arazzo: 1.0.1
info:
  title: Varonis Device Malicious IP Response
  summary: Pull a device's newest alert, and if it involves a malicious IP, fetch events and investigate.
  description: >-
    A device-scoped response workflow. It retrieves the newest alert for a
    named device and branches on whether the alert is associated with a known
    malicious IP address. When the IP is malicious it pulls the underlying
    events and moves the alert into Under Investigation; otherwise the flow
    ends. Each step inlines its request so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: datalertApi
    url: ../openapi/varonis-datalert-openapi.yml
    type: openapi
workflows:
  - workflowId: device-malicious-ip-response
    summary: Respond to a device alert only when it involves a known malicious IP.
    description: >-
      Retrieves the newest alert for a device, branches on the isMaliciousIP
      flag, and when malicious pulls events and transitions the alert into
      Under Investigation.
    inputs:
      type: object
      required:
        - apiKey
        - deviceName
      properties:
        apiKey:
          type: string
          description: Varonis DatAlert API key sent in the X-API-Key header.
        deviceName:
          type: string
          description: Name of the device to check for malicious-IP alerts.
        lastDays:
          type: integer
          description: How many days back to search for alerts.
          default: 14
        note:
          type: string
          description: Note recorded when the alert is moved into investigation.
          default: Device alert involves a known malicious IP; investigating.
    steps:
      - stepId: getDeviceAlert
        description: >-
          Retrieve the newest alert for the named device, including the
          malicious-IP flag, to decide whether a response is warranted.
        operationId: getAlerts
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            deviceName: $inputs.deviceName
            lastDays: $inputs.lastDays
            descendingOrder: true
            maxResults: 1
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          alertId: $response.body#/alerts/0/id
          isMaliciousIP: $response.body#/alerts/0/isMaliciousIP
          platform: $response.body#/alerts/0/platform
        onSuccess:
          - name: malicious
            type: goto
            stepId: getEvents
            criteria:
              - context: $response.body
                condition: $.alerts[0].isMaliciousIP == true
                type: jsonpath
          - name: notMalicious
            type: end
            criteria:
              - context: $response.body
                condition: $.alerts[0].isMaliciousIP == false
                type: jsonpath
      - stepId: getEvents
        description: >-
          Load the forensic events behind the malicious-IP alert to understand
          the operations performed from that address.
        operationId: getAlertedEvents
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getDeviceAlert.outputs.alertId
            lastDays: $inputs.lastDays
            descendingOrder: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          events: $response.body#/events
          eventCount: $response.body#/totalCount
      - stepId: markInvestigating
        description: >-
          Transition the malicious-IP alert into Under Investigation status
          with a response note.
        operationId: updateAlertStatus
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getDeviceAlert.outputs.alertId
            status: Under Investigation
            note: $inputs.note
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          statusUpdated: $response.body#/success
    outputs:
      alertId: $steps.getDeviceAlert.outputs.alertId
      platform: $steps.getDeviceAlert.outputs.platform
      eventCount: $steps.getEvents.outputs.eventCount
      statusUpdated: $steps.markInvestigating.outputs.statusUpdated
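The branching in this workflow (getDeviceAlert either jumps to getEvents or ends, and the two later steps never run for a non-malicious alert) is easier to verify by executing it than by reading it. The following Python is an added example, not Varonis code and not an Arazzo runner from any project: it implements only the runtime-expression subset the workflow uses (`$inputs.*`, `$steps.*.outputs.*`, `$statusCode`, `$response.body#/...` JSON Pointers) and its two jsonpath criteria, and it replaces the DatAlert API with a constructed stub whose response bodies are shaped after the fields the workflow's `outputs` read (`alerts[0].id`, `events`, `totalCount`, `success`). The API key, device name and event record are placeholders; the `context` and `name` keys of the criteria are omitted because this runner does not consult them.

```python
# Runner for the device-malicious-ip-response workflow above. Added example,
# not Varonis or Arazzo project code: it covers only the runtime-expression
# subset the workflow uses and stubs the DatAlert API with constructed data.
import re

API_KEY = "example-api-key"  # placeholder credential, used by the stub only

# The three workflow steps, reduced to the fields the runner reads.
STEPS = [
    {"stepId": "getDeviceAlert", "operationId": "getAlerts",
     "payload": {"deviceName": "$inputs.deviceName", "lastDays": "$inputs.lastDays",
                 "descendingOrder": True, "maxResults": 1},
     "outputs": {"alertId": "$response.body#/alerts/0/id",
                 "isMaliciousIP": "$response.body#/alerts/0/isMaliciousIP",
                 "platform": "$response.body#/alerts/0/platform"},
     "onSuccess": [
         {"type": "goto", "stepId": "getEvents",
          "criteria": [{"condition": "$.alerts[0].isMaliciousIP == true", "type": "jsonpath"}]},
         {"type": "end",
          "criteria": [{"condition": "$.alerts[0].isMaliciousIP == false", "type": "jsonpath"}]}]},
    {"stepId": "getEvents", "operationId": "getAlertedEvents",
     "payload": {"alertId": "$steps.getDeviceAlert.outputs.alertId",
                 "lastDays": "$inputs.lastDays", "descendingOrder": True},
     "outputs": {"events": "$response.body#/events", "eventCount": "$response.body#/totalCount"}},
    {"stepId": "markInvestigating", "operationId": "updateAlertStatus",
     "payload": {"alertId": "$steps.getDeviceAlert.outputs.alertId",
                 "status": "Under Investigation", "note": "$inputs.note"},
     "outputs": {"statusUpdated": "$response.body#/success"}},
]
SUCCESS = [{"condition": "$statusCode == 200"}]  # successCriteria shared by all steps
HEADER = {"name": "X-API-Key", "in": "header", "value": "$inputs.apiKey"}  # shared parameter

def walk(node, tokens):
    """Descend a response body by key/index tokens (JSON Pointer or $.a[0].b)."""
    for tok in tokens:
        node = node[int(tok)] if isinstance(node, list) else node[tok]
    return node

def resolve(expr, ctx):
    """Resolve one Arazzo runtime expression; plain values pass through."""
    if not isinstance(expr, str) or not expr.startswith("$"):
        return expr
    if expr == "$statusCode":
        return ctx["statusCode"]
    if expr.startswith("$inputs."):
        return ctx["inputs"][expr[8:]]
    if m := re.fullmatch(r"\$steps\.(\w+)\.outputs\.(\w+)", expr):
        return ctx["steps"][m[1]][m[2]]
    if expr.startswith("$response.body#/"):
        return walk(ctx["response"], expr[16:].split("/"))  # JSON Pointer
    raise ValueError(f"unsupported expression: {expr}")

def check(criterion, ctx):
    """Evaluate the '<lhs> == <literal>' conditions this workflow uses."""
    lhs, rhs = (s.strip() for s in criterion["condition"].split("=="))
    want = {"true": True, "false": False}.get(rhs)
    want = int(rhs) if want is None else want
    if criterion.get("type") == "jsonpath":  # e.g. $.alerts[0].isMaliciousIP
        return walk(ctx["response"], re.findall(r"\w+", lhs)) == want
    return resolve(lhs, ctx) == want

def run_workflow(inputs, call):
    """Execute the steps in order, honouring onSuccess goto/end branches."""
    ctx, ids, i = {"inputs": inputs, "steps": {}}, [s["stepId"] for s in STEPS], 0
    while i < len(STEPS):
        step = STEPS[i]
        headers = {HEADER["name"]: resolve(HEADER["value"], ctx)}
        payload = {k: resolve(v, ctx) for k, v in step["payload"].items()}
        ctx["statusCode"], ctx["response"] = call(step["operationId"], headers, payload)
        if not all(check(c, ctx) for c in SUCCESS):
            raise RuntimeError(f"{step['stepId']} failed: HTTP {ctx['statusCode']}")
        ctx["steps"][step["stepId"]] = {k: resolve(v, ctx) for k, v in step["outputs"].items()}
        i += 1  # default: fall through to the next step
        for action in step.get("onSuccess", []):
            if all(check(c, ctx) for c in action["criteria"]):
                i = len(STEPS) if action["type"] == "end" else ids.index(action["stepId"])
                break
    return ctx["steps"]

def make_stub(malicious):
    """Constructed DatAlert stand-in; bodies carry only the fields the outputs read."""
    def call(operation_id, headers, payload):
        if headers.get("X-API-Key") != API_KEY:
            return 401, {"message": "unauthorized"}
        if operation_id == "getAlerts":
            return 200, {"alerts": [{"id": "alert-1", "isMaliciousIP": malicious, "platform": "Windows"}]}
        if operation_id == "getAlertedEvents":
            return 200, {"events": [{"operation": "read", "path": "\\\\fs01\\finance\\q3.xlsx"}], "totalCount": 1}
        if operation_id == "updateAlertStatus" and payload["status"] == "Under Investigation":
            return 200, {"success": True}
        return 400, {"message": "bad request"}
    return call

def respond(device_name, malicious, api_key=API_KEY):
    """Run the workflow against the stub and return its declared outputs."""
    inputs = {"apiKey": api_key, "deviceName": device_name, "lastDays": 14,
              "note": "Device alert involves a known malicious IP; investigating."}
    steps = run_workflow(inputs, make_stub(malicious))
    return {"alertId": steps["getDeviceAlert"]["alertId"],
            "platform": steps["getDeviceAlert"]["platform"],
            "eventCount": steps.get("getEvents", {}).get("eventCount"),
            "statusUpdated": steps.get("markInvestigating", {}).get("statusUpdated")}
```

Calling `respond("FS01", malicious=True)` walks all three steps and returns the alert id, platform, event count and `statusUpdated: True`; with `malicious=False` the `notMalicious` action ends the flow after the first step, so `eventCount` and `statusUpdated` come back as `None`. That second case is worth noticing in the real workflow too: its top-level `outputs` reference `$steps.getEvents.outputs.eventCount` and `$steps.markInvestigating.outputs.statusUpdated`, which are never populated on the non-malicious path, so a consumer of the workflow outputs must treat them as optional. A wrong API key makes the stub answer 401, the `$statusCode == 200` criterion fails and the runner raises, which is the behaviour a real runner should have rather than continuing with an empty response.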