arazzo: 1.0.1
info:
  title: Varonis High-Severity Model Coverage
  summary: List threat models, pull alerts for one model, and annotate its newest alert.
  description: >-
    A coverage-audit workflow that connects threat model definitions to the
    alerts they produce. It lists the configured threat models matching a name
    filter, retrieves the alerts generated by the first matching model, and adds
    a coverage note to the newest alert so the audit is documented against real
    activity. Each step inlines its request so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: datalertApi
    url: ../openapi/varonis-datalert-openapi.yml
    type: openapi
workflows:
  - workflowId: high-severity-model-coverage
    summary: Audit a threat model's alert coverage and annotate its newest alert.
    description: >-
      Lists threat models matching a name filter, retrieves alerts for the first
      matching model, and records a coverage note on the newest alert.
    inputs:
      type: object
      required:
        - apiKey
        - nameFilter
      properties:
        apiKey:
          type: string
          description: Varonis DatAlert API key sent in the X-API-Key header.
        nameFilter:
          type: string
          description: >-
            Threat model name filter. Supports pipe-separated values and
            wildcard characters for pattern matching.
        lastDays:
          type: integer
          description: How many days back to search for alerts.
          default: 30
        note:
          type: string
          description: Coverage note recorded against the newest alert.
          default: Coverage audit confirmed this threat model is generating alerts.
    steps:
      - stepId: listModels
        description: >-
          List the threat models matching the name filter to identify which
          model to audit coverage for.
        operationId: getThreatModels
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
          - name: name
            in: query
            value: $inputs.nameFilter
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          modelName: $response.body#/threatModels/0/name
          modelSeverity: $response.body#/threatModels/0/severity
        onSuccess:
          - name: haveModel
            type: goto
            stepId: getModelAlerts
            criteria:
              - context: $response.body
                condition: $.threatModels.length > 0
                type: jsonpath
          - name: noModel
            type: end
            criteria:
              - context: $response.body
                condition: $.threatModels.length == 0
                type: jsonpath
      - stepId: getModelAlerts
        description: >-
          Retrieve alerts generated by the first matching threat model to
          confirm it is producing detections.
        operationId: getAlerts
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            threatModelName:
              - $steps.listModels.outputs.modelName
            lastDays: $inputs.lastDays
            descendingOrder: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          newestAlertId: $response.body#/alerts/0/id
          totalCount: $response.body#/totalCount
        onSuccess:
          - name: haveAlerts
            type: goto
            stepId: annotateNewest
            criteria:
              - context: $response.body
                condition: $.alerts.length > 0
                type: jsonpath
          - name: noAlerts
            type: end
            criteria:
              - context: $response.body
                condition: $.alerts.length == 0
                type: jsonpath
      - stepId: annotateNewest
        description: >-
          Add a coverage note to the newest alert produced by the audited
          threat model.
        operationId: addAlertNote
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getModelAlerts.outputs.newestAlertId
            note: $inputs.note
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          noteAdded: $response.body#/success
    outputs:
      modelName: $steps.listModels.outputs.modelName
      modelSeverity: $steps.listModels.outputs.modelSeverity
      alertTotalCount: $steps.getModelAlerts.outputs.totalCount
      noteAdded: $steps.annotateNewest.outputs.noteAdded