arazzo: 1.0.1
info:
  title: Varonis Threat Model Hunt
  summary: Resolve a threat model by name, pull its recent alerts, and load the newest alert's events.
  description: >-
    A threat-hunting workflow that pivots from a threat model definition to the
    activity it has detected. It resolves the threat model by name (with wildcard
    support), retrieves recent alerts generated by that model, and then drills
    into the events behind the newest matching alert. Each step inlines its
    request so the flow can be read and executed without opening the underlying
    OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: datalertApi
    url: ../openapi/varonis-datalert-openapi.yml
    type: openapi
workflows:
  - workflowId: threat-model-hunt
    summary: Pivot from a threat model name to its recent alerts and forensic events.
    description: >-
      Looks up a threat model by name, retrieves recent alerts attributed to that
      model name, and loads the events behind the newest matching alert for
      forensic review.
    inputs:
      type: object
      required:
        - apiKey
        - threatModelName
      properties:
        apiKey:
          type: string
          description: Varonis DatAlert API key sent in the X-API-Key header.
        threatModelName:
          type: string
          description: >-
            Threat model name to hunt on. Supports pipe-separated values and
            wildcard characters for pattern matching.
        lastDays:
          type: integer
          description: How many days back to search for alerts.
          default: 30
        maxResults:
          type: integer
          description: Maximum number of alerts to retrieve.
          default: 100
    steps:
      - stepId: resolveThreatModel
        description: >-
          Resolve the threat model definition by name to confirm it exists and to
          capture its category and severity before hunting on its alerts.
        operationId: getThreatModels
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
          - name: name
            in: query
            value: $inputs.threatModelName
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          modelId: $response.body#/threatModels/0/id
          modelName: $response.body#/threatModels/0/name
          modelSeverity: $response.body#/threatModels/0/severity
        onSuccess:
          - name: modelFound
            type: goto
            stepId: getModelAlerts
            criteria:
              - context: $response.body
                condition: $.threatModels.length > 0
                type: jsonpath
          - name: modelMissing
            type: end
            criteria:
              - context: $response.body
                condition: $.threatModels.length == 0
                type: jsonpath
      - stepId: getModelAlerts
        description: >-
          Retrieve recent alerts generated by the resolved threat model name in
          descending time order.
        operationId: getAlerts
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            threatModelName:
              - $steps.resolveThreatModel.outputs.modelName
            lastDays: $inputs.lastDays
            descendingOrder: true
            maxResults: $inputs.maxResults
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          newestAlertId: $response.body#/alerts/0/id
          totalCount: $response.body#/totalCount
        onSuccess:
          - name: haveAlerts
            type: goto
            stepId: getNewestAlertEvents
            criteria:
              - context: $response.body
                condition: $.alerts.length > 0
                type: jsonpath
          - name: noAlerts
            type: end
            criteria:
              - context: $response.body
                condition: $.alerts.length == 0
                type: jsonpath
      - stepId: getNewestAlertEvents
        description: >-
          Load the forensic events behind the newest alert produced by the threat
          model to understand the detected activity.
        operationId: getAlertedEvents
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getModelAlerts.outputs.newestAlertId
            lastDays: $inputs.lastDays
            descendingOrder: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          events: $response.body#/events
          eventCount: $response.body#/totalCount
    outputs:
      modelId: $steps.resolveThreatModel.outputs.modelId
      modelSeverity: $steps.resolveThreatModel.outputs.modelSeverity
      alertTotalCount: $steps.getModelAlerts.outputs.totalCount
      newestAlertId: $steps.getModelAlerts.outputs.newestAlertId
      eventCount: $steps.getNewestAlertEvents.outputs.eventCount