SOAR Flows: Incorrect agent selection behavior and missing alert requirement in trigger configuration #1751

@mjabascal10

Describe the bug

In the SOAR Flows view, there are two functional inconsistencies affecting agent selection and trigger behavior.

Incorrect Agent Selection Behavior
When the Agent Platform = Windows, the SOAR UI does not allow selecting a default agent.
Additionally, the label “Default Agent” is misleading. The correct terminology should be “Dedicated Agent”, since this agent is explicitly assigned to run the flow.

SOAR flows currently execute by default on the datasource associated with the alert that triggered the flow.
However, if the user configures a trigger without selecting an alert (e.g., using only additional filters), the system has no reliable way to determine which datasource should be used.

This creates ambiguity and may cause the flow to run against the wrong datasource or fail silently.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The Flow Trigger configuration should always enforce:

  1. Selecting an Alert Name first
  2. Allowing the user to add any additional trigger conditions afterward

This ensures the system always knows which alert—and therefore which datasource—the flow should operate on.

Current Behavior

  • Windows agents cannot be selected as the default/dedicated agent
  • The UI label “Default Agent” is incorrect
  • Trigger configuration allows flows to be created without specifying an alert, causing datasource ambiguity

Reproduction Steps

  1. Open SOAR → Flows
  2. Create or edit a flow
  3. Set Agent Platform = Windows
  4. Attempt to select a default agent
  5. Configure a trigger without selecting an alert name
  6. Observe that the system cannot determine the datasource

Possible Solution

No response

Additional Information/Context

No response

UTMStack Version

11.2.2

Operating System and version

Ubuntu

Hypervisor and Version | Server Vendor and Model

Browser and version

Google Chrome


Status

🏗 In progress
