non-admin user, sends a confirmation link to the SOC, waits for a webhook response, and optionally revokes the account session if creation is not confirmed.
Nodes:
Start — triggered by the Cortex RunWorkflow responder.
Get cases — fetches the triggering case.
Energy SOAR Base — fetches case observables.
IF1 — filters to username-type observables not tagged admin.
Get tasks — fetches case tasks.
Switch task — routes to the Confirm creation task.
Send Email1 — sends a confirmation link with a webhook URL to the SOC.
Set — configures the confirmation webhook URL.
Merge — joins case and observable data.
Wait — waits for the confirmation webhook response.
Check task update — polls the task status.
IF — branches on whether the task is Completed.
Draft - kill sessions — runs an Automation responder to revoke the user session if creation is not confirmed.
Send Email — alerts the SOC if creation was not confirmed in time.
Energy SOAR Base1/2/3 — updates the workflow-step custom field.
Update the Send Email and Send Email1 nodes with your SOC address. The companion workflow Webhook - confirm user creation handles the confirmation click: it marks the task as Completed when the SOC follows the link.
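The branching in this workflow (which observables need confirmation, which task to watch, and what to do once the Wait expires) is shown below as plain functions. This is an added example, not the node code of the User added to security-enabled group workflow or its Webhook - confirm user creation companion; the observable and task shapes (dataType, tags, title, status), the task title, the deadline handling and the token in the confirmation link are assumptions, and all sample records are constructed.

```javascript
// Added example, not the workflow's own node code. Record shapes, task
// title and the token check are assumptions; sample data is constructed.

// "IF1": only username observables not tagged admin need SOC confirmation.
function nonAdminUsernames(observables) {
  return observables.filter(
    (o) => o.dataType === 'username' &&
      !(o.tags || []).some((t) => String(t).toLowerCase() === 'admin')
  );
}

// "Switch task": locate the task the SOC completes by following the link.
function findConfirmTask(tasks, title = 'Confirm creation') {
  return tasks.find((t) => t.title === title) || null;
}

// "Check task update" / "IF": after the Wait node, decide the next step.
//   confirmed - the SOC completed the task; nothing to revoke
//   revoke    - deadline passed without confirmation; run the kill-sessions
//               responder and alert the SOC
//   wait      - still inside the window; poll the task again
// A missing task fails closed (revoke) rather than silently approving.
function decideAfterWait(task, deadlineMs, nowMs) {
  if (!task) return 'revoke';
  if (task.status === 'Completed') return 'confirmed';
  return nowMs >= deadlineMs ? 'revoke' : 'wait';
}

// The link carried in Send Email1. The page's workflow passes the case
// reference; the unguessable token is an added assumption so the companion
// webhook can reject a forged or replayed confirmation click.
function confirmationLink(baseUrl, caseId, token) {
  const u = new URL(baseUrl);
  u.searchParams.set('caseId', String(caseId));
  u.searchParams.set('token', token);
  return u.toString();
}

// Constructed sample case data.
const groupChangeObservables = [
  { dataType: 'username', data: 'jdoe', tags: [] },
  { dataType: 'username', data: 'svc-admin', tags: ['admin'] },
  { dataType: 'ip', data: '10.1.1.1', tags: [] },
];
const groupChangeTasks = [
  { title: 'Investigate', status: 'InProgress' },
  { title: 'Confirm creation', status: 'Waiting' },
];
const NOW = Date.UTC(2024, 0, 31, 9, 0, 0);
```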
Analyze web scan observables
Periodically submits IP-type observables to the Energy Logserver Agent analyzer. Raises case severity on a suspicious result; closes the case when the result is clean.
Nodes:
Cron — triggers on a schedule.
Get cases — fetches open cases.
Get observables — fetches observables from each case.
Filter public IPs — IF node; skips private address ranges.
Energy Logserver Agent — submits the IP to the Energy Logserver Agent analyzer.
Analyze — starts the analyzer job.
Wait — pauses 10 seconds while the job runs.
Get Report — polls Automation for the completed job result.
IF Suspicious — routes on a suspicious result.
Severity=high — updates case severity to high on a suspicious match.
Add observable tag — tags the observable with the analysis result.
Severity=low & close case — sets severity to low and closes the case when the result is clean.
Analyze email
Triggered by the Cortex RunWorkflow responder on cases that contain an email observable. Parses the .eml attachment with the EmlParser analyzer, extracts all embedded observables (IP addresses, URLs, domains, hashes, email addresses), creates them in the case, and submits each type to Automation. Calls the Analyze observables on VT parent sub-workflow to compute a VirusTotal risk score.
Nodes:
Start — triggered by the Cortex RunWorkflow responder.
get Observables — fetches observables from the case.
execute EmlParser — runs the EmlParser analyzer on the email attachment.
Get one report / Get reports — waits for the EmlParser result.
Create observable (domain/IP/URL/mail/hash) — creates each extracted observable in the case.
Get IPs / Get URLs / Get Domains / Get Emails / Get Hashes — separates observables by type.
Remove duplicates — deduplicates each observable type.
Analyze IP / URL / Email / Hash / Domain / File — submits each type to the corresponding webhook worker workflow.
Get risk — calls the Analyze observables on VT parent sub-workflow for VirusTotal scoring.
Update task — updates the analysis task status.
Set field (workflow.step=completed) — marks the workflow complete.
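The "Get IPs / Get URLs / Get Domains / Get Emails / Get Hashes" and "Remove duplicates" steps reduce to one operation: bucket the extracted observables by type and drop repeats within each bucket. The following is an added example of that step, not code from the Analyze email workflow or from EmlParser; it also goes slightly beyond the page by classifying bare values that arrive without a dataType, and by normalising case so that the same domain or hash written differently is counted once. The input list is constructed.

```javascript
// Added example, not the Analyze email workflow's node code. The extracted
// list is constructed; the dataType/data field names are an assumption.

const HASH_LENGTHS = new Set([32, 40, 64]); // MD5, SHA-1, SHA-256 hex lengths

// Assign a type to a bare value; returns null when it matches nothing.
// Order matters: an IP or URL must be recognised before the domain rule.
function inferDataType(value) {
  const v = String(value).trim();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(v)) return 'ip';
  if (/^https?:\/\//i.test(v)) return 'url';
  if (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v)) return 'mail';
  if (/^[0-9a-f]+$/i.test(v) && HASH_LENGTHS.has(v.length)) return 'hash';
  if (/^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(v)) return 'domain';
  return null;
}

// Hashes, domains and mail addresses are case-insensitive; URLs are not.
function normaliseValue(type, value) {
  const v = String(value).trim();
  return type === 'hash' || type === 'domain' || type === 'mail' ? v.toLowerCase() : v;
}

// Returns { buckets: { ip, url, domain, mail, hash }, untyped } with each
// bucket deduplicated. Values that cannot be typed are returned rather than
// dropped, so the analyst can see what the parser could not place.
function splitByType(extracted) {
  const buckets = { ip: [], url: [], domain: [], mail: [], hash: [] };
  const seen = new Set();
  const untyped = [];
  for (const item of extracted) {
    const raw = typeof item === 'string' ? { data: item } : item;
    const type = raw.dataType || inferDataType(raw.data);
    if (!type || !(type in buckets)) {
      untyped.push(raw.data);
      continue;
    }
    const data = normaliseValue(type, raw.data);
    const key = `${type}:${data}`;
    if (seen.has(key)) continue;
    seen.add(key);
    buckets[type].push(data);
  }
  return { buckets, untyped };
}

// Constructed sample: typed and untyped values, with duplicates that differ
// only in case.
const sampleExtracted = [
  { dataType: 'ip', data: '198.51.100.23' },
  '198.51.100.23',
  { dataType: 'url', data: 'http://login.example.test/verify' },
  'login.example.test',
  'Login.Example.TEST',
  'attacker@example.test',
  'D41D8CD98F00B204E9800998ECF8427E',
  'd41d8cd98f00b204e9800998ecf8427e',
  'not an observable',
];
```

Each non-empty bucket is what the corresponding Analyze IP / URL / Email / Hash / Domain node would hand to its webhook worker workflow.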
Imap2case
Polls an IMAP mailbox and converts each new message into an Energy SOAR case. The email subject becomes the case title and the case is created from the Suspicious e-mail template.
Nodes:
IMAP Email — polls the SOAR mailbox folder for new messages.
Function — extracts attachment metadata from the message.
Energy SOAR Base — creates an alert with the email subject as the title.
Energy SOAR Base1 — promotes the alert to a case using the Suspicious e-mail template.
IF — branches based on whether an attachment is present.
Configure the IMAP credential block with your mailbox details. The folder name defaults to SOAR; update the IMAP Email node if you use a different folder.
System health
Collects operating-system statistics on a schedule and stores them in Energy SOAR Base as internal monitoring records.
Nodes:
Cron — triggers on a schedule.
Execute Command — runs the statistics script at /opt/energysoar/workflow/script/get_os_stats.py.
Create _system_stats entry — stores the result as a stats-type alert with status Ignored in Energy SOAR Base.
Update owner
Finds cases assigned to the workflow@energysoar.local placeholder account and reassigns them to the correct owner by matching case titles against recently resolved cases.
Nodes:
Get cases — fetches open cases sorted by case number, descending.
Asignee=workflow? — IF node; filters to cases assigned to workflow@energysoar.local.
Select 1 case / Limit — processes one case per execution.
Set case id — extracts the case ID.
Get resolved case — finds a resolved case with the same title.
Search by title — joins open and resolved cases on the title key.
Set owner — extracts the assignee from the resolved case.
Merge — combines case ID and target owner.
Update owner — sets the case assignee.
Update tasks
Triggered by the Cortex RunWorkflow responder. Copies the task list from a recently resolved case with the same title into the current open case. Use this workflow to apply a task set from a reference case.
Nodes:
Start — triggered by the Cortex RunWorkflow responder.
Get case — fetches the triggering case.
Get resolved case — finds the most recently resolved case with the same title.
Get tasks — fetches tasks from the resolved case.
SplitInBatches — processes one task at a time.
Add task — copies each task into the open case.
Webhook worker workflows
Five short workflows handle Automation analysis requests dispatched by parent workflows. Each accepts a POST, calls the configured Automation analyzer on the supplied observable, and returns the result.
Webhook - Cortex Analyze IP — runs the configured IP analyzer.
Webhook - Cortex Analyze Domain — runs the configured domain analyzer.
Webhook - Cortex Analyze URL — runs the configured URL analyzer.
Webhook - Cortex Analyze Email — runs the configured email analyzer.
Webhook - Cortex Analyze Hash — runs the configured hash analyzer.
These are called internally by Analyze email and similar parent workflows. Update the analyzer ID in each Energy SOAR Base node to swap the underlying analyzer.
Responder RunWorkflow
Bridges Cortex responders and n8n workflows. When the Cortex RunWorkflow responder fires on a case, it posts to the webhook in this workflow, which then calls the target workflow by ID.
Nodes:
Webhook — receives the POST from the Cortex RunWorkflow responder.
Execute Workflow — runs the workflow whose ID is passed in the workflow_id query parameter.
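Because this bridge launches whatever workflow ID it is handed, the webhook side should validate its input before the Execute Workflow step. The following is an added example of that validation as a request handler, not the Responder RunWorkflow workflow's own nodes: the shared-secret header, the allow-list of workflow IDs and the runWorkflow stand-in for the Execute Workflow node are all assumptions, and the requests are constructed.

```javascript
// Added example, not the Responder RunWorkflow workflow's node code. The
// header name, allow-list, secret and runWorkflow stand-in are assumptions.

// Workflow IDs this bridge may launch (constructed sample values).
const ALLOWED_WORKFLOWS = new Set(['201', '202']);
// In a deployment this would come from n8n credentials, not source code.
const SHARED_SECRET = 'constructed-secret';

// Validate one request: POST only, correct shared secret, and a numeric,
// allow-listed workflow_id. Returns { status, body, workflowId }.
function evaluateRunRequest({ method, url, headers }) {
  if (method !== 'POST') return { status: 405, body: 'method not allowed' };
  if ((headers || {})['x-responder-secret'] !== SHARED_SECRET) return { status: 403, body: 'forbidden' };
  const parsed = new URL(url, 'http://localhost');
  const workflowId = parsed.searchParams.get('workflow_id');
  if (!workflowId || !/^\d+$/.test(workflowId)) return { status: 400, body: 'workflow_id must be numeric' };
  if (!ALLOWED_WORKFLOWS.has(workflowId)) return { status: 404, body: 'unknown workflow' };
  return { status: 200, body: 'accepted', workflowId };
}

// Stand-in for the Execute Workflow node (assumption): returns what was
// launched so the caller can log it.
function runWorkflow(workflowId, payload) {
  return { started: workflowId, caseId: payload ? payload.caseId : undefined };
}

// Full handling of a request object that already carries its body text:
// validate, parse the JSON the responder posted, then dispatch.
function dispatch(request) {
  const verdict = evaluateRunRequest(request);
  if (verdict.status !== 200) return { status: verdict.status, body: verdict.body };
  let payload;
  try {
    payload = JSON.parse(request.body || '{}');
  } catch (e) {
    return { status: 400, body: 'bad json' };
  }
  return { status: 200, result: runWorkflow(verdict.workflowId, payload) };
}

// Constructed sample request as the Cortex responder would send it.
const sampleRequest = {
  method: 'POST',
  url: '/webhook/run?workflow_id=202',
  headers: { 'x-responder-secret': SHARED_SECRET },
  body: '{"caseId":"~77"}',
};
```

The same checks can be expressed inside n8n as an IF node between the Webhook and Execute Workflow nodes; the point is that the workflow_id reaching Execute Workflow is one you chose, not one the caller chose.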
Case created
Fires automatically when a new case is created in Energy SOAR Base. After an optional delay, it executes a configurable sub-workflow. Use the IF node to restrict execution to specific case types or tags.
Nodes:
Trigger — energySoarBaseTrigger; fires on case creation.
IF — routes based on a case attribute; configure the condition as needed.
Wait — optional delay before proceeding.
Execute Workflow — runs the configured sub-workflow.