Varonis · Arazzo Workflow

Varonis Device Malicious IP Response

Version 1.0.0

Pull a device's newest alert, and if it involves a malicious IP, fetch events and investigate.

1 workflow · 1 source API · 1 provider

Provider

varonis

Workflows

device-malicious-ip-response
Respond to a device alert only when it involves a known malicious IP.
Retrieves the newest alert for a device, branches on the isMaliciousIP flag, and when malicious pulls events and transitions the alert into Under Investigation.
3 steps
Inputs: apiKey, deviceName, lastDays, note
Outputs: alertId, eventCount, platform, statusUpdated

1. getDeviceAlert (operation: getAlerts)
   Retrieve the newest alert for the named device, including the malicious-IP flag, to decide whether a response is warranted.
2. getEvents (operation: getAlertedEvents)
   Load the forensic events behind the malicious-IP alert to understand the operations performed from that address.
3. markInvestigating (operation: updateAlertStatus)
   Transition the malicious-IP alert into Under Investigation status with a response note.

Source API Descriptions

Arazzo Workflow Specification

varonis-device-malicious-ip-response-workflow.yml
arazzo: 1.0.1
info:
  title: Varonis Device Malicious IP Response
  summary: Pull a device's newest alert, and if it involves a malicious IP, fetch events and investigate.
  description: >-
    A device-scoped response workflow. It retrieves the newest alert for a named
    device and branches on whether the alert is associated with a known
    malicious IP address. When the IP is malicious it pulls the underlying
    events and moves the alert into Under Investigation; otherwise the flow ends.
    Each step inlines its request so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: datalertApi
  url: ../openapi/varonis-datalert-openapi.yml
  type: openapi
workflows:
- workflowId: device-malicious-ip-response
  summary: Respond to a device alert only when it involves a known malicious IP.
  description: >-
    Retrieves the newest alert for a device, branches on the isMaliciousIP flag,
    and when malicious pulls events and transitions the alert into Under
    Investigation.
  inputs:
    type: object
    required:
    - apiKey
    - deviceName
    properties:
      apiKey:
        type: string
        description: Varonis DatAlert API key sent in the X-API-Key header.
      deviceName:
        type: string
        description: Name of the device to check for malicious-IP alerts.
      lastDays:
        type: integer
        description: How many days back to search for alerts.
        default: 14
      note:
        type: string
        description: Note recorded when the alert is moved into investigation.
        default: Device alert involves a known malicious IP; investigating.
  steps:
  - stepId: getDeviceAlert
    description: >-
      Retrieve the newest alert for the named device, including the
      malicious-IP flag, to decide whether a response is warranted.
    operationId: getAlerts
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        deviceName: $inputs.deviceName
        lastDays: $inputs.lastDays
        descendingOrder: true
        maxResults: 1
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      alertId: $response.body#/alerts/0/id
      isMaliciousIP: $response.body#/alerts/0/isMaliciousIP
      platform: $response.body#/alerts/0/platform
    onSuccess:
    - name: malicious
      type: goto
      stepId: getEvents
      criteria:
      - context: $response.body
        condition: $.alerts[0].isMaliciousIP == true
        type: jsonpath
    - name: notMalicious
      type: end
      criteria:
      - context: $response.body
        condition: $.alerts[0].isMaliciousIP == false
        type: jsonpath
  - stepId: getEvents
    description: >-
      Load the forensic events behind the malicious-IP alert to understand the
      operations performed from that address.
    operationId: getAlertedEvents
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getDeviceAlert.outputs.alertId
        lastDays: $inputs.lastDays
        descendingOrder: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      events: $response.body#/events
      eventCount: $response.body#/totalCount
  - stepId: markInvestigating
    description: >-
      Transition the malicious-IP alert into Under Investigation status with a
      response note.
    operationId: updateAlertStatus
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getDeviceAlert.outputs.alertId
        status: Under Investigation
        note: $inputs.note
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      statusUpdated: $response.body#/success
  outputs:
    alertId: $steps.getDeviceAlert.outputs.alertId
    platform: $steps.getDeviceAlert.outputs.platform
    eventCount: $steps.getEvents.outputs.eventCount
    statusUpdated: $steps.markInvestigating.outputs.statusUpdated
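As an added example (not Varonis code and not part of the workflow spec above), the following Python runner executes the three steps against constructed mock responses. It resolves the spec's JSON-pointer outputs (`$response.body#/alerts/0/id` and the like), evaluates the two `isMaliciousIP` jsonpath criteria in the order the spec lists them, and checks each step's `$statusCode == 200` success criterion. The operation names mirror the operationIds above; the response shapes, device names, alert IDs, event records and the API key value are constructed assumptions. It also covers the case the spec leaves open: when the device has no alert in the window, neither onSuccess criterion matches, and this runner stops explicitly rather than falling through to getEvents with an empty alertId.

```python
"""Minimal in-process runner for the device-malicious-ip-response workflow.

Added example only: the mock API below stands in for the Varonis DatAlert
operations; every response body, device name and alert id is constructed.
"""
import json
import re

# Constructed mock data keyed by operationId input. Field names follow what the
# workflow reads: alerts[0].id / isMaliciousIP / platform, events, totalCount, success.
MOCK_ALERTS = {
    "ws-01": {"alerts": [{"id": "a-100", "isMaliciousIP": True, "platform": "Windows"}]},
    "ws-02": {"alerts": [{"id": "a-200", "isMaliciousIP": False, "platform": "Linux"}]},
    "ws-03": {"alerts": []},  # device with no alert in the search window
}
MOCK_EVENTS = {"a-100": {"events": [{"op": "read"}, {"op": "delete"}], "totalCount": 2}}
CONSTRUCTED_API_KEY = "constructed-key"


def call_operation(operation_id, headers, payload):
    """Stand-in for the three DatAlert operations. Returns (statusCode, body)."""
    if headers.get("X-API-Key") != CONSTRUCTED_API_KEY:
        return 401, {"error": "invalid api key"}
    if operation_id == "getAlerts":
        return 200, MOCK_ALERTS.get(payload["deviceName"], {"alerts": []})
    if operation_id == "getAlertedEvents":
        return 200, MOCK_EVENTS.get(payload["alertId"], {"events": [], "totalCount": 0})
    if operation_id == "updateAlertStatus":
        return 200, {"success": payload["status"] == "Under Investigation"}
    return 404, {}


def json_pointer(body, pointer):
    """Resolve an RFC 6901 pointer such as /alerts/0/id against a parsed body."""
    node = body
    for token in pointer.split("/")[1:]:
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[int(token)] if isinstance(node, list) else node[token]
    return node


def eval_jsonpath_condition(body, condition):
    """Evaluate the narrow '$.a[0].b == <json literal>' form the workflow uses.

    A missing path (e.g. alerts is empty) yields False rather than an error,
    which is what makes the 'neither criterion matched' case observable.
    """
    m = re.fullmatch(r"\$((?:\.\w+|\[\d+\])+)\s*==\s*(.+)", condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {condition}")
    node = body
    for key, idx in re.findall(r"\.(\w+)|\[(\d+)\]", m.group(1)):
        try:
            node = node[int(idx)] if idx else node[key]
        except (KeyError, IndexError, TypeError):
            return False
    return node == json.loads(m.group(2))


def require_200(step_id, status):
    """The successCriteria of every step above is '$statusCode == 200'."""
    if status != 200:
        raise RuntimeError(f"{step_id}: successCriteria not met (statusCode {status})")


def run_workflow(api_key, device_name, last_days=14,
                 note="Device alert involves a known malicious IP; investigating."):
    """Run the three steps; returns the workflow outputs plus the branch taken."""
    headers = {"X-API-Key": api_key}
    result = {"branch": None, "alertId": None, "platform": None,
              "eventCount": None, "statusUpdated": None}

    # Step 1: getDeviceAlert (operationId getAlerts), newest alert only.
    status, body = call_operation("getAlerts", headers, {
        "deviceName": device_name, "lastDays": last_days,
        "descendingOrder": True, "maxResults": 1})
    require_200("getDeviceAlert", status)
    if eval_jsonpath_condition(body, "$.alerts[0].isMaliciousIP == true"):
        result["branch"] = "malicious"        # onSuccess goto getEvents
    elif eval_jsonpath_condition(body, "$.alerts[0].isMaliciousIP == false"):
        result["branch"] = "notMalicious"     # onSuccess end
    else:
        result["branch"] = "noMatch"          # no alert: the spec leaves this open; stop here
        return result
    result["alertId"] = json_pointer(body, "/alerts/0/id")
    result["platform"] = json_pointer(body, "/alerts/0/platform")
    if result["branch"] == "notMalicious":
        return result

    # Step 2: getEvents (operationId getAlertedEvents).
    status, body = call_operation("getAlertedEvents", headers, {
        "alertId": result["alertId"], "lastDays": last_days, "descendingOrder": True})
    require_200("getEvents", status)
    result["eventCount"] = json_pointer(body, "/totalCount")

    # Step 3: markInvestigating (operationId updateAlertStatus).
    status, body = call_operation("updateAlertStatus", headers, {
        "alertId": result["alertId"], "status": "Under Investigation", "note": note})
    require_200("markInvestigating", status)
    result["statusUpdated"] = json_pointer(body, "/success")
    return result


if __name__ == "__main__":
    for device in ("ws-01", "ws-02", "ws-03"):
        print(device, run_workflow(CONSTRUCTED_API_KEY, device))
```

The criteria are evaluated in the order the spec lists them, and a missing path evaluates to False instead of raising, so the third device surfaces as `noMatch`; a production runner should decide deliberately what to do there, since following the Arazzo default of continuing to the next step would call getEvents with no alertId.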