Cross-Provider Workflow

Palo Alto Threat Vault and Security Advisory to Slack

Version 1.0.0

Look up a threat in Threat Vault, fetch its CVE advisory, and alert Slack.

1 workflow 3 source APIs 2 providers

Providers Orchestrated

palo-alto-networks slack

Workflows

threat-lookup-and-brief
Query Threat Vault, fetch the CVE advisory, and post a Slack briefing.
Queries Palo Alto Threat Vault for a threat, retrieves the matching security advisory by CVE, and posts a threat briefing to a Slack channel.
3 steps · inputs: cve, slackChannel, threatName · outputs: messageTs, threatCount
1. get-threats ($sourceDescriptions.threatVaultApi.getThreats): Query Threat Vault for threat signatures matching the search.
2. get-advisory ($sourceDescriptions.securityAdvisoryApi.getAdvisoryByCVE): Retrieve the security advisory matching the CVE identifier.
3. brief-slack ($sourceDescriptions.slackChatApi.postChatPostmessage): Post the threat briefing to a Slack channel.

Source API Descriptions

Arazzo Workflow Specification

sec-palo-threat-vault-advisory-to-slack.yml
arazzo: 1.0.1
info:
  title: Palo Alto Threat Vault and Security Advisory to Slack
  summary: Look up a threat in Threat Vault, fetch its CVE advisory, and alert Slack.
  description: >-
    A threat intelligence workflow that queries Palo Alto Networks Threat Vault for threat
    signatures, retrieves the corresponding security advisory by CVE, and posts a threat
    briefing to a Slack channel so the security team can assess exposure. Demonstrates
    orchestrating two Palo Alto Networks intelligence APIs with a chat platform in a single
    Arazzo workflow.
  version: 1.0.0
sourceDescriptions:
  - name: threatVaultApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-threat-vault-api-openapi-original.yml
    type: openapi
  - name: securityAdvisoryApi
    url: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/openapi/palo-alto-security-advisory-api-openapi-original.yml
    type: openapi
  - name: slackChatApi
    url: https://raw.githubusercontent.com/api-evangelist/slack/refs/heads/main/openapi/slack-chat-openapi.yml
    type: openapi
workflows:
  - workflowId: threat-lookup-and-brief
    summary: Query Threat Vault, fetch the CVE advisory, and post a Slack briefing.
    description: >-
      Queries Palo Alto Threat Vault for a threat, retrieves the matching security advisory
      by CVE, and posts a threat briefing to a Slack channel.
    inputs:
      type: object
      properties:
        threatName:
          type: string
        cve:
          type: string
        slackChannel:
          type: string
    steps:
      - stepId: get-threats
        description: Query Threat Vault for threat signatures matching the search.
        operationId: $sourceDescriptions.threatVaultApi.getThreats
        parameters:
          - name: name
            in: query
            value: $inputs.threatName
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          threatCount: $response.body#/count
      - stepId: get-advisory
        description: Retrieve the security advisory matching the CVE identifier.
        operationId: $sourceDescriptions.securityAdvisoryApi.getAdvisoryByCVE
        parameters:
          - name: cve
            in: path
            value: $inputs.cve
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          advisorySeverity: $response.body#/data/severity
      - stepId: brief-slack
        description: Post the threat briefing to a Slack channel.
        operationId: $sourceDescriptions.slackChatApi.postChatPostmessage
        requestBody:
          contentType: application/x-www-form-urlencoded
          payload:
            channel: $inputs.slackChannel
            text: New Palo Alto threat intelligence briefing is available for review.
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          messageTs: $response.body#/ts
    outputs:
      threatCount: $steps.get-threats.outputs.threatCount
      messageTs: $steps.brief-slack.outputs.messageTs
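The spec above chains its three steps entirely through Arazzo runtime expressions: `$inputs.*` feeds request parameters, `$statusCode` drives `successCriteria`, `$response.body#/...` JSON pointers populate step outputs, and `$steps.<id>.outputs.<name>` lifts those into the workflow outputs. The following is an added example, not part of the catalogue entry and not code from Palo Alto Networks, Slack or any Arazzo runtime: a minimal interpreter for exactly the expression forms this workflow uses, run against constructed inputs and constructed HTTP responses so the chaining can be inspected offline. The step definitions mirror the YAML verbatim; the response body shapes (`count`, `data/severity`, `ts`) are assumptions chosen so the spec's pointers resolve, not documented API payloads, and no network call is made.

```python
import re

# Mirrors the `steps:` and `outputs:` sections of the spec above (operationIds verbatim).
STEPS = [
    {"stepId": "get-threats",
     "operationId": "$sourceDescriptions.threatVaultApi.getThreats",
     "parameters": [{"name": "name", "in": "query", "value": "$inputs.threatName"}],
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"threatCount": "$response.body#/count"}},
    {"stepId": "get-advisory",
     "operationId": "$sourceDescriptions.securityAdvisoryApi.getAdvisoryByCVE",
     "parameters": [{"name": "cve", "in": "path", "value": "$inputs.cve"}],
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"advisorySeverity": "$response.body#/data/severity"}},
    {"stepId": "brief-slack",
     "operationId": "$sourceDescriptions.slackChatApi.postChatPostmessage",
     "requestBody": {"channel": "$inputs.slackChannel",
                     "text": "New Palo Alto threat intelligence briefing is available for review."},
     "successCriteria": ["$statusCode == 200"],
     "outputs": {"messageTs": "$response.body#/ts"}},
]
WORKFLOW_OUTPUTS = {"threatCount": "$steps.get-threats.outputs.threatCount",
                    "messageTs": "$steps.brief-slack.outputs.messageTs"}

# Constructed inputs and HTTP responses. The body shapes are assumptions chosen so
# the spec's JSON pointers resolve; they are not documented Palo Alto or Slack payloads.
SAMPLE_INPUTS = {"threatName": "example-signature", "cve": "CVE-0000-00000",
                 "slackChannel": "C0000000000"}
SAMPLE_RESPONSES = {
    "get-threats": {"statusCode": 200, "body": {"success": True, "count": 2, "data": []}},
    "get-advisory": {"statusCode": 200, "body": {"data": {"severity": "HIGH"}}},
    "brief-slack": {"statusCode": 200, "body": {"ok": True, "ts": "1700000000.000100"}},
}


def json_pointer(doc, pointer):
    """Resolve the RFC 6901 pointer that follows '#' in $response.body#/... expressions."""
    node = doc
    for token in filter(None, pointer.split("/")):
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def resolve(expr, ctx):
    """Evaluate the runtime expression forms this spec uses; other strings are literals."""
    if not isinstance(expr, str) or not expr.startswith("$"):
        return expr
    if expr == "$statusCode":
        return ctx["response"]["statusCode"]
    if expr.startswith("$inputs."):
        return ctx["inputs"][expr[len("$inputs."):]]
    if expr.startswith("$response.body"):
        return json_pointer(ctx["response"]["body"], expr.partition("#")[2])
    m = re.fullmatch(r"\$steps\.([\w-]+)\.outputs\.(\w+)", expr)
    if m:
        return ctx["steps"][m.group(1)]["outputs"][m.group(2)]
    raise ValueError(f"unsupported runtime expression: {expr}")


def condition_holds(cond, ctx):
    """Evaluate a successCriteria condition of the form '<expression> == <literal>'."""
    lhs, rhs = (part.strip() for part in cond.split("==", 1))
    return str(resolve(lhs, ctx)) == rhs


def run_workflow(inputs, responses, steps=STEPS, workflow_outputs=WORKFLOW_OUTPUTS):
    """Chain the steps; a step's outputs are exposed only after its successCriteria hold."""
    ctx = {"inputs": inputs, "steps": {}, "response": None}
    requests = []
    for step in steps:
        ctx["response"] = None  # the previous step's response is out of scope here
        request = {"operationId": step["operationId"],
                   "parameters": {p["name"]: resolve(p["value"], ctx)
                                  for p in step.get("parameters", [])},
                   "body": {k: resolve(v, ctx) for k, v in step.get("requestBody", {}).items()}}
        requests.append(request)
        ctx["response"] = responses[step["stepId"]]  # stand-in for the real HTTP call
        for cond in step["successCriteria"]:
            if not condition_holds(cond, ctx):
                raise RuntimeError(f"step {step['stepId']} failed successCriteria: {cond}")
        ctx["steps"][step["stepId"]] = {"outputs": {k: resolve(v, ctx)
                                                    for k, v in step["outputs"].items()}}
    return {"requests": requests, "steps": ctx["steps"],
            "outputs": {k: resolve(v, ctx) for k, v in workflow_outputs.items()}}
```

Running `run_workflow(SAMPLE_INPUTS, SAMPLE_RESPONSES)` yields the two workflow outputs and the resolved request for each step. Two properties of the spec become visible in the trace: a non-200 status on any step stops the chain before that step's outputs exist, so a failed advisory lookup never produces a Slack post; and `advisorySeverity` is resolved by `get-advisory` but referenced by neither the Slack `text` (a fixed string) nor the workflow `outputs`, so the severity and the threat count never reach the channel unless a later revision of the spec interpolates them into the message.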