---
# Arazzo workflow: author a custom Falco rule in Sysdig Secure and attach it
# to an enforcing runtime policy. Three steps: create the rule, read it back,
# then create a falco-type policy whose ruleNames points at the rule.
arazzo: 1.0.1

info:
  title: Sysdig Author Falco Rule and Attach to Policy
  summary: Create a custom Falco rule, then create a policy that references it.
  description: >-
    A detection authoring flow for Sysdig Secure. It creates a custom Falco
    rule from a condition expression, confirms the rule by reading it back,
    and then creates a runtime security policy whose ruleNames reference the
    new rule so the detection is actively enforced. Every step spells out its
    request inline so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0

# The OpenAPI description that the operationId values below resolve against.
sourceDescriptions:
  - name: sysdigSecure
    url: ../openapi/sysdig-secure-openapi.yml
    type: openapi

workflows:
  - workflowId: author-falco-rule-and-attach-policy
    summary: Create a Falco rule and wire it into an enforcing policy.
    description: >-
      Creates a custom Falco rule, reads it back to confirm it persisted, and
      then creates a falco-type policy that references the rule by name.

    # Workflow inputs (JSON Schema). All but `priority` are required.
    inputs:
      type: object
      required:
        - bearerToken
        - ruleName
        - condition
        - output
        - policyName
      properties:
        # Credential sent as the Authorization header on every step; supply it
        # at run time from a secret store rather than from a committed file.
        bearerToken:
          type: string
          description: Sysdig API bearer token used for Authorization.
        ruleName:
          type: string
          description: Name of the custom Falco rule.
        condition:
          type: string
          description: Falco condition expression that triggers the rule.
        output:
          type: string
          description: Output message emitted when the rule fires.
        # Optional; falls back to WARNING when the caller omits it.
        priority:
          type: string
          description: Falco priority level (e.g. WARNING, CRITICAL).
          default: WARNING
        policyName:
          type: string
          description: Name of the policy that will enforce the rule.

    steps:
      # Step 1: create the rule. It is created already enabled, so the policy
      # built in step 3 starts enforcing it as soon as that policy exists.
      - stepId: createRule
        description: Create the custom Falco rule from the supplied condition.
        operationId: createFalcoRule
        parameters:
          - name: Authorization
            in: header
            value: 'Bearer $inputs.bearerToken'
        requestBody:
          contentType: application/json
          payload:
            rule:
              name: $inputs.ruleName
              condition: $inputs.condition
              output: $inputs.output
              priority: $inputs.priority
              enabled: true
        successCriteria:
          - condition: '$statusCode == 201'
        # Runtime expressions are quoted so the `#` JSON-pointer separator can
        # never be mistaken for a comment by a reader or a lax tokenizer.
        outputs:
          ruleId: '$response.body#/rule/id'
          ruleName: '$response.body#/rule/name'

      # Step 2: read the rule back by the id returned in step 1. Only the
      # status code is asserted here; the name the API returns (not
      # $inputs.ruleName) is what step 3 binds the policy to.
      - stepId: verifyRule
        description: Read the rule back by id to confirm it persisted.
        operationId: getFalcoRule
        parameters:
          - name: Authorization
            in: header
            value: 'Bearer $inputs.bearerToken'
          - name: ruleId
            in: path
            value: $steps.createRule.outputs.ruleId
        successCriteria:
          - condition: '$statusCode == 200'
        outputs:
          ruleName: '$response.body#/rule/name'

      # Step 3: create the enforcing policy. Severity is fixed at 4 here; the
      # workflow exposes no input for it.
      - stepId: createPolicy
        description: Create a falco-type policy that references the new rule by name.
        operationId: createPolicy
        parameters:
          - name: Authorization
            in: header
            value: 'Bearer $inputs.bearerToken'
        requestBody:
          contentType: application/json
          payload:
            policy:
              name: $inputs.policyName
              severity: 4
              enabled: true
              type: falco
              ruleNames:
                - $steps.verifyRule.outputs.ruleName
        successCriteria:
          - condition: '$statusCode == 201'
        outputs:
          policyId: '$response.body#/policy/id'

    # Workflow-level outputs surfaced to the caller.
    outputs:
      ruleId: $steps.createRule.outputs.ruleId
      policyId: $steps.createPolicy.outputs.policyId