Update workflow

Update a workflow and create a new version

Path Parameters

• workflow_id string required

  Workflow identifier

Header Parameters

• SlashID-OrgID string required

  The organization ID

  Example: af5fbd30-7ce7-4548-8b30-4cd59cb2aba1

application/json

Request Body required

Workflow update request

• name string

  Possible values: non-empty and <= 255 characters

  New workflow name

• description string

  Possible values: <= 1000 characters

  New workflow description

• data_input_config object

  oneOf

  • MOD1
  • MOD2
  • MOD3
  • MOD4

  ---

  type string required

  Possible values: [detection]

  Data input type discriminator

  scim_filter string required

  Possible values: non-empty

  SCIM filter string to apply when querying detections. Examples:

  • severity eq "critical"
  • type eq "aws_identity_unused" and status eq "new"
  • entity_type eq "aws_iam_user"
  • severity eq "critical" or severity eq "high"

  limit integer

  Possible values: <= 10000

  Maximum number of detections to retrieve (0 for no limit)

  sorting object[]

  Sorting configuration for results

  field string required

  Field to sort by

  direction string required

  Possible values: [asc, desc]

  Default value: desc

  Sort direction

  type string required

  Possible values: [lifecycle]

  Data input type discriminator

  event_types string[] required

  Possible values: [created, deleted, suspended, modified, reactivated, role_changed, group_added, group_removed, risk_score_changed, inactive_threshold], >= 1

  Lifecycle events that trigger this workflow

  entity_types string[]

  Filter by entity types (e.g., aws_iam_user, entra_user). If empty, all entity types are matched.

  source_types string[]

  Filter by identity source types (e.g., aws_account, entra). If empty, all source types are matched.

  connection_ids string[]

  Filter by specific connection IDs. If empty, all connections are matched.

  min_risk_score integer

  Possible values: <= 100

  Only trigger for entities with risk score >= this value

  max_risk_score integer

  Possible values: <= 100

  Only trigger for entities with risk score <= this value

  include_relationships boolean

  Default value: false

  Fetch manager, groups, direct reports from Neo4j

  include_permissions boolean

  Default value: false

  Fetch permission assignments from Neo4j

  include_access_history boolean

  Default value: false

  Fetch recent access records from Neo4j

  relationship_depth integer

  Possible values: <= 3

  Default value: 1

  How deep to traverse relationships in Neo4j (default 1, max 3)

  scim_filter string

  Additional SCIM-style filter criteria for the entity

  type string required

  Possible values: [uar_finding]

  Data input type discriminator

  triggers string[]

  UarFindingV1 trigger reasons that fire this workflow (ANY match). Defaults to ["manual"] when empty.

  campaign_ids uuid[]

  Filter by specific campaign IDs. Empty matches all.

  campaign_template_ids uuid[]

  Filter by campaign template IDs. Empty matches all.

  campaign_types string[]

  Filter by campaign type (e.g. user, resource, non_human_identity). Empty matches all.

  classification_tags string[]

  Filter by classification tags on the finding. Empty matches all.

  outcomes string[]

  Filter by reviewer decision outcome (e.g. approve, revoke). Empty matches all.

  only_effective boolean

  Default value: false

  Match only when effective_outcome == outcome — the decision survived multi-tier escalation rather than being overridden.

  min_level integer

  Filter by decision level >= this value.

  only_high_privilege boolean

  Default value: false

  Restrict to findings flagged as high-privilege.

  user_source_types string[]

  Filter by user identity source type. Empty matches all.

  user_entity_types string[]

  Filter by user entity type. Empty matches all.

  asset_source_types string[]

  Filter by asset source type. Empty matches all.

  asset_entity_types string[]

  Filter by asset entity type. Empty matches all.

  granting_entity_types string[]

  Filter by granting entity type (e.g. role, group). Empty matches all.

  scim_filter string

  Optional SCIM-style filter over the flattened finding payload, applied after the structured filters above.

  type string required

  Possible values: [cypher_query]

  Data input type discriminator

  query string required

  Possible values: non-empty and <= 10000 characters

  Read-only Cypher query whose rows feed downstream workflow actions. Must contain MATCH and RETURN clauses. Write operations and the USE clause are rejected by the validator. Comments and strings are tokenized before validation, so a write keyword inside a string literal is allowed.

  parameters object

  Parameters bound into the query at execution time. Keys must match the $name placeholders in query. Values are passed verbatim to the Neo4j driver.

  max_rows integer

  Possible values: >= 1 and <= 10000

  Default value: 1000

  Maximum rows returned by a scheduled execution (NOT the preview). Capped server-side at 10000.

  timeout_seconds integer

  Possible values: >= 1 and <= 300

  Default value: 30

  Per-execution query timeout (NOT the preview). Capped server-side at 300.

  on_limit_exceeded string

  Possible values: [fail, truncate]

  Default value: fail

  Behavior when the query returns more than max_rows. fail aborts the execution with an error; truncate returns the first max_rows rows and marks the execution as truncated.

  primary_entity_column string

  Optional. Name of a query result column whose value is the primary entity ID for each row. When set, downstream remediation actions can target this entity. Must match one of the column aliases in the query's RETURN clause.

