arazzo: 1.0.1
info:
  title: GreyNoise GNQL Investigate Top Result
  summary: Run a GNQL query, then pull full context for the first matching IP.
  description: >-
    Runs a GreyNoise Query Language (GNQL) search across the GreyNoise dataset,
    confirms at least one result was returned, and then retrieves the full IP
    context for the first matching IP address. This chains a broad hunt into a
    focused, single-IP investigation. Every step spells out its request inline
    so the flow can be read and executed without opening the underlying OpenAPI
    description.
  version: 1.0.0
sourceDescriptions:
  - name: greynoiseApi
    url: ../openapi/greynoise-openapi.yml
    type: openapi
workflows:
  - workflowId: gnql-investigate-top-result
    summary: GNQL search then deep-context the first matching IP.
    description: >-
      Executes a GNQL query, checks that results exist, and fetches the full IP
      context for the first result so the top hit can be investigated in detail.
    inputs:
      type: object
      required:
        - apiKey
        - query
      properties:
        apiKey:
          type: string
          description: GreyNoise API key passed via the 'key' HTTP header.
        query:
          type: string
          description: The GNQL query string (e.g. tags:Mirai classification:malicious).
        size:
          type: integer
          description: Number of results per page to return from the query.
          default: 10
    steps:
      - stepId: runQuery
        description: >-
          Execute the GNQL query against the GreyNoise dataset and return
          matching IP records along with request metadata.
        operationId: gnqlV3Query
        parameters:
          - name: key
            in: header
            value: $inputs.apiKey
          - name: query
            in: query
            value: $inputs.query
          - name: size
            in: query
            value: $inputs.size
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          count: $response.body#/request_metadata/count
          firstIp: $response.body#/data/0/ip
        onSuccess:
          - name: haveResults
            type: goto
            stepId: contextFirst
            criteria:
              - context: $response.body
                condition: $.data.length > 0
                type: jsonpath
          - name: noResults
            type: end
            criteria:
              - context: $response.body
                condition: $.data.length == 0
                type: jsonpath
      - stepId: contextFirst
        description: >-
          Retrieve the full IP context for the first IP returned by the GNQL
          query, including metadata, associated actor, activity tags, and raw
          scan data.
        operationId: V3IP
        parameters:
          - name: key
            in: header
            value: $inputs.apiKey
          - name: ip
            in: path
            value: $steps.runQuery.outputs.firstIp
          - name: quick
            in: query
            value: false
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          ip: $response.body#/ip
          classification: $response.body#/internet_scanner_intelligence/classification
          actor: $response.body#/internet_scanner_intelligence/actor
    outputs:
      count: $steps.runQuery.outputs.count
      firstIp: $steps.runQuery.outputs.firstIp
      classification: $steps.contextFirst.outputs.classification
      actor: $steps.contextFirst.outputs.actor