Varonis · Arazzo Workflow

Varonis Triage Newest Alert

Version 1.0.0

Pull the newest open alert, load its forensic events, and move it into investigation.


Provider

varonis

Workflows

triage-newest-alert
Find the newest open alert, fetch its events, and mark it Under Investigation.
Searches DatAlert for open alerts in a recent window, takes the newest alert returned, retrieves its alerted events for forensic context, and updates the alert status to Under Investigation with a triage note.
3 steps. Inputs: apiKey, lastDays, maxResults, triageNote. Outputs: alertId, alertSeverity, eventCount, statusUpdated.

1. getOpenAlerts (operation getAlerts): Retrieve open alerts from the recent window in descending time order so the newest open alert is first in the response.
2. getEvents (operation getAlertedEvents): Retrieve the forensic events behind the selected alert to understand the scope of the activity before investigating.
3. markInvestigating (operation updateAlertStatus): Transition the alert into Under Investigation status and record a triage note so the rest of the team can see it is being worked.

Source API Descriptions

Arazzo Workflow Specification

varonis-triage-alert-workflow.yml
arazzo: 1.0.1
info:
  title: Varonis Triage Newest Alert
  summary: Pull the newest open alert, load its forensic events, and move it into investigation.
  description: >-
    A core DatAlert triage loop for a SOC analyst. The workflow retrieves the
    most recent open alerts for a user or device, selects the newest one, pulls
    the underlying forensic events that drove the detection, and then transitions
    the alert into the Under Investigation status so the rest of the team knows
    it is being worked. Every step inlines its request so the flow can be read
    and executed without opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
- name: datalertApi
  url: ../openapi/varonis-datalert-openapi.yml
  type: openapi
workflows:
- workflowId: triage-newest-alert
  summary: Find the newest open alert, fetch its events, and mark it Under Investigation.
  description: >-
    Searches DatAlert for open alerts in a recent window, takes the newest
    alert returned, retrieves its alerted events for forensic context, and
    updates the alert status to Under Investigation with a triage note.
  inputs:
    type: object
    required:
    - apiKey
    properties:
      apiKey:
        type: string
        description: Varonis DatAlert API key sent in the X-API-Key header.
      lastDays:
        type: integer
        description: How many days back to search for open alerts.
        default: 7
      maxResults:
        type: integer
        description: Maximum number of alerts to scan when selecting the newest.
        default: 50
      triageNote:
        type: string
        description: Note documenting why the alert is being investigated.
        default: Alert picked up for triage by automated workflow.
  steps:
  - stepId: getOpenAlerts
    description: >-
      Retrieve open alerts from the recent window in descending time order so
      the newest open alert is first in the response.
    operationId: getAlerts
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertStatus:
        - Open
        lastDays: $inputs.lastDays
        descendingOrder: true
        maxResults: $inputs.maxResults
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      alertId: $response.body#/alerts/0/id
      alertSeverity: $response.body#/alerts/0/severity
      totalCount: $response.body#/totalCount
    onSuccess:
    - name: haveAlert
      type: goto
      stepId: getEvents
      criteria:
      - context: $response.body
        condition: $.alerts.length > 0
        type: jsonpath
    - name: noAlerts
      type: end
      criteria:
      - context: $response.body
        condition: $.alerts.length == 0
        type: jsonpath
  - stepId: getEvents
    description: >-
      Retrieve the forensic events behind the selected alert to understand the
      scope of the activity before investigating.
    operationId: getAlertedEvents
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getOpenAlerts.outputs.alertId
        descendingOrder: true
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      events: $response.body#/events
      eventCount: $response.body#/totalCount
  - stepId: markInvestigating
    description: >-
      Transition the alert into Under Investigation status and record a triage
      note so the rest of the team can see it is being worked.
    operationId: updateAlertStatus
    parameters:
    - name: X-API-Key
      in: header
      value: $inputs.apiKey
    requestBody:
      contentType: application/json
      payload:
        alertId: $steps.getOpenAlerts.outputs.alertId
        status: Under Investigation
        note: $inputs.triageNote
    successCriteria:
    - condition: $statusCode == 200
    outputs:
      success: $response.body#/success
      message: $response.body#/message
  outputs:
    alertId: $steps.getOpenAlerts.outputs.alertId
    alertSeverity: $steps.getOpenAlerts.outputs.alertSeverity
    eventCount: $steps.getEvents.outputs.eventCount
    statusUpdated: $steps.markInvestigating.outputs.success
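As an added illustration (not part of the workflow above, nor of Varonis or any Arazzo runtime), the following Python resolves the three runtime-expression forms this spec relies on ($inputs.*, $steps.*.outputs.*, and $response.body# with a JSON pointer) against a constructed getAlerts response. It shows why the noAlerts branch matters: with an empty alerts array the step 1 output $response.body#/alerts/0/id has nothing to point at, so the getEvents and markInvestigating payloads could never be built. The sample data is constructed, and the jsonpath criteria on $.alerts.length are approximated by a plain length check.

```python
import re

# Constructed sample getAlerts responses (not real DatAlert data).
ALERTS_FOUND = {"alerts": [{"id": "A-1001", "severity": "High"},
                           {"id": "A-0998", "severity": "Low"}], "totalCount": 2}
NO_ALERTS = {"alerts": [], "totalCount": 0}

# Runtime expressions copied from the spec: step 1 outputs and the step 3 payload.
STEP1_OUTPUTS = {"alertId": "$response.body#/alerts/0/id",
                 "alertSeverity": "$response.body#/alerts/0/severity",
                 "totalCount": "$response.body#/totalCount"}
STEP3_PAYLOAD = {"alertId": "$steps.getOpenAlerts.outputs.alertId",
                 "status": "Under Investigation",
                 "note": "$inputs.triageNote"}

def json_pointer(doc, pointer):
    """RFC 6901 lookup; returns None (no exception) when a segment is missing."""
    node = doc
    for key in pointer.split("/")[1:]:
        if isinstance(node, list) and key.isdigit() and int(key) < len(node):
            node = node[int(key)]
        elif isinstance(node, dict) and key in node:
            node = node[key]
        else:
            return None  # e.g. /alerts/0/id when the alerts array is empty
    return node

def resolve(expr, inputs=None, steps=None, response=None):
    """Resolve the expression forms this spec uses; literals pass through."""
    if not isinstance(expr, str) or not expr.startswith("$"):
        return expr
    if expr.startswith("$inputs."):
        return inputs[expr[len("$inputs."):]]
    m = re.fullmatch(r"\$steps\.(\w+)\.outputs\.(\w+)", expr)
    if m:
        return steps[m.group(1)]["outputs"][m.group(2)]
    m = re.fullmatch(r"\$response\.body#(/.*)", expr)
    if m:
        return json_pointer(response, m.group(1))
    raise ValueError("unsupported runtime expression: " + expr)

def run_step1(response):
    """Evaluate getOpenAlerts outputs and pick the onSuccess branch (haveAlert or noAlerts)."""
    outputs = {k: resolve(v, response=response) for k, v in STEP1_OUTPUTS.items()}
    return outputs, ("getEvents" if response["alerts"] else "end")

def build_step3_payload(step1_outputs, inputs):
    """Build the updateAlertStatus body from step 1 outputs and workflow inputs."""
    steps = {"getOpenAlerts": {"outputs": step1_outputs}}
    return {k: resolve(v, inputs=inputs, steps=steps) for k, v in STEP3_PAYLOAD.items()}
```

Running run_step1 over NO_ALERTS yields an alertId of None and the "end" branch, which is the path a runtime must take before any later step dereferences $steps.getOpenAlerts.outputs.alertId.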