naftiko: 1.0.0-alpha2 info: label: Varonis Threat Detection and Response description: Unified workflow capability for SOC analysts performing threat detection, alert triage, and incident response using the Varonis DatAlert API. Combines alert management, forensic event investigation, and threat model reference into a single AI-accessible interface. tags: - Varonis - Data Security - Threat Detection - Incident Response - Security Operations - SOC created: '2026-05-03' modified: '2026-05-06' binds: - namespace: env keys: VARONIS_API_KEY: VARONIS_API_KEY capability: consumes: - type: http namespace: varonis-datalert baseUri: https://{domain}/api description: Varonis DatAlert REST API for threat detection and security alert management. authentication: type: apikey key: X-API-Key value: '{{VARONIS_API_KEY}}' placement: header resources: - name: alerts path: /threatdetection/api/alert/alert description: Security alerts generated by DatAlert threat detection engine. operations: - name: get-alerts method: POST description: Retrieve alerts based on filter criteria including threat model, time range, severity, and status. inputParameters: - name: threatModelName in: body type: array required: false description: Filter by threat model names. - name: startTime in: body type: string required: false description: Start of time range for alert retrieval in ISO 8601 format. - name: endTime in: body type: string required: false description: End of time range for alert retrieval in ISO 8601 format. - name: alertStatus in: body type: array required: false description: Filter by alert status values. - name: alertSeverity in: body type: array required: false description: Filter by alert severity levels. - name: maxResults in: body type: integer required: false description: Maximum number of alerts to return. - name: offset in: body type: integer required: false description: Number of alerts to skip for pagination. outputRawFormat: json outputParameters: - name: alerts type: array value: $.alerts - name: totalCount type: integer value: $.totalCount body: type: json data: maxResults: '{{tools.maxResults}}' offset: '{{tools.offset}}' alertStatus: '{{tools.alertStatus}}' alertSeverity: '{{tools.alertSeverity}}' lastDays: '{{tools.lastDays}}' - name: update-alert-status method: POST description: Update the status of an existing alert to Open or Under Investigation. inputParameters: - name: alertId in: body type: string required: true description: Unique identifier of the alert to update. - name: status in: body type: string required: true description: New status for the alert. - name: note in: body type: string required: false description: Optional note documenting the reason for the status change. outputRawFormat: json outputParameters: - name: result type: object value: $. body: type: json data: alertId: '{{tools.alertId}}' status: '{{tools.status}}' note: '{{tools.note}}' - name: close-alert method: POST description: Close an alert with a specified resolution reason. inputParameters: - name: alertId in: body type: string required: true description: Unique identifier of the alert to close. - name: closeReason in: body type: string required: true description: Reason for closing the alert. - name: note in: body type: string required: false description: Optional note providing additional context. outputRawFormat: json outputParameters: - name: result type: object value: $. body: type: json data: alertId: '{{tools.alertId}}' closeReason: '{{tools.closeReason}}' note: '{{tools.note}}' - name: add-alert-note method: POST description: Add an investigation note to an existing alert. inputParameters: - name: alertId in: body type: string required: true description: Unique identifier of the alert. - name: note in: body type: string required: true description: Text content of the note. outputRawFormat: json outputParameters: - name: result type: object value: $. body: type: json data: alertId: '{{tools.alertId}}' note: '{{tools.note}}' - name: events path: /threatdetection/api/alert/alert description: Forensic event data associated with security alerts. operations: - name: get-alerted-events method: POST description: Retrieve underlying events associated with a specific alert for forensic investigation. inputParameters: - name: alertId in: body type: string required: true description: Unique identifier of the alert to retrieve events for. - name: lastDays in: body type: integer required: false description: Retrieve events from the last N days. outputRawFormat: json outputParameters: - name: events type: array value: $.events - name: totalCount type: integer value: $.totalCount body: type: json data: alertId: '{{tools.alertId}}' lastDays: '{{tools.lastDays}}' - name: threat-models path: /threatdetection/api/alert/alert description: Threat model definitions used to generate alerts. operations: - name: get-threat-models method: GET description: Retrieve