Varonis High-Severity Model Coverage

Version 1.0.0

List threat models, pull alerts for one model, and annotate its newest alert.

1 workflow · 1 source API · 1 provider

Provider

varonis

Workflows

high-severity-model-coverage
Audit a threat model's alert coverage and annotate its newest alert.
Lists threat models matching a name filter, retrieves alerts for the first matching model, and records a coverage note on the newest alert.
3 steps. Inputs: apiKey, lastDays, nameFilter, note. Outputs: alertTotalCount, modelName, modelSeverity, noteAdded.
1. listModels (operation getThreatModels): List the threat models matching the name filter to identify which model to audit coverage for.
2. getModelAlerts (operation getAlerts): Retrieve alerts generated by the first matching threat model to confirm it is producing detections.
3. annotateNewest (operation addAlertNote): Add a coverage note to the newest alert produced by the audited threat model.

Source API Descriptions: datalertApi (openapi, ../openapi/varonis-datalert-openapi.yml)

Arazzo Workflow Specification

varonis-high-severity-model-coverage-workflow.yml
arazzo: 1.0.1
info:
  title: Varonis High-Severity Model Coverage
  summary: List threat models, pull alerts for one model, and annotate its newest alert.
  description: >-
    A coverage-audit workflow that connects threat model definitions to the
    alerts they produce. It lists the configured threat models matching a name
    filter, retrieves the alerts generated by the first matching model, and adds
    a coverage note to the newest alert so the audit is documented against real
    activity. Each step inlines its request so the flow can be read and executed
    without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: datalertApi
  url: ../openapi/varonis-datalert-openapi.yml
  type: openapi
workflows:
- workflowId: high-severity-model-coverage
  summary: Audit a threat model's alert coverage and annotate its newest alert.
  description: >-
    Lists threat models matching a name filter, retrieves alerts for the first
    matching model, and records a coverage note on the newest alert.
  inputs:
    type: object
    required:
    - apiKey
    - nameFilter
    properties:
      apiKey:
        type: string
        description: Varonis DatAlert API key sent in the X-API-Key header.
      nameFilter:
        type: string
        description: >-
          Threat model name filter. Supports pipe-separated values and wildcard
          characters for pattern matching.
      lastDays:
        type: integer
        description: How many days back to search for alerts.
        default: 30
      note:
        type: string
        description: Coverage note recorded against the newest alert.
        default: Coverage audit confirmed this threat model is generating alerts.
  steps:
  - stepId: listModels
    description: >-
      List the threat models matching the name filter to identify which model
      to audit coverage for.
    operationId: getThreatModels
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    - name: name
      in: query
      value: $inputs.nameFilter
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      modelName: $response.body#/threatModels/0/name
      modelSeverity: $response.body#/threatModels/0/severity
    onSuccess:
    - name: haveModel
      type: goto
      stepId: getModelAlerts
      criteria:
      - context: $response.body
        # jsonpath criteria take a JSONPath filter expression (".length" is not a JSONPath selector)
        condition: $[?length(@.threatModels) > 0]
        type: jsonpath
    - name: noModel
      type: end
      criteria:
      - context: $response.body
        condition: $[?length(@.threatModels) == 0]
        type: jsonpath
  - stepId: getModelAlerts
    description: >-
      Retrieve alerts generated by the first matching threat model to confirm
      it is producing detections.
    operationId: getAlerts
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        threatModelName:
        - $steps.listModels.outputs.modelName
        lastDays: $inputs.lastDays
        descendingOrder: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      newestAlertId: $response.body#/alerts/0/id
      totalCount: $response.body#/totalCount
    onSuccess:
    - name: haveAlerts
      type: goto
      stepId: annotateNewest
      criteria:
      - context: $response.body
        condition: $[?length(@.alerts) > 0]
        type: jsonpath
    - name: noAlerts
      type: end
      criteria:
      - context: $response.body
        condition: $[?length(@.alerts) == 0]
        type: jsonpath
  - stepId: annotateNewest
    description: >-
      Add a coverage note to the newest alert produced by the audited threat
      model.
    operationId: addAlertNote
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getModelAlerts.outputs.newestAlertId
        note: $inputs.note
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      noteAdded: $response.body#/success
  outputs:
    modelName: $steps.listModels.outputs.modelName
    modelSeverity: $steps.listModels.outputs.modelSeverity
    alertTotalCount: $steps.getModelAlerts.outputs.totalCount
    noteAdded: $steps.annotateNewest.outputs.noteAdded
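As an added example (not code from this catalog or from Varonis), a minimal Python executor for the workflow above, run against a constructed offline stand-in for the three DatAlert operations. The operation names, the X-API-Key header, the request payloads and the noModel / noAlerts early-end branches follow the spec; the sample models, alerts, the `test-key` value and the `fake_datalert` helper are assumptions.

```python
from fnmatch import fnmatch
DEFAULT_NOTE = "Coverage audit confirmed this threat model is generating alerts."
# Constructed sample data, not real Varonis responses.
MODELS = [{"name": "Ransomware activity", "severity": "High"},
          {"name": "Abnormal admin behavior", "severity": "Medium"}]
ALERTS = [{"id": "A-1", "threatModelName": "Ransomware activity", "time": 1},
          {"id": "A-2", "threatModelName": "Ransomware activity", "time": 2}]
def fake_datalert(models, alerts, notes):
    """Offline stand-in: checks X-API-Key, applies the pipe/wildcard name filter, records notes."""
    def client(op, headers, payload):  # returns (statusCode, body) like the real API
        if headers.get("X-API-Key") != "test-key":
            return 401, {"error": "missing or invalid API key"}
        if op == "getThreatModels":
            pats = payload["name"].split("|")
            return 200, {"threatModels": [m for m in models if any(fnmatch(m["name"], p) for p in pats)]}
        if op == "getAlerts":
            hits = [a for a in alerts if a["threatModelName"] in payload["threatModelName"]]
            hits.sort(key=lambda a: a["time"], reverse=payload["descendingOrder"])
            return 200, {"alerts": hits, "totalCount": len(hits)}
        notes.append((payload["alertId"], payload["note"]))  # op == "addAlertNote"
        return 200, {"success": True}
    return client
def run_coverage_audit(client, api_key, name_filter, last_days=30, note=DEFAULT_NOTE):
    """Execute the three steps; out['endedAt'] records where the flow stopped."""
    headers = {"X-API-Key": api_key}  # every step authenticates with this header
    out = dict.fromkeys(["modelName", "modelSeverity", "alertTotalCount", "noteAdded", "endedAt"])
    # listModels: successCriteria is $statusCode == 200; the noModel branch ends the flow.
    status, body = client("getThreatModels", headers, {"name": name_filter})
    if status != 200:
        raise RuntimeError(f"listModels failed: HTTP {status}")
    models = body.get("threatModels", [])
    if not models:
        out["endedAt"] = "listModels"
        return out
    out["modelName"], out["modelSeverity"] = models[0]["name"], models[0]["severity"]
    # getModelAlerts: descendingOrder puts the newest alert at alerts/0.
    status, body = client("getAlerts", headers, {"threatModelName": [out["modelName"]],
                                                 "lastDays": last_days, "descendingOrder": True})
    if status != 200:
        raise RuntimeError(f"getModelAlerts failed: HTTP {status}")
    out["alertTotalCount"], alerts = body.get("totalCount"), body.get("alerts", [])
    if not alerts:  # noAlerts branch: the model exists but produced no detections
        out["endedAt"] = "getModelAlerts"
        return out
    # annotateNewest: record the note against the newest alert's id.
    status, body = client("addAlertNote", headers, {"alertId": alerts[0]["id"], "note": note})
    if status != 200:
        raise RuntimeError(f"annotateNewest failed: HTTP {status}")
    out["noteAdded"], out["endedAt"] = body.get("success"), "annotateNewest"
    return out
```

Swapping `fake_datalert` for a thin wrapper around real HTTP calls to the OpenAPI operations gives a runnable version of the same flow; the branch logic stays unchanged.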