Cross-Provider Workflow

Highlight.io Session Ingestion to Cortex XSOAR Incident

Version 1.0.0

Ingest a Highlight.io session error and open a Cortex XSOAR incident for response.

1 workflow, 2 source APIs, 2 providers

Providers Orchestrated

highlight-io, palo-alto-networks

Workflows

session-error-to-soar
Ingest a Highlight.io session error and open a Cortex XSOAR incident.
Records a session error into Highlight.io via its public graph mutation API and creates a Cortex XSOAR incident to drive investigation.
2 steps. Inputs: errorMessage, sessionSecureId. Outputs: incidentId, ingestStatus.

1. ingest-session
   Operation: $sourceDescriptions.highlightSessionApi.executePublicGraphMutation
   Record a session error into Highlight.io via the public graph mutation API.
2. create-incident
   Operation: $sourceDescriptions.cortexXsoarApi.createIncident
   Create a Cortex XSOAR incident for the suspicious session behavior.

Arazzo Workflow Specification

sec-highlight-session-error-to-xsoar.yml
arazzo: 1.0.1
info:
  title: Highlight.io Session Ingestion to Cortex XSOAR Incident
  summary: Ingest a Highlight.io session error and open a Cortex XSOAR incident for response.
  description: >-
    An observability-to-response workflow that records a session error into Highlight.io
    through its public graph ingestion API, then creates an incident in Palo Alto Networks
    Cortex XSOAR so a security automation playbook can investigate suspicious client behavior.
    Demonstrates orchestrating a session observability platform with a SOAR platform in a
    single Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: highlightSessionApi
    url: https://raw.githubusercontent.com/api-evangelist/highlight-io/refs/heads/main/openapi/highlight-session-ingestion-api-openapi.yml
    type: openapi
  - name: cortexXsoarApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-cortex-xsoar-api-openapi-original.yml
    type: openapi
workflows:
  - workflowId: session-error-to-soar
    summary: Ingest a Highlight.io session error and open a Cortex XSOAR incident.
    description: >-
      Records a session error into Highlight.io via its public graph mutation API and creates
      a Cortex XSOAR incident to drive investigation.
    inputs:
      type: object
      properties:
        sessionSecureId:
          type: string
        errorMessage:
          type: string
    steps:
      - stepId: ingest-session
        description: Record a session error into Highlight.io via the public graph mutation API.
        operationId: $sourceDescriptions.highlightSessionApi.executePublicGraphMutation
        requestBody:
          contentType: application/json
          payload:
            query: "mutation pushPayload($session_secure_id: String!) { pushPayload(session_secure_id: $session_secure_id) }"
            variables:
              session_secure_id: $inputs.sessionSecureId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          ingestStatus: $statusCode
      - stepId: create-incident
        description: Create a Cortex XSOAR incident for the suspicious session behavior.
        operationId: $sourceDescriptions.cortexXsoarApi.createIncident
        requestBody:
          contentType: application/json
          payload:
            name: Highlight.io session error requires review
            type: Unclassified
            severity: 2
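            # Carry both workflow inputs into the incident so the responder can locate the session.
            details: "Highlight.io session {$inputs.sessionSecureId} reported an error that needs security review: {$inputs.errorMessage}"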
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          incidentId: $response.body#/id
    outputs:
      ingestStatus: $steps.ingest-session.outputs.ingestStatus
      incidentId: $steps.create-incident.outputs.incidentId