arazzo: 1.0.1
info:
  title: EmailRep Screen and Report Malicious Sender
  summary: Query an email's reputation and, when the signals show it is malicious, report it back into the reputation graph.
  description: >-
    A closed-loop threat-intelligence pattern. The workflow first queries EmailRep for an address, inspects the
    suspicious flag and the malicious activity signals in the details block, and then branches: when the address is
    flagged as malicious it submits a report so the reputation graph picks up the freshly observed signal, and when
    the address is clean it ends without reporting. Every step spells out its request inline — including the Key
    authorization header — so the flow can be read and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: emailrepApi
    url: ../openapi/emailrep-api-openapi.yml
    type: openapi
workflows:
  - workflowId: screen-and-report-malicious
    summary: Query an address, branch on its malicious signals, and report it when bad.
    description: >-
      Looks up the reputation for an email address and reads the suspicious flag plus the malicious_activity signal.
      When either indicates malicious behavior the address is reported with the supplied tags; otherwise the
      workflow ends cleanly.
    inputs:
      type: object
      required:
        - apiKey
        - email
      properties:
        apiKey:
          type: string
          description: EmailRep API key passed in the Key header on every request.
        email:
          type: string
          description: The email address to screen and conditionally report.
        tags:
          type: array
          description: Tags classifying the malicious behavior when a report is submitted (e.g. phishing, bec, maldoc).
          items:
            type: string
        description:
          type: string
          description: Optional human-readable context recorded with the report.
    steps:
      - stepId: queryReputation
        description: >-
          Look up the reputation, suspicious flag, and detailed signal block for the supplied email address.
        operationId: queryEmailReputation
        parameters:
          - name: Key
            in: header
            value: $inputs.apiKey
          - name: email
            in: path
            value: $inputs.email
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          reputation: $response.body#/reputation
          suspicious: $response.body#/suspicious
          maliciousActivity: $response.body#/details/malicious_activity
          blacklisted: $response.body#/details/blacklisted
        onSuccess:
          - name: senderIsMalicious
            type: goto
            stepId: reportMalicious
            criteria:
              - context: $response.body
                condition: $.suspicious == true || $.details.malicious_activity == true || $.details.blacklisted == true
                type: jsonpath
          - name: senderIsClean
            type: end
            criteria:
              - context: $response.body
                condition: $.suspicious == false && $.details.malicious_activity == false && $.details.blacklisted == false
                type: jsonpath
      - stepId: reportMalicious
        description: >-
          Report the screened address as malicious so the EmailRep reputation graph picks up the signal observed
          during this screening.
        operationId: reportEmail
        parameters:
          - name: Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            email: $inputs.email
            tags: $inputs.tags
            description: $inputs.description
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          reportStatus: $response.body#/status
    outputs:
      reputation: $steps.queryReputation.outputs.reputation
      suspicious: $steps.queryReputation.outputs.suspicious
      reportStatus: $steps.reportMalicious.outputs.reportStatus