Varonis · Arazzo Workflow

Varonis Threat Model Hunt

Version 1.0.0

Resolve a threat model by name, pull its recent alerts, and load the newest alert's events.

1 workflow · 1 source API · 1 provider

Tags: Cloud Security, Compliance, Data Analytics, Data Governance, Data Security, Threat Detection, Arazzo, Workflows

Provider

varonis

Workflows

threat-model-hunt
Pivot from a threat model name to its recent alerts and forensic events.
Looks up a threat model by name, retrieves recent alerts attributed to that model name, and loads the events behind the newest matching alert for forensic review. Because the spec reads the first element of the lookup result (threatModels/0), a wildcard or pipe-separated name that matches several models hunts only on the first one returned; narrow the pattern or run the workflow once per model if you need all of them.

3 steps · inputs: apiKey, lastDays, maxResults, threatModelName · outputs: alertTotalCount, eventCount, modelId, modelSeverity, newestAlertId
1. resolveThreatModel (operationId: getThreatModels)
   Resolve the threat model definition by name to confirm it exists and to capture its category and severity before hunting on its alerts.
2. getModelAlerts (operationId: getAlerts)
   Retrieve recent alerts generated by the resolved threat model name in descending time order.
3. getNewestAlertEvents (operationId: getAlertedEvents)
   Load the forensic events behind the newest alert produced by the threat model to understand the detected activity.

Source API Descriptions

datalertApi · ../openapi/varonis-datalert-openapi.yml (openapi)

Arazzo Workflow Specification

varonis-threat-model-hunt-workflow.yml
arazzo: 1.0.1
info:
  title: Varonis Threat Model Hunt
  summary: Resolve a threat model by name, pull its recent alerts, and load the newest alert's events.
  description: >-
    A threat-hunting workflow that pivots from a threat model definition to the
    activity it has detected. It resolves the threat model by name (with
    wildcard support), retrieves recent alerts generated by that model, and then
    drills into the events behind the newest matching alert. Each step inlines
    its request so the flow can be read and executed without opening the
    underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: datalertApi
  url: ../openapi/varonis-datalert-openapi.yml
  type: openapi
workflows:
- workflowId: threat-model-hunt
  summary: Pivot from a threat model name to its recent alerts and forensic events.
  description: >-
    Looks up a threat model by name, retrieves recent alerts attributed to that
    model name, and loads the events behind the newest matching alert for
    forensic review.
  inputs:
    type: object
    required:
    - apiKey
    - threatModelName
    properties:
      apiKey:
        type: string
        description: Varonis DatAlert API key sent in the X-API-Key header.
      threatModelName:
        type: string
        description: >-
          Threat model name to hunt on. Supports pipe-separated values and
          wildcard characters for pattern matching.
      lastDays:
        type: integer
        description: How many days back to search for alerts.
        default: 30
      maxResults:
        type: integer
        description: Maximum number of alerts to retrieve.
        default: 100
  steps:
  - stepId: resolveThreatModel
    description: >-
      Resolve the threat model definition by name to confirm it exists and to
      capture its category and severity before hunting on its alerts.
    operationId: getThreatModels
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    - name: name
      in: query
      value: $inputs.threatModelName
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      modelId: $response.body#/threatModels/0/id
      modelName: $response.body#/threatModels/0/name
      modelSeverity: $response.body#/threatModels/0/severity
    onSuccess:
    - name: modelFound
      type: goto
      stepId: getModelAlerts
      criteria:
      - context: $response.body
        condition: $.threatModels.length > 0
        type: jsonpath
    - name: modelMissing
      type: end
      criteria:
      - context: $response.body
        condition: $.threatModels.length == 0
        type: jsonpath
  - stepId: getModelAlerts
    description: >-
      Retrieve recent alerts generated by the resolved threat model name in
      descending time order.
    operationId: getAlerts
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        threatModelName:
        - $steps.resolveThreatModel.outputs.modelName
        lastDays: $inputs.lastDays
        descendingOrder: true
        maxResults: $inputs.maxResults
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      newestAlertId: $response.body#/alerts/0/id
      totalCount: $response.body#/totalCount
    onSuccess:
    - name: haveAlerts
      type: goto
      stepId: getNewestAlertEvents
      criteria:
      - context: $response.body
        condition: $.alerts.length > 0
        type: jsonpath
    - name: noAlerts
      type: end
      criteria:
      - context: $response.body
        condition: $.alerts.length == 0
        type: jsonpath
  - stepId: getNewestAlertEvents
    description: >-
      Load the forensic events behind the newest alert produced by the threat
      model to understand the detected activity.
    operationId: getAlertedEvents
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getModelAlerts.outputs.newestAlertId
        lastDays: $inputs.lastDays
        descendingOrder: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      events: $response.body#/events
      eventCount: $response.body#/totalCount
  outputs:
    modelId: $steps.resolveThreatModel.outputs.modelId
    modelSeverity: $steps.resolveThreatModel.outputs.modelSeverity
    alertTotalCount: $steps.getModelAlerts.outputs.totalCount
    newestAlertId: $steps.getModelAlerts.outputs.newestAlertId
    eventCount: $steps.getNewestAlertEvents.outputs.eventCount
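The three-step pivot above (resolve the model, list its recent alerts, load the newest alert's events) expressed as an offline Python runner, so the branch points in the spec (modelMissing, noAlerts, the threatModels/0 and alerts/0 reads, totalCount versus the truncated alerts list) can be exercised without a Varonis tenant. This is an added example and is not Varonis's code, the workflow author's code, or an Arazzo engine. The transport is keyed by Arazzo operationId because the page gives no URL paths; the API key check, fnmatch-style `*`/`?` wildcard semantics, the fixed clock and all sample models, alerts and events are constructed assumptions for the demonstration.

```python
"""Offline runner for the threat-model-hunt pivot. Added example, not Varonis's
or the workflow author's code; operation dispatch, wildcard semantics and all
sample data are assumptions made for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Callable, Optional

# Transport: (operationId, headers, query, json_body) -> (status_code, body).
# A real transport would map operationId to path via the OpenAPI description.
Transport = Callable[[str, dict, Optional[dict], Optional[dict]], tuple[int, dict]]


@dataclass
class HuntResult:
    stopped_at: str                     # step at which the flow ended
    matched_models: int = 0             # how many models the name/wildcard matched
    model_id: Optional[str] = None
    model_severity: Optional[str] = None
    alert_total_count: int = 0          # API totalCount, not len(alerts) after maxResults
    newest_alert_id: Optional[str] = None
    event_count: int = 0


def threat_model_hunt(api_key: str, threat_model_name: str, send: Transport,
                      last_days: int = 30, max_results: int = 100) -> HuntResult:
    headers = {"X-API-Key": api_key}

    def call(op, query=None, body=None):
        status, payload = send(op, headers, query, body)
        if status != 200:               # successCriteria: $statusCode == 200
            raise RuntimeError(f"{op} failed with HTTP {status}")
        return payload

    # Step 1: resolveThreatModel -> getThreatModels with ?name=<pattern>
    models = call("getThreatModels", query={"name": threat_model_name}).get("threatModels", [])
    if not models:                      # onSuccess: modelMissing -> end
        return HuntResult(stopped_at="resolveThreatModel")
    model = models[0]                   # the spec reads threatModels/0 only
    result = HuntResult(stopped_at="getModelAlerts", matched_models=len(models),
                        model_id=model["id"], model_severity=model["severity"])

    # Step 2: getModelAlerts -> getAlerts filtered on the resolved model's name
    alerts_body = call("getAlerts", body={"threatModelName": [model["name"]],
                                           "lastDays": last_days,
                                           "descendingOrder": True,
                                           "maxResults": max_results})
    result.alert_total_count = alerts_body.get("totalCount", 0)
    alerts = alerts_body.get("alerts", [])
    if not alerts:                      # onSuccess: noAlerts -> end
        return result
    result.newest_alert_id = alerts[0]["id"]   # alerts/0 of a descending list

    # Step 3: getNewestAlertEvents -> getAlertedEvents for that single alert
    events_body = call("getAlertedEvents", body={"alertId": result.newest_alert_id,
                                                  "lastDays": last_days,
                                                  "descendingOrder": True})
    result.event_count = events_body.get("totalCount", len(events_body.get("events", [])))
    result.stopped_at = "getNewestAlertEvents"
    return result


# --- Constructed stand-in for the DatAlert API (sample data, not real alerts) ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)        # fixed clock for determinism
SAMPLE_MODELS = [
    {"id": "tm-101", "name": "Sample: abnormal mailbox access", "category": "Exfiltration", "severity": "High"},
    {"id": "tm-102", "name": "Sample: abnormal file deletion", "category": "Destruction", "severity": "Medium"},
    {"id": "tm-103", "name": "Sample: dormant account activity", "category": "Reconnaissance", "severity": "Low"},
]
SAMPLE_ALERTS = [
    {"id": "al-9001", "threatModelName": "Sample: abnormal mailbox access", "time": "2024-05-30T08:15:00+00:00"},
    {"id": "al-9002", "threatModelName": "Sample: abnormal mailbox access", "time": "2024-05-12T22:40:00+00:00"},
    {"id": "al-8000", "threatModelName": "Sample: abnormal file deletion", "time": "2024-02-01T10:00:00+00:00"},
    {"id": "al-7000", "threatModelName": "Sample: dormant account activity", "time": "2024-05-20T01:00:00+00:00"},
]
SAMPLE_EVENTS = [
    {"id": "ev-1", "alertId": "al-9001", "user": "svc-backup", "object": "cfo@corp.example", "action": "MailboxOpen"},
    {"id": "ev-2", "alertId": "al-9001", "user": "svc-backup", "object": "cfo@corp.example", "action": "MessageRead"},
    {"id": "ev-3", "alertId": "al-9002", "user": "svc-backup", "object": "hr@corp.example", "action": "MailboxOpen"},
]


def fake_datalert(api_key: str = "demo-key") -> Transport:
    """Dispatches on operationId and emulates the fields the workflow reads."""
    def send(op, headers, query, body):
        if headers.get("X-API-Key") != api_key:
            return 401, {"message": "invalid API key"}
        if op == "getThreatModels":
            # pipe-separated patterns, each with '*'/'?' wildcards (assumed semantics)
            patterns = query["name"].split("|")
            hits = [m for m in SAMPLE_MODELS if any(fnmatchcase(m["name"], p) for p in patterns)]
            return 200, {"threatModels": hits}
        if op == "getAlerts":
            cutoff = NOW - timedelta(days=body["lastDays"])
            hits = [a for a in SAMPLE_ALERTS
                    if a["threatModelName"] in body["threatModelName"]
                    and datetime.fromisoformat(a["time"]) >= cutoff]
            hits.sort(key=lambda a: a["time"], reverse=body.get("descendingOrder", False))
            return 200, {"alerts": hits[:body["maxResults"]], "totalCount": len(hits)}
        if op == "getAlertedEvents":
            evs = [e for e in SAMPLE_EVENTS if e["alertId"] == body["alertId"]]
            return 200, {"events": evs, "totalCount": len(evs)}
        return 404, {"message": f"unknown operation {op}"}
    return send


if __name__ == "__main__":
    print(threat_model_hunt("demo-key", "Sample: abnormal *", fake_datalert(), max_results=1))
```

Running the `__main__` line shows the two points worth checking before trusting the workflow's outputs: `matched_models` is 2 because the wildcard hit two models but only the first is hunted, and `alert_total_count` stays 2 even though `maxResults: 1` truncated the returned list, so `alertTotalCount` reports volume while `newestAlertId` and `eventCount` describe one alert only.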