Varonis · Capability

Varonis Threat Detection and Response

Unified workflow capability for SOC analysts performing threat detection, alert triage, and incident response using the Varonis DatAlert API. Combines alert management, forensic event investigation, and threat model reference into a single AI-accessible interface.

Run with Naftiko

Tags: Varonis, Data Security, Threat Detection, Incident Response, Security Operations, SOC

What You Can Do

POST /v1/alerts
Get alerts — Retrieve security alerts with filtering by threat model, severity, status, and time range.

PUT /v1/alerts/{alertId}/status
Update alert status — Update an alert status to Open or Under Investigation.

POST /v1/alerts/{alertId}/close
Close alert — Close an alert with a specified resolution reason.

POST /v1/alerts/{alertId}/notes
Add alert note — Add an investigation note to an alert.

GET /v1/alerts/{alertId}/events
Get alerted events — Retrieve forensic events associated with an alert for investigation.

GET /v1/threat-models
Get threat models — List threat models configured in Varonis DatAlert.

MCP Tools

get-alerts (read-only)

Retrieve Varonis DatAlert security alerts with filtering by threat model, severity, status, and time range.

update-alert-status (idempotent)

Update the status of a Varonis DatAlert alert to Open or Under Investigation, with optional investigation note.

close-alert

Close a Varonis DatAlert alert with a resolution reason such as Resolved, Legitimate activity, or Misconfiguration.

add-alert-note

Add an investigation note to a Varonis DatAlert alert to document findings and remediation steps.

get-alerted-events (read-only)

Retrieve forensic events associated with a Varonis alert for threat hunting and incident investigation.

get-threat-models (read-only)

List Varonis DatAlert threat model definitions including category, severity, and MITRE ATT&CK alignment.

APIs Used

varonis-datalert

Capability Spec

threat-detection-response.yaml
naftiko: "1.0.0-alpha1"

info:
  label: "Varonis Threat Detection and Response"
  description: "Unified workflow capability for SOC analysts performing threat detection, alert triage, and incident response using the Varonis DatAlert API. Combines alert management, forensic event investigation, and threat model reference into a single AI-accessible interface."
  tags:
    - Varonis
    - Data Security
    - Threat Detection
    - Incident Response
    - Security Operations
    - SOC
  created: "2026-05-03"
  modified: "2026-05-03"

binds:
  - namespace: env
    keys:
      VARONIS_API_KEY: VARONIS_API_KEY

capability:
  consumes:
    - import: varonis-datalert
      location: ./shared/datalert.yaml

  exposes:
    - type: rest
      port: 8080
      namespace: varonis-threat-response-api
      description: "Unified REST API for Varonis threat detection and incident response workflows."
      resources:
        - path: /v1/alerts
          name: alerts
          description: "Security alerts from Varonis DatAlert threat detection."
          operations:
            - method: POST
              name: get-alerts
              description: "Retrieve security alerts with filtering by threat model, severity, status, and time range."
              call: "varonis-datalert.get-alerts"
              with:
                maxResults: "rest.maxResults"
                offset: "rest.offset"
                alertStatus: "rest.alertStatus"
                alertSeverity: "rest.alertSeverity"
                lastDays: "rest.lastDays"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/alerts/{alertId}/status
          name: alert-status
          description: "Alert status management."
          operations:
            - method: PUT
              name: update-alert-status
              description: "Update an alert status to Open or Under Investigation."
              call: "varonis-datalert.update-alert-status"
              with:
                alertId: "rest.alertId"
                status: "rest.status"
                note: "rest.note"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/alerts/{alertId}/close
          name: alert-close
          description: "Close a security alert with resolution reason."
          operations:
            - method: POST
              name: close-alert
              description: "Close an alert with a specified resolution reason."
              call: "varonis-datalert.close-alert"
              with:
                alertId: "rest.alertId"
                closeReason: "rest.closeReason"
                note: "rest.note"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/alerts/{alertId}/notes
          name: alert-notes
          description: "Investigation notes on alerts."
          operations:
            - method: POST
              name: add-alert-note
              description: "Add an investigation note to an alert."
              call: "varonis-datalert.add-alert-note"
              with:
                alertId: "rest.alertId"
                note: "rest.note"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/alerts/{alertId}/events
          name: alert-events
          description: "Forensic events associated with a security alert."
          operations:
            - method: GET
              name: get-alerted-events
              description: "Retrieve forensic events associated with an alert for investigation."
              call: "varonis-datalert.get-alerted-events"
              with:
                alertId: "rest.alertId"
                lastDays: "rest.lastDays"
              outputParameters:
                - type: object
                  mapping: "$."

        - path: /v1/threat-models
          name: threat-models
          description: "Threat model definitions used to generate alerts."
          operations:
            - method: GET
              name: get-threat-models
              description: "List threat models configured in Varonis DatAlert."
              call: "varonis-datalert.get-threat-models"
              with:
                name: "rest.name"
              outputParameters:
                - type: object
                  mapping: "$."

    - type: mcp
      port: 9090
      namespace: varonis-threat-response-mcp
      transport: http
      description: "MCP server for AI-assisted Varonis threat detection and incident response workflows."
      tools:
        - name: get-alerts
          description: "Retrieve Varonis DatAlert security alerts with filtering by threat model, severity, status, and time range."
          hints:
            readOnly: true
            openWorld: false
          call: "varonis-datalert.get-alerts"
          with:
            maxResults: "tools.maxResults"
            offset: "tools.offset"
            alertStatus: "tools.alertStatus"
            alertSeverity: "tools.alertSeverity"
            lastDays: "tools.lastDays"
          outputParameters:
            - type: object
              mapping: "$."

        - name: update-alert-status
          description: "Update the status of a Varonis DatAlert alert to Open or Under Investigation, with optional investigation note."
          hints:
            readOnly: false
            idempotent: true
          call: "varonis-datalert.update-alert-status"
          with:
            alertId: "tools.alertId"
            status: "tools.status"
            note: "tools.note"
          outputParameters:
            - type: object
              mapping: "$."

        - name: close-alert
          description: "Close a Varonis DatAlert alert with a resolution reason such as Resolved, Legitimate activity, or Misconfiguration."
          hints:
            readOnly: false
            idempotent: false
          call: "varonis-datalert.close-alert"
          with:
            alertId: "tools.alertId"
            closeReason: "tools.closeReason"
            note: "tools.note"
          outputParameters:
            - type: object
              mapping: "$."

        - name: add-alert-note
          description: "Add an investigation note to a Varonis DatAlert alert to document findings and remediation steps."
          hints:
            readOnly: false
            idempotent: false
          call: "varonis-datalert.add-alert-note"
          with:
            alertId: "tools.alertId"
            note: "tools.note"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-alerted-events
          description: "Retrieve forensic events associated with a Varonis alert for threat hunting and incident investigation."
          hints:
            readOnly: true
            openWorld: true
          call: "varonis-datalert.get-alerted-events"
          with:
            alertId: "tools.alertId"
            lastDays: "tools.lastDays"
          outputParameters:
            - type: object
              mapping: "$."

        - name: get-threat-models
          description: "List Varonis DatAlert threat model definitions including category, severity, and MITRE ATT&CK alignment."
          hints:
            readOnly: true
            openWorld: false
          call: "varonis-datalert.get-threat-models"
          with:
            name: "tools.name"
          outputParameters:
            - type: object
              mapping: "$."
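The spec above exposes each upstream DatAlert call twice, once as a REST operation and once as an MCP tool, so the two views can drift (different parameter sets, or a tool hinted readOnly while its REST twin is a POST, as get-alerts is here). The following lint is an added example, not part of Naftiko or this capability; it works on the dict shape PyYAML's safe_load would produce for the spec and runs against a constructed two-operation sample in which the MCP close-alert tool deliberately drops the note parameter.

```python
"""Lint a Naftiko capability spec for REST/MCP drift (added example, not Naftiko code)."""

def _params(with_block):
    # Drop the "rest."/"tools." source prefix so both sides compare on upstream parameter names.
    return {k: v.split(".", 1)[1] for k, v in with_block.items()}

def lint_capability(spec):
    rest_ops, mcp_tools, findings = {}, {}, []
    for exp in spec["capability"]["exposes"]:
        if exp["type"] == "rest":
            for res in exp["resources"]:
                for op in res["operations"]:
                    rest_ops[op["name"]] = op
        elif exp["type"] == "mcp":
            for tool in exp["tools"]:
                mcp_tools[tool["name"]] = tool
    for name, tool in mcp_tools.items():
        op = rest_ops.get(name)
        if op is None:
            findings.append(f"{name}: MCP tool has no REST operation")
            continue
        if op["call"] != tool["call"]:
            findings.append(f"{name}: upstream call differs between REST and MCP")
        if _params(op["with"]) != _params(tool["with"]):
            findings.append(f"{name}: parameter sets differ between REST and MCP")
        read_only = tool.get("hints", {}).get("readOnly", False)
        if read_only and op["method"] != "GET":
            findings.append(f"{name}: readOnly tool exposed over {op['method']}")
        if not read_only and op["method"] == "GET":
            findings.append(f"{name}: mutating tool exposed over GET")
    for name in rest_ops.keys() - mcp_tools.keys():
        findings.append(f"{name}: REST operation has no MCP tool")
    return findings

# Constructed sample in the page's spec shape, trimmed to two operations; the
# MCP close-alert tool deliberately omits the "note" parameter.
SAMPLE_SPEC = {"capability": {"exposes": [
    {"type": "rest", "resources": [
        {"path": "/v1/alerts", "operations": [{"method": "POST", "name": "get-alerts",
            "call": "varonis-datalert.get-alerts",
            "with": {"maxResults": "rest.maxResults", "lastDays": "rest.lastDays"}}]},
        {"path": "/v1/alerts/{alertId}/close", "operations": [{"method": "POST",
            "name": "close-alert", "call": "varonis-datalert.close-alert",
            "with": {"alertId": "rest.alertId", "closeReason": "rest.closeReason",
                     "note": "rest.note"}}]}]},
    {"type": "mcp", "tools": [
        {"name": "get-alerts", "hints": {"readOnly": True}, "call": "varonis-datalert.get-alerts",
         "with": {"maxResults": "tools.maxResults", "lastDays": "tools.lastDays"}},
        {"name": "close-alert", "hints": {"readOnly": False}, "call": "varonis-datalert.close-alert",
         "with": {"alertId": "tools.alertId", "closeReason": "tools.closeReason"}}]}]}}
```

Running lint_capability(SAMPLE_SPEC) reports the POST-backed read-only get-alerts tool and the missing close-alert parameter; against the full spec loaded with yaml.safe_load it flags get-alerts the same way.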