Cross-Provider Workflow

Palo Alto Cortex XDR Incident to GitHub Issue

Version 1.0.0

Pull a Cortex XDR incident with extra data and open a GitHub tracking issue.

1 workflow, 2 source APIs, 2 providers

Providers Orchestrated

palo-alto-networks github

Workflows

xdr-incident-to-issue
Get a Cortex XDR incident and its detail, then open a GitHub issue.
Retrieves incidents from Cortex XDR, pulls extra data for an incident, and creates a GitHub issue to track the investigation.
3 steps. Inputs: incidentId, owner, repo. Outputs: issueUrl, severity.
1. get-incidents ($sourceDescriptions.cortexXdrApi.getIncidents): Retrieve open incidents from Cortex XDR.
2. get-incident-detail ($sourceDescriptions.cortexXdrApi.getIncidentExtraData): Fetch extended detail for the targeted Cortex XDR incident.
3. open-issue ($sourceDescriptions.githubRepoIssuesApi.createAnIssue): Open a GitHub issue to track the Cortex XDR incident.

Source API Descriptions

Arazzo Workflow Specification

sec-palo-cortex-xdr-incident-to-github-issue.yml
arazzo: 1.0.1
info:
  title: Palo Alto Cortex XDR Incident to GitHub Issue
  summary: Pull a Cortex XDR incident with extra data and open a GitHub tracking issue.
  description: >-
    A security operations workflow that retrieves open incidents from Palo Alto Networks
    Cortex XDR, fetches the extended detail for the most relevant incident, and opens a
    GitHub issue so the engineering team can track investigation and remediation.
    Demonstrates orchestrating an extended detection and response platform with a code host
    in a single Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: cortexXdrApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-cortex-xdr-api-openapi-original.yml
    type: openapi
  - name: githubRepoIssuesApi
    url: https://raw.githubusercontent.com/api-evangelist/github/refs/heads/main/openapi/github-repo-issues-api-openapi.yml
    type: openapi
workflows:
  - workflowId: xdr-incident-to-issue
    summary: Get a Cortex XDR incident and its detail, then open a GitHub issue.
    description: >-
      Retrieves incidents from Cortex XDR, pulls extra data for an incident, and creates a
      GitHub issue to track the investigation.
    inputs:
      type: object
      properties:
        incidentId:
          type: string
        owner:
          type: string
        repo:
          type: string
    steps:
      - stepId: get-incidents
        description: Retrieve open incidents from Cortex XDR.
        operationId: $sourceDescriptions.cortexXdrApi.getIncidents
        requestBody:
          contentType: application/json
          payload:
            request_data:
              filters: []
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          totalCount: $response.body#/reply/total_count
      - stepId: get-incident-detail
        description: Fetch extended detail for the targeted Cortex XDR incident.
        operationId: $sourceDescriptions.cortexXdrApi.getIncidentExtraData
        requestBody:
          contentType: application/json
          payload:
            request_data:
              incident_id: $inputs.incidentId
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          severity: $response.body#/reply/incident/severity
          description: $response.body#/reply/incident/description
      - stepId: open-issue
        description: Open a GitHub issue to track the Cortex XDR incident.
        operationId: $sourceDescriptions.githubRepoIssuesApi.createAnIssue
        parameters:
          - name: owner
            in: path
            value: $inputs.owner
          - name: repo
            in: path
            value: $inputs.repo
        requestBody:
          contentType: application/json
          payload:
            title: Cortex XDR incident requires investigation
            body: A Cortex XDR incident was detected and needs engineering follow-up.
            labels:
              - security
              - incident
        successCriteria:
          - condition: $statusCode == 201
        outputs:
          issueNumber: $response.body#/number
          issueUrl: $response.body#/html_url
    outputs:
      severity: $steps.get-incident-detail.outputs.severity
      issueUrl: $steps.open-issue.outputs.issueUrl
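To show how the runtime expressions in this spec ($statusCode, $response.body#/..., $steps.<id>.outputs.<name>) are evaluated during execution, the following Python is an added example, not code from this catalogue or from the Arazzo project: it runs the three steps against constructed mock responses, enforces each successCriteria before the next step (so no GitHub issue is filed when an incident lookup fails), and assembles the workflow outputs. The mock response bodies, the MOCK/STEPS/WORKFLOW_OUTPUTS structures and the run_workflow function are all assumptions of this example and only mirror the JSON paths the spec references.

```python
import re

# Constructed mock responses keyed by operationId (stand-ins for live Cortex XDR / GitHub calls).
MOCK = {
    "cortexXdrApi.getIncidents": (200, {"reply": {"total_count": 1, "incidents": [{"incident_id": "42"}]}}),
    "cortexXdrApi.getIncidentExtraData": (200, {"reply": {"incident": {
        "severity": "high", "description": "Constructed sample: suspicious process on WS-01"}}}),
    "githubRepoIssuesApi.createAnIssue": (201, {"number": 7, "html_url": "https://github.com/example-org/example-repo/issues/7"}),
}
# The three steps of xdr-incident-to-issue, reduced to (stepId, operationId, successCriteria, outputs).
STEPS = [
    ("get-incidents", "cortexXdrApi.getIncidents", "$statusCode == 200",
     {"totalCount": "$response.body#/reply/total_count"}),
    ("get-incident-detail", "cortexXdrApi.getIncidentExtraData", "$statusCode == 200",
     {"severity": "$response.body#/reply/incident/severity",
      "description": "$response.body#/reply/incident/description"}),
    ("open-issue", "githubRepoIssuesApi.createAnIssue", "$statusCode == 201",
     {"issueNumber": "$response.body#/number", "issueUrl": "$response.body#/html_url"}),
]
WORKFLOW_OUTPUTS = {"severity": "$steps.get-incident-detail.outputs.severity",
                    "issueUrl": "$steps.open-issue.outputs.issueUrl"}

def json_pointer(doc, pointer):
    """Resolve an RFC 6901 JSON pointer such as /reply/incident/severity."""
    for token in pointer.split("/")[1:]:
        token = token.replace("~1", "/").replace("~0", "~")
        doc = doc[int(token)] if isinstance(doc, list) else doc[token]
    return doc

def resolve(expr, ctx):
    """Evaluate the Arazzo runtime expressions this spec uses; anything else passes through."""
    if expr == "$statusCode":
        return ctx["status"]
    if expr.startswith("$response.body#"):
        return json_pointer(ctx["body"], expr.split("#", 1)[1])
    m = re.fullmatch(r"\$steps\.([\w-]+)\.outputs\.(\w+)", expr)
    if m:
        return ctx["steps"][m.group(1)][m.group(2)]
    return expr

def run_workflow(responses=MOCK):
    """Run the steps in order, enforce each successCriteria, then build the workflow outputs."""
    ctx = {"steps": {}}
    for step_id, op, criterion, outputs in STEPS:
        ctx["status"], ctx["body"] = responses[op]
        lhs, rhs = (s.strip() for s in criterion.split("=="))
        # Stop at the first failed criterion: later steps (the GitHub issue) must not run.
        if str(resolve(lhs, ctx)) != rhs:
            raise RuntimeError(f"step {step_id} failed its successCriteria: {criterion}")
        ctx["steps"][step_id] = {k: resolve(v, ctx) for k, v in outputs.items()}
    return {k: resolve(v, ctx) for k, v in WORKFLOW_OUTPUTS.items()}
```

Note that the spec surfaces severity and description as outputs but fills the issue title and body with fixed text, so an operator who wants the incident detail in the ticket would have to feed those outputs into the open-issue payload.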