Get specific workflow version

id string

Unique configuration identifier

workflow_id string

Parent workflow ID

org_id string

Organization ID

version integer

Possible values: >= 1

Configuration version number

data_input_config object

oneOf

MOD1
MOD2
MOD3
MOD4

type string

Possible values: [detection]

Data input type discriminator

scim_filter string

Possible values: non-empty

SCIM filter string to apply when querying detections. Examples:

severity eq "critical"
type eq "aws_identity_unused" and status eq "new"
entity_type eq "aws_iam_user"
severity eq "critical" or severity eq "high"

limit integer

Possible values: <= 10000

Maximum number of detections to retrieve (0 for no limit)

sorting object[]

Sorting configuration for results

field string

Field to sort by

direction string

Possible values: [asc, desc]

Default value: desc

Sort direction

type string

Possible values: [lifecycle]

Data input type discriminator

event_types string[]

Possible values: [created, deleted, suspended, modified, reactivated, role_changed, group_added, group_removed, risk_score_changed, inactive_threshold], >= 1

Lifecycle events that trigger this workflow

entity_types string[]

Filter by entity types (e.g., aws_iam_user, entra_user). If empty, all entity types are matched.

source_types string[]

Filter by identity source types (e.g., aws_account, entra). If empty, all source types are matched.

connection_ids string[]

Filter by specific connection IDs. If empty, all connections are matched.

min_risk_score integer

Possible values: <= 100

Only trigger for entities with risk score >= this value

max_risk_score integer

Possible values: <= 100

Only trigger for entities with risk score <= this value

include_relationships boolean

Default value: false

Fetch manager, groups, direct reports from Neo4j

include_permissions boolean

Default value: false

Fetch permission assignments from Neo4j

include_access_history boolean

Default value: false

Fetch recent access records from Neo4j

relationship_depth integer

Possible values: <= 3

Default value: 1

How deep to traverse relationships in Neo4j (default 1, max 3)

scim_filter string

Additional SCIM-style filter criteria for the entity

type string

Possible values: [uar_finding]

Data input type discriminator

triggers string[]

UarFindingV1 trigger reasons that fire this workflow (ANY match). Defaults to ["manual"] when empty.

campaign_ids uuid[]

Filter by specific campaign IDs. Empty matches all.

campaign_template_ids uuid[]

Filter by campaign template IDs. Empty matches all.

campaign_types string[]

Filter by campaign type (e.g. user, resource, non_human_identity). Empty matches all.

classification_tags string[]

Filter by classification tags on the finding. Empty matches all.

outcomes string[]

Filter by reviewer decision outcome (e.g. approve, revoke). Empty matches all.

only_effective boolean

Default value: false

Match only when effective_outcome == outcome — the decision survived multi-tier escalation rather than being overridden.

min_level integer

Filter by decision level >= this value.

only_high_privilege boolean

Default value: false

Restrict to findings flagged as high-privilege.

user_source_types string[]

Filter by user identity source type. Empty matches all.

user_entity_types string[]

Filter by user entity type. Empty matches all.

asset_source_types string[]

Filter by asset source type. Empty matches all.

asset_entity_types string[]

Filter by asset entity type. Empty matches all.

granting_entity_types string[]

Filter by granting entity type (e.g. role, group). Empty matches all.

scim_filter string

Optional SCIM-style filter over the flattened finding payload, applied after the structured filters above.

type string

Possible values: [cypher_query]

Data input type discriminator

query string

Possible values: non-empty and <= 10000 characters

Read-only Cypher query whose rows feed downstream workflow actions. Must contain MATCH and RETURN clauses. Write operations and the USE clause are rejected by the validator. Comments and strings are tokenized before validation, so a write keyword inside a string literal is allowed.

parameters object

Parameters bound into the query at execution time. Keys must match the $name placeholders in query. Values are passed verbatim to the Neo4j driver.

max_rows integer

Possible values: >= 1 and <= 10000

Default value: 1000

Maximum rows returned by a scheduled execution (NOT the preview). Capped server-side at 10000.

timeout_seconds integer

Possible values: >= 1 and <= 300

Default value: 30

Per-execution query timeout (NOT the preview). Capped server-side at 300.

on_limit_exceeded string

Possible values: [fail, truncate]

Default value: fail

Behavior when the query returns more than max_rows. fail aborts the execution with an error; truncate returns the first max_rows rows and marks the execution as truncated.

primary_entity_column string

Optional. Name of a query result column whose value is the primary entity ID for each row. When set, downstream remediation actions can target this entity. Must match one of the column aliases in the query's RETURN clause.

actions object

Actions configuration. Map of action ID to action configuration.

discriminator

Possible values: [remediation, ticket, data_sink, webhook, notification, condition]

oneOf

starting_actions string[]

IDs of actions to execute first (after data input).

schedule string

Optional cron expression (5-field, UTC). When non-empty, the workflow is registered with the scheduler and fires on each tick (cron parser: github.com/hashicorp/cronexpr). Must be empty when data_input_config.type is lifecycle — lifecycle workflows are event-driven and cannot be scheduled.

created_by string

User ID who created this version

created_at date-time

Version creation timestamp

is_latest boolean

Whether this is the latest version

Get specific workflow version​