threat models configured in Varonis DatAlert. inputParameters: - name: name in: query type: string required: false description: Filter threat models by name with wildcard support. outputRawFormat: json outputParameters: - name: threatModels type: array value: $.threatModels exposes: - type: rest port: 8080 namespace: varonis-threat-response-api description: Unified REST API for Varonis threat detection and incident response workflows. resources: - path: /v1/alerts name: alerts description: Security alerts from Varonis DatAlert threat detection. operations: - method: POST name: get-alerts description: Retrieve security alerts with filtering by threat model, severity, status, and time range. call: varonis-datalert.get-alerts with: maxResults: rest.maxResults offset: rest.offset alertStatus: rest.alertStatus alertSeverity: rest.alertSeverity lastDays: rest.lastDays outputParameters: - type: object mapping: $. - path: /v1/alerts/{alertId}/status name: alert-status description: Alert status management. operations: - method: PUT name: update-alert-status description: Update an alert status to Open or Under Investigation. call: varonis-datalert.update-alert-status with: alertId: rest.alertId status: rest.status note: rest.note outputParameters: - type: object mapping: $. - path: /v1/alerts/{alertId}/close name: alert-close description: Close a security alert with resolution reason. operations: - method: POST name: close-alert description: Close an alert with a specified resolution reason. call: varonis-datalert.close-alert with: alertId: rest.alertId closeReason: rest.closeReason note: rest.note outputParameters: - type: object mapping: $. - path: /v1/alerts/{alertId}/notes name: alert-notes description: Investigation notes on alerts. operations: - method: POST name: add-alert-note description: Add an investigation note to an alert. call: varonis-datalert.add-alert-note with: alertId: rest.alertId note: rest.note outputParameters: - type: object mapping: $. - path: /v1/alerts/{alertId}/events name: alert-events description: Forensic events associated with a security alert. operations: - method: GET name: get-alerted-events description: Retrieve forensic events associated with an alert for investigation. call: varonis-datalert.get-alerted-events with: alertId: rest.alertId lastDays: rest.lastDays outputParameters: - type: object mapping: $. - path: /v1/threat-models name: threat-models description: Threat model definitions used to generate alerts. operations: - method: GET name: get-threat-models description: List threat models configured in Varonis DatAlert. call: varonis-datalert.get-threat-models with: name: rest.name outputParameters: - type: object mapping: $. - type: mcp port: 9090 namespace: varonis-threat-response-mcp transport: http description: MCP server for AI-assisted Varonis threat detection and incident response workflows. tools: - name: get-alerts description: Retrieve Varonis DatAlert security alerts with filtering by threat model, severity, status, and time range. hints: readOnly: true openWorld: false call: varonis-datalert.get-alerts with: maxResults: tools.maxResults offset: tools.offset alertStatus: tools.alertStatus alertSeverity: tools.alertSeverity lastDays: tools.lastDays outputParameters: - type: object mapping: $. - name: update-alert-status description: Update the status of a Varonis DatAlert alert to Open or Under Investigation, with optional investigation note. hints: readOnly: false idempotent: true call: varonis-datalert.update-alert-status with: alertId: tools.alertId status: tools.status note: tools.note outputParameters: - type: object mapping: $. - name: close-alert description: Close a Varonis DatAlert alert with a resolution reason such as Resolved, Legitimate activity, or Misconfiguration. hints: readOnly: false idempotent: false call: varonis-datalert.close-alert with: alertId: tools.alertId closeReason: tools.closeReason note: tools.note outputParameters: - type: object mapping: $. - name: add-alert-note description: Add an investigation note to a Varonis DatAlert alert to document findings and remediation steps. hints: readOnly: false idempotent: false call: varonis-datalert.add-alert-note with: alertId: tools.alertId note: tools.note outputParameters: - type: object mapping: $. - name: get-alerted-events description: Retrieve forensic events associated with a Varonis alert for threat hunting and incident investigation. hints: readOnly: true openWorld: true call: varonis-datalert.get-alerted-events with: alertId: tools.alertId lastDays: tools.lastDays outputParameters: - type: object mapping: $. - name: get-threat-models description: List Varonis DatAlert threat model definitions including category, severity, and MITRE ATT&CK alignment. hints: readOnly: true openWorld: false call: varonis-datalert.get-threat-models with: name: tools.name outputParameters: - type: object mapping: $.