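---
# Naftiko capability definition for Stellar Cyber Open XDR security operations.
#
# Structure: the `consumes` entry describes the upstream Stellar Cyber REST API
# (authenticated with a bearer JWT taken from the environment); the two
# `exposes` entries re-publish a subset of those operations as a REST API on
# port 8080 and as an MCP tool server on port 9090.
#
# Review notes (defensive):
# - Neither exposure declares an `authentication` block, while the upstream
#   `consumes` entry does. As written, any client that can reach port 8080 or
#   9090 acts with the full privileges of STELLAR_CYBER_JWT_TOKEN, including
#   the write operations (case updates, event ingestion, watchlist and playbook
#   creation). Confirm that the Naftiko runtime or a fronting gateway enforces
#   authentication and authorization before deploying this file.
# - The `tenants` and `connectors` resources are declared under `consumes` but
#   are not exposed by either surface.
naftiko: 1.0.0-alpha2

info:
  label: Stellar Cyber Security Operations
  description: >-
    Unified security operations workflow combining Stellar Cyber's Open XDR API
    capabilities for incident response, threat hunting, case management, and
    automated playbook execution. Designed for SOC analysts and security
    engineers who need to investigate alerts, manage cases, monitor sensors, and
    automate response actions.
  tags:
    - Stellar Cyber
    - Cybersecurity
    - SOC
    - Incident Response
    - Threat Hunting
    - SOAR
  created: '2026-05-02'
  modified: '2026-05-06'

# Secrets and deployment-specific values are bound from the process
# environment rather than stored in this file. The JWT is used as a static
# bearer credential for every upstream call below.
binds:
  - namespace: env
    keys:
      STELLAR_CYBER_JWT_TOKEN: STELLAR_CYBER_JWT_TOKEN
      STELLAR_CYBER_HOSTNAME: STELLAR_CYBER_HOSTNAME

capability:
  consumes:
    - type: http
      namespace: stellar-cyber
      # Quoted so the templated value stays a plain string for any YAML
      # parser, independent of what the hostname expands to.
      baseUri: 'https://{{env.STELLAR_CYBER_HOSTNAME}}/connect/api/v1'
      description: Stellar Cyber Open XDR platform REST API
      authentication:
        type: bearer
        token: '{{env.STELLAR_CYBER_JWT_TOKEN}}'
      resources:
        - name: authentication
          path: /access_token
          description: JWT token generation from API key
          operations:
            # NOTE(review): this operation declares no inputParameters and no
            # body, yet its description says it exchanges an API key for a JWT.
            # The consumer already authenticates with the bound JWT, so confirm
            # whether this operation is reachable as written and how the API
            # key would be supplied.
            - name: get-access-token
              method: POST
              description: Generate a JWT access token using an API key
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: cases
          path: /cases
          description: Security case management
          operations:
            - name: list-cases
              method: GET
              description: Retrieve a list of security cases
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum number of cases to return
                - name: offset
                  in: query
                  type: integer
                  required: false
                  description: Pagination offset
                - name: status
                  in: query
                  type: string
                  required: false
                  description: Filter by status
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # Body fields reference the `tools.*` scope; the REST exposure
            # passes `rest.*` values through `with:`. Presumably the runtime
            # maps `with:` names into that scope for both callers — TODO confirm.
            - name: create-case
              method: POST
              description: Create a new security case
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'
                  priority: '{{tools.priority}}'

        - name: case
          path: /cases/{caseId}
          description: Individual case management
          operations:
            - name: get-case
              method: GET
              description: Retrieve details of a specific case
              inputParameters:
                - name: caseId
                  in: path
                  type: string
                  required: true
                  description: Unique case identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: update-case
              method: PUT
              description: Update case status and attributes
              inputParameters:
                - name: caseId
                  in: path
                  type: string
                  required: true
                  description: Unique case identifier
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  status: '{{tools.status}}'
                  priority: '{{tools.priority}}'

        # Declared but not exposed by the REST or MCP surfaces below.
        - name: tenants
          path: /tenants
          description: Multi-tenant administration
          operations:
            - name: list-tenants
              method: GET
              description: Retrieve all tenants
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-tenant
              method: POST
              description: Create a new tenant
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  description: '{{tools.description}}'

        # Declared but not exposed by the REST or MCP surfaces below.
        - name: connectors
          path: /connectors
          description: Data connector management
          operations:
            - name: list-connectors
              method: GET
              description: Retrieve all configured connectors
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-connector
              method: POST
              description: Create a new data connector
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  type: '{{tools.type}}'

        - name: alerts
          path: /alerts
          description: Alert management
          operations:
            - name: list-alerts
              method: GET
              description: Retrieve security alerts
              inputParameters:
                - name: limit
                  in: query
                  type: integer
                  required: false
                  description: Maximum number of alerts to return
                - name: status
                  in: query
                  type: string
                  required: false
                  description: Filter by alert status
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: events
          path: /events
          description: Security event ingestion
          operations:
            # The event documents are forwarded as supplied by the caller of
            # the exposure; no shape or size constraint is declared here.
            - name: ingest-events
              method: POST
              description: Ingest security event documents into the platform
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  events: '{{tools.events}}'

        - name: watchlists
          path: /watchlists
          description: Watchlist management
          operations:
            - name: list-watchlists
              method: GET
              description: Retrieve all watchlists
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-watchlist
              method: POST
              description: Create a new watchlist
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  entries: '{{tools.entries}}'

        - name: sensors
          path: /sensors
          description: Sensor monitoring
          operations:
            - name: list-sensors
              method: GET
              description: Retrieve all registered sensors
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.

        - name: reports
          path: /reports
          description: Security report management
          operations:
            - name: list-reports
              method: GET
              description: Retrieve available security reports
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            - name: create-report
              method: POST
              description: Generate a new security report
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  type: '{{tools.type}}'

        - name: playbooks
          path: /playbooks
          description: ATH Playbook response actions
          operations:
            - name: list-playbooks
              method: GET
              description: Retrieve all playbooks
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
            # Creates an automated response action; `trigger` and `actions`
            # are passed through from the caller unchanged.
            - name: create-playbook
              method: POST
              description: Create a new ATH Playbook response action
              outputRawFormat: json
              outputParameters:
                - name: result
                  type: object
                  value: $.
              body:
                type: json
                data:
                  name: '{{tools.name}}'
                  trigger: '{{tools.trigger}}'
                  actions: '{{tools.actions}}'

  exposes:
    # NOTE(review): no `authentication` is declared for this REST surface.
    # Every request it accepts is executed upstream with the bound JWT.
    - type: rest
      port: 8080
      namespace: security-operations-api
      description: Unified REST API for Stellar Cyber security operations workflows.
      resources:
        - path: /v1/cases
          name: cases
          description: Security case management operations
          operations:
            - method: GET
              name: list-cases
              description: List security cases with optional status filtering
              call: stellar-cyber.list-cases
              with:
                limit: rest.limit
                offset: rest.offset
                status: rest.status
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-case
              description: Create a new security case for investigation
              call: stellar-cyber.create-case
              with:
                name: rest.name
                description: rest.description
                priority: rest.priority
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/cases/{id}
          name: case
          description: Individual case operations
          operations:
            - method: GET
              name: get-case
              description: Retrieve details of a specific case
              call: stellar-cyber.get-case
              with:
                caseId: rest.id
              outputParameters:
                - type: object
                  mapping: $.
            - method: PUT
              name: update-case
              description: Update case status and attributes
              call: stellar-cyber.update-case
              with:
                caseId: rest.id
                status: rest.status
                priority: rest.priority
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/alerts
          name: alerts
          description: Security alert management
          operations:
            - method: GET
              name: list-alerts
              description: Retrieve security alerts with filtering
              call: stellar-cyber.list-alerts
              with:
                limit: rest.limit
                status: rest.status
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/events
          name: events
          description: Security event ingestion
          operations:
            - method: POST
              name: ingest-events
              description: Ingest security event documents
              call: stellar-cyber.ingest-events
              with:
                events: rest.events
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/watchlists
          name: watchlists
          description: Threat watchlist management
          operations:
            - method: GET
              name: list-watchlists
              description: Retrieve all watchlists
              call: stellar-cyber.list-watchlists
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-watchlist
              description: Create a watchlist for threat tracking
              call: stellar-cyber.create-watchlist
              with:
                name: rest.name
                entries: rest.entries
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/sensors
          name: sensors
          description: Security sensor monitoring
          operations:
            - method: GET
              name: list-sensors
              description: List all registered sensors
              call: stellar-cyber.list-sensors
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/playbooks
          name: playbooks
          description: Automated response playbooks
          operations:
            - method: GET
              name: list-playbooks
              description: List all ATH playbooks
              call: stellar-cyber.list-playbooks
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-playbook
              description: Create a new automated response playbook
              call: stellar-cyber.create-playbook
              with:
                name: rest.name
                trigger: rest.trigger
                actions: rest.actions
              outputParameters:
                - type: object
                  mapping: $.

        - path: /v1/reports
          name: reports
          description: Security reporting
          operations:
            - method: GET
              name: list-reports
              description: Retrieve available security reports
              call: stellar-cyber.list-reports
              outputParameters:
                - type: object
                  mapping: $.
            - method: POST
              name: create-report
              description: Generate a new security report
              call: stellar-cyber.create-report
              with:
                name: rest.name
                type: rest.type
              outputParameters:
                - type: object
                  mapping: $.

    # NOTE(review): no `authentication` is declared for this MCP surface
    # either; an AI agent connected to it can invoke every write tool below
    # with the bound JWT's privileges.
    - type: mcp
      port: 9090
      namespace: security-operations-mcp
      transport: http
      description: MCP server for AI-assisted security operations on Stellar Cyber Open XDR.
      tools:
        - name: list-cases
          description: >-
            Retrieve security cases from Stellar Cyber. Use for investigating
            ongoing incidents and tracking case status.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-cases
          with:
            limit: tools.limit
            status: tools.status
          outputParameters:
            - type: object
              mapping: $.

        - name: create-case
          description: >-
            Create a new security case in Stellar Cyber. Use when an alert or
            event requires formal investigation and tracking.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.create-case
          with:
            name: tools.name
            description: tools.description
            priority: tools.priority
          outputParameters:
            - type: object
              mapping: $.

        - name: get-case
          description: Get detailed information about a specific security case by ID.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.get-case
          with:
            caseId: tools.caseId
          outputParameters:
            - type: object
              mapping: $.

        - name: update-case
          description: >-
            Update a security case status, priority, or other attributes. Use
            to progress cases through investigation workflows.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.update-case
          with:
            caseId: tools.caseId
            status: tools.status
            priority: tools.priority
          outputParameters:
            - type: object
              mapping: $.

        - name: list-alerts
          description: >-
            Retrieve security alerts from Stellar Cyber Open XDR. Use for alert
            triage and identifying threats requiring investigation.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-alerts
          with:
            limit: tools.limit
            status: tools.status
          outputParameters:
            - type: object
              mapping: $.

        # Whatever the agent supplies in `events` reaches the platform's
        # correlation pipeline unchanged; treat this tool as a data-injection
        # path when deciding who may connect to this server.
        - name: ingest-events
          description: >-
            Ingest custom security event documents into Stellar Cyber for
            analysis and correlation.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.ingest-events
          with:
            events: tools.events
          outputParameters:
            - type: object
              mapping: $.

        - name: list-watchlists
          description: >-
            Retrieve all threat watchlists. Use to check what indicators and
            entities are currently being monitored.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-watchlists
          outputParameters:
            - type: object
              mapping: $.

        - name: create-watchlist
          description: >-
            Create a new watchlist for tracking threat indicators such as
            malicious IPs, domains, or file hashes.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.create-watchlist
          with:
            name: tools.name
            entries: tools.entries
          outputParameters:
            - type: object
              mapping: $.

        - name: list-sensors
          description: >-
            List all sensors registered with Stellar Cyber. Use to check sensor
            health and coverage across the environment.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-sensors
          outputParameters:
            - type: object
              mapping: $.

        - name: list-playbooks
          description: >-
            Retrieve all automated response playbooks. Use to review available
            automation workflows for threat response.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-playbooks
          outputParameters:
            - type: object
              mapping: $.

        # NOTE(review): this tool lets an agent define an automated response
        # action (trigger + actions) that the platform will execute later.
        # `destructive: false` is carried over from the other create-* tools;
        # reconsider that hint, and consider requiring human approval for
        # this tool, given what a playbook can do once it fires.
        - name: create-playbook
          description: Create a new ATH Playbook response action for automated threat response.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.create-playbook
          with:
            name: tools.name
            trigger: tools.trigger
            actions: tools.actions
          outputParameters:
            - type: object
              mapping: $.

        - name: list-reports
          description: >-
            List available security reports. Use for compliance reporting and
            security posture reviews.
          hints:
            readOnly: true
            openWorld: true
          call: stellar-cyber.list-reports
          outputParameters:
            - type: object
              mapping: $.

        - name: create-report
          description: Generate a new security report for compliance or executive reporting.
          hints:
            readOnly: false
            destructive: false
          call: stellar-cyber.create-report
          with:
            name: tools.name
            type: tools.type
          outputParameters:
            - type: object
              mapping: $.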