Cross-Provider Workflow

Palo Alto Cortex XDR Endpoint Isolation and Slack Notify

Version 1.0.0

Read Cortex XDR alerts, isolate a compromised endpoint, and notify Slack.

1 workflow, 2 source APIs, 2 providers

Providers Orchestrated

palo-alto-networks, slack

Workflows

isolate-endpoint-notify
Read Cortex XDR alerts, isolate an endpoint, and notify Slack.
Retrieves Cortex XDR alerts, isolates a compromised endpoint to contain the threat, and posts a Slack containment notification.
3 steps. Inputs: endpointId, slackChannel. Outputs: actionId, alertCount, messageTs

1. get-alerts ($sourceDescriptions.cortexXdrApi.getAlerts): Retrieve alerts from Cortex XDR.
2. isolate-endpoint ($sourceDescriptions.cortexXdrApi.isolateEndpoints): Isolate the compromised endpoint to contain the threat.
3. notify-slack ($sourceDescriptions.slackChatApi.postChatPostmessage): Post a Slack notification confirming endpoint containment.

Source API Descriptions

Arazzo Workflow Specification

sec-cortex-xdr-isolate-endpoint-notify.yml
arazzo: 1.0.1
info:
  title: Palo Alto Cortex XDR Endpoint Isolation and Slack Notify
  summary: Read Cortex XDR alerts, isolate a compromised endpoint, and notify Slack.
  description: >-
    An incident containment workflow that retrieves alerts from Palo Alto Networks Cortex XDR,
    isolates a compromised endpoint to contain the threat, and posts a containment notification
    to a Slack channel so responders are informed. Demonstrates orchestrating an extended
    detection and response platform with a chat platform in a single Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: cortexXdrApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-cortex-xdr-api-openapi-original.yml
    type: openapi
  - name: slackChatApi
    url: https://raw.githubusercontent.com/api-evangelist/slack/refs/heads/main/openapi/slack-chat-openapi.yml
    type: openapi
workflows:
  - workflowId: isolate-endpoint-notify
    summary: Read Cortex XDR alerts, isolate an endpoint, and notify Slack.
    description: >-
      Retrieves Cortex XDR alerts, isolates a compromised endpoint to contain the threat, and
      posts a Slack containment notification.
    inputs:
      type: object
      properties:
        endpointId:
          type: string
        slackChannel:
          type: string
    steps:
      - stepId: get-alerts
        description: Retrieve alerts from Cortex XDR.
        operationId: $sourceDescriptions.cortexXdrApi.getAlerts
        requestBody:
          contentType: application/json
          payload:
            request_data:
              filters: []
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          alertCount: $response.body#/reply/total_count
      - stepId: isolate-endpoint
        description: Isolate the compromised endpoint to contain the threat.
        operationId: $sourceDescriptions.cortexXdrApi.isolateEndpoints
        requestBody:
          contentType: application/json
          payload:
            request_data:
              endpoint_id: $inputs.endpointId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          actionId: $response.body#/reply/action_id
      - stepId: notify-slack
        description: Post a Slack notification confirming endpoint containment.
        operationId: $sourceDescriptions.slackChatApi.postChatPostmessage
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            channel: $inputs.slackChannel
            text: A compromised endpoint was isolated via Cortex XDR.
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          messageTs: $response.body#/ts
    outputs:
      alertCount: $steps.get-alerts.outputs.alertCount
      actionId: $steps.isolate-endpoint.outputs.actionId
      messageTs: $steps.notify-slack.outputs.messageTs
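The following is an added example, not code from this repository: a minimal executor for the three steps above that resolves the step-level runtime expressions the spec relies on ($inputs.*, $statusCode, $response.body#/json-pointer) and enforces successCriteria fail-closed, so the isolate call never follows a failed alert lookup and the Slack notice never follows a failed isolation. STEPS is a hand-transcribed Python mirror of the YAML, and stub_transport returns constructed responses standing in for Cortex XDR and Slack.

```python
STEPS = [  # constructed Python mirror of the YAML steps above; op = operation name
    {"stepId": "get-alerts", "op": "getAlerts",
     "payload": {"request_data": {"filters": []}},
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"alertCount": "$response.body#/reply/total_count"}},
    {"stepId": "isolate-endpoint", "op": "isolateEndpoints",
     "payload": {"request_data": {"endpoint_id": "$inputs.endpointId"}},
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"actionId": "$response.body#/reply/action_id"}},
    {"stepId": "notify-slack", "op": "postChatPostmessage",
     "payload": {"channel": "$inputs.slackChannel", "text": "A compromised endpoint was isolated via Cortex XDR."},
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"messageTs": "$response.body#/ts"}},
]

def json_pointer(doc, pointer):  # RFC 6901 lookup behind '$response.body#/reply/action_id'
    for part in pointer.lstrip("/").split("/"):
        part = part.replace("~1", "/").replace("~0", "~")
        doc = doc[int(part)] if isinstance(doc, list) else doc[part]
    return doc

def resolve(value, inputs, response):
    """Resolve $inputs.*, $statusCode and $response.body#...; recurse into payload dicts."""
    if isinstance(value, dict):
        return {k: resolve(v, inputs, response) for k, v in value.items()}
    if not isinstance(value, str) or not value.startswith("$"):
        return value                                  # literal, e.g. the Slack text
    if value.startswith("$inputs."):
        return inputs[value[len("$inputs."):]]
    if value == "$statusCode":
        return response["status"]
    if value.startswith("$response.body#"):
        return json_pointer(response["body"], value.split("#", 1)[1])
    raise ValueError(f"unsupported runtime expression: {value}")

def run_workflow(steps, inputs, transport):
    """Run steps in order; return collected outputs, plus 'failedStep' if a step's criteria fail."""
    outputs = {}
    for step in steps:
        response = transport(step["op"], resolve(step["payload"], inputs, None))
        for cond in step["successCriteria"]:
            lhs, op, rhs = cond.split()               # e.g. '$statusCode == 200'
            ok = {"==": lambda a, b: a == b, ">": lambda a, b: a > b}[op]
            if not ok(resolve(lhs, inputs, response), int(rhs)):
                return {"failedStep": step["stepId"], **outputs}   # stop: later steps never run
        outputs.update({k: resolve(v, inputs, response) for k, v in step["outputs"].items()})
    return outputs

def stub_transport(op, payload):  # constructed API responses; payload is ignored by the stub
    return {"getAlerts": {"status": 200, "body": {"reply": {"total_count": 3}}},
            "isolateEndpoints": {"status": 200, "body": {"reply": {"action_id": 1234}}},
            "postChatPostmessage": {"status": 200, "body": {"ok": True, "ts": "1700000000.000100"}}}[op]
```

Swapping stub_transport for a real HTTP client is the only change needed to drive the actual APIs; a 4xx from Cortex XDR on the first step returns {"failedStep": "get-alerts"} before any isolation request is sent.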