arazzo: 1.0.1
info:
  title: Varonis Triage Newest Alert
  summary: Pull the newest open alert, load its forensic events, and move it into investigation.
  description: >-
    A core DatAlert triage loop for a SOC analyst. The workflow retrieves the most
    recent open alerts for a user or device, selects the newest one, pulls the
    underlying forensic events that drove the detection, and then transitions the
    alert into the Under Investigation status so the rest of the team knows it is
    being worked. Every step inlines its request so the flow can be read and
    executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: datalertApi
    url: ../openapi/varonis-datalert-openapi.yml
    type: openapi
workflows:
  - workflowId: triage-newest-alert
    summary: Find the newest open alert, fetch its events, and mark it Under Investigation.
    description: >-
      Searches DatAlert for open alerts in a recent window, takes the newest alert
      returned, retrieves its alerted events for forensic context, and updates the
      alert status to Under Investigation with a triage note.
    inputs:
      type: object
      required:
        - apiKey
      properties:
        apiKey:
          type: string
          description: Varonis DatAlert API key sent in the X-API-Key header.
        lastDays:
          type: integer
          description: How many days back to search for open alerts.
          default: 7
        maxResults:
          type: integer
          description: Maximum number of alerts to scan when selecting the newest.
          default: 50
        triageNote:
          type: string
          description: Note documenting why the alert is being investigated.
          default: Alert picked up for triage by automated workflow.
    steps:
      - stepId: getOpenAlerts
        description: >-
          Retrieve open alerts from the recent window in descending time order so
          the newest open alert is first in the response.
        operationId: getAlerts
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertStatus:
              - Open
            lastDays: $inputs.lastDays
            descendingOrder: true
            maxResults: $inputs.maxResults
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          alertId: $response.body#/alerts/0/id
          alertSeverity: $response.body#/alerts/0/severity
          totalCount: $response.body#/totalCount
        onSuccess:
          - name: haveAlert
            type: goto
            stepId: getEvents
            criteria:
              - context: $response.body
                condition: $.alerts.length > 0
                type: jsonpath
          - name: noAlerts
            type: end
            criteria:
              - context: $response.body
                condition: $.alerts.length == 0
                type: jsonpath
      - stepId: getEvents
        description: >-
          Retrieve the forensic events behind the selected alert to understand the
          scope of the activity before investigating.
        operationId: getAlertedEvents
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getOpenAlerts.outputs.alertId
            descendingOrder: true
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          events: $response.body#/events
          eventCount: $response.body#/totalCount
      - stepId: markInvestigating
        description: >-
          Transition the alert into Under Investigation status and record a triage
          note so the rest of the team can see it is being worked.
        operationId: updateAlertStatus
        parameters:
          - name: X-API-Key
            in: header
            value: $inputs.apiKey
        requestBody:
          contentType: application/json
          payload:
            alertId: $steps.getOpenAlerts.outputs.alertId
            status: Under Investigation
            note: $inputs.triageNote
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          success: $response.body#/success
          message: $response.body#/message
    outputs:
      alertId: $steps.getOpenAlerts.outputs.alertId
      alertSeverity: $steps.getOpenAlerts.outputs.alertSeverity
      eventCount: $steps.getEvents.outputs.eventCount
      statusUpdated: $steps.markInvestigating.outputs.success
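The three steps above, executed as plain code so the control flow (the 200 success criteria, the `haveAlert`/`noAlerts` branch, and the step-to-step output wiring) can be read and run without an Arazzo engine. This is an added example, not Varonis code and not part of the workflow file: the real DatAlert endpoint paths live in the referenced OpenAPI file and are not on this page, so the runner dispatches by `operationId` through a caller-supplied `call` function, and `FakeDatAlert`, `build_sample` and `triage_newest_alert` are names chosen here. The response shapes of the fake are assumed only from the workflow's own output expressions (`alerts/0/id`, `totalCount`, `events`, `success`, `message`).

```python
"""Offline runner for the triage-newest-alert workflow (added example, not
Varonis code). A constructed in-memory fake stands in for DatAlert so the
loop can be exercised without network access."""
from dataclasses import dataclass, field

STATUS_INVESTIGATING = "Under Investigation"


@dataclass
class FakeDatAlert:
    """Constructed stand-in for the three operations the workflow uses.
    `alerts` is kept newest-first, mirroring what descendingOrder=true returns."""
    alerts: list
    events: dict                      # alertId -> list of forensic event dicts
    status_log: list = field(default_factory=list)

    def call(self, operation_id, headers, payload):
        # The workflow sends the key in the X-API-Key header on every step.
        if headers.get("X-API-Key") != "constructed-key":
            return 401, {"message": "unauthorized"}
        if operation_id == "getAlerts":
            wanted = set(payload["alertStatus"])
            hits = [a for a in self.alerts if a["status"] in wanted]
            hits = hits[: payload["maxResults"]]
            return 200, {"alerts": hits, "totalCount": len(hits)}
        if operation_id == "getAlertedEvents":
            evs = self.events.get(payload["alertId"], [])
            return 200, {"events": evs, "totalCount": len(evs)}
        if operation_id == "updateAlertStatus":
            self.status_log.append((payload["alertId"], payload["status"], payload["note"]))
            for a in self.alerts:
                if a["id"] == payload["alertId"]:
                    a["status"] = payload["status"]
            return 200, {"success": True, "message": "status updated"}
        return 404, {"message": f"unknown operationId {operation_id}"}


def build_sample():
    """Constructed sample data: two open alerts (newest first) and their events."""
    return FakeDatAlert(
        alerts=[
            {"id": "ALERT-2", "severity": "High", "status": "Open"},
            {"id": "ALERT-1", "severity": "Medium", "status": "Open"},
        ],
        events={
            "ALERT-2": [{"id": "EV-20", "eventType": "file read"},
                        {"id": "EV-21", "eventType": "file read"}],
            "ALERT-1": [{"id": "EV-10", "eventType": "permission change"}],
        },
    )


def triage_newest_alert(call, api_key, last_days=7, max_results=50,
                        triage_note="Alert picked up for triage by automated workflow."):
    """Run getOpenAlerts -> getEvents -> markInvestigating.
    Returns the workflow outputs, or None when the noAlerts branch ends the run."""
    headers = {"X-API-Key": api_key}

    # Step getOpenAlerts: successCriteria is $statusCode == 200.
    code, body = call("getAlerts", headers, {
        "alertStatus": ["Open"], "lastDays": last_days,
        "descendingOrder": True, "maxResults": max_results})
    if code != 200:
        raise RuntimeError(f"getAlerts failed: {code} {body}")
    if len(body["alerts"]) == 0:          # noAlerts: type end
        return None
    alert = body["alerts"][0]             # haveAlert: $response.body#/alerts/0

    # Step getEvents, keyed on $steps.getOpenAlerts.outputs.alertId.
    code, body = call("getAlertedEvents", headers,
                      {"alertId": alert["id"], "descendingOrder": True})
    if code != 200:
        raise RuntimeError(f"getAlertedEvents failed: {code} {body}")
    event_count = body["totalCount"]

    # Step markInvestigating: status change plus the triage note.
    code, body = call("updateAlertStatus", headers, {
        "alertId": alert["id"], "status": STATUS_INVESTIGATING, "note": triage_note})
    if code != 200:
        raise RuntimeError(f"updateAlertStatus failed: {code} {body}")

    # Workflow-level outputs.
    return {"alertId": alert["id"], "alertSeverity": alert["severity"],
            "eventCount": event_count, "statusUpdated": body["success"]}


if __name__ == "__main__":
    fake = build_sample()
    # Each run picks the newest alert still Open, so repeated runs drain the queue.
    while (result := triage_newest_alert(fake.call, "constructed-key")) is not None:
        print(result)
```

Running the script drains the constructed queue newest-first (ALERT-2, then ALERT-1) and then stops on the `noAlerts` branch; a wrong key surfaces as a failed success criterion on the first step rather than a silent empty result, which is the behaviour a SOC automation should have so that an expired key is noticed instead of looking like a quiet day.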