• actions object

  Updated actions configuration. Map of action ID to action configuration.

  discriminator

  Possible values: [remediation, ticket, data_sink, webhook, notification, condition]

  oneOf
• starting_actions string[]

  IDs of actions to execute first after data input completes. Enables tree-based execution where only these actions start initially, and child actions are triggered via the children field.

Responses

• 200
• 400
• 404

---

Workflow updated successfully

application/json

• Schema
• Example (from schema)

---

Schema

• meta object

  pagination object

  limit integer

  offset integer

  total_count int64

  cursor_pagination object

  limit integer

  cursor string

  total_count int64
• errors object[]

  httpcode integer

  message string
• result object

  kind string

  Possible values: [workflow, workflow_with_configuration]

  Discriminator for the GET /workflows/{id} response variant. workflow is returned when include_configuration=false; workflow_with_configuration when the latest version is bundled into the response. The enum lists both values intentionally so the schema composition WorkflowWithConfiguration = allOf [Workflow, WorkflowConfiguration] doesn't produce an unsatisfiable enum constraint; the discriminator on the endpoint's oneOf does the runtime dispatch. Required so the typescript-fetch generator emits switch-based dispatch (needed since openapi-generator-cli v7 — see PR #5928) instead of order-sensitive instanceOf checks that silently drop the configuration fields when both schemas overlap.

  id string

  Unique workflow identifier

  org_id string

  Organization ID

  name string

  Possible values: non-empty and <= 255 characters

  Workflow name

  description string

  Possible values: <= 1000 characters

  Workflow description

  status string

  Possible values: [draft, active, paused, deleted]

  Current state of a workflow

  created_by string

  User ID who created the workflow

  created_at date-time

  Workflow creation timestamp

  updated_by string

  User ID who last updated the workflow

  updated_at date-time

  Last update timestamp

  activated_at date-time

  When workflow was first activated

  paused_at date-time

  When workflow was paused

  last_executed_at date-time

  Last execution timestamp

  execution_count integer

  Total execution count

  success_count integer

  Successful execution count

  failure_count integer

  Failed execution count

  latest_configuration_id string

  ID of the latest configuration version

  latest_configuration_version integer

  Latest configuration version number

  workflow_id string

  Parent workflow ID

  version integer

  Possible values: >= 1

  Configuration version number

  data_input_config object

  oneOf

  • MOD1
  • MOD2
  • MOD3
  • MOD4

  ---

  type string

  Possible values: [detection]

  Data input type discriminator

  scim_filter string

  Possible values: non-empty

  SCIM filter string to apply when querying detections. Examples:

  • severity eq "critical"
  • type eq "aws_identity_unused" and status eq "new"
  • entity_type eq "aws_iam_user"
  • severity eq "critical" or severity eq "high"

  limit integer

  Possible values: <= 10000

  Maximum number of detections to retrieve (0 for no limit)

  sorting object[]

  Sorting configuration for results

  field string

  Field to sort by

  direction string

  Possible values: [asc, desc]

  Default value: desc

  Sort direction

  type string

  Possible values: [lifecycle]

  Data input type discriminator

  event_types string[]

  Possible values: [created, deleted, suspended, modified, reactivated, role_changed, group_added, group_removed, risk_score_changed, inactive_threshold], >= 1

  Lifecycle events that trigger this workflow

  entity_types string[]

  Filter by entity types (e.g., aws_iam_user, entra_user). If empty, all entity types are matched.

  source_types string[]

  Filter by identity source types (e.g., aws_account, entra). If empty, all source types are matched.

  connection_ids string[]

  Filter by specific connection IDs. If empty, all connections are matched.

  min_risk_score integer

  Possible values: <= 100

  Only trigger for entities with risk score >= this value

  max_risk_score integer

  Possible values: <= 100

  Only trigger for entities with risk score <= this value

  include_relationships boolean

  Default value: false

  Fetch manager, groups, direct reports from Neo4j

  include_permissions boolean

  Default value: false

  Fetch permission assignments from Neo4j

  include_access_history boolean

  Default value: false

  Fetch recent access records from Neo4j

  relationship_depth integer

  Possible values: <= 3

  Default value: 1

  How deep to traverse relationships in Neo4j (default 1, max 3)

  scim_filter string

  Additional SCIM-style filter criteria for the entity

  type string

  Possible values: [uar_finding]

  Data input type discriminator

  triggers string[]

  UarFindingV1 trigger reasons that fire this workflow (ANY match). Defaults to ["manual"] when empty.

  campaign_ids uuid[]

  Filter by specific campaign IDs. Empty matches all.

  campaign_template_ids uuid[]

  Filter by campaign template IDs. Empty matches all.

  campaign_types string[]

  Filter by campaign type (e.g. user, resource, non_human_identity). Empty matches all.

  classification_tags string[]

  Filter by classification tags on the finding. Empty matches all.

  outcomes string[]

  Filter by reviewer decision outcome (e.g. approve, revoke). Empty matches all.

  only_effective boolean

  Default value: false

  Match only when effective_outcome == outcome — the decision survived multi-tier escalation rather than being overridden.

  min_level integer

  Filter by decision level >= this value.

  only_high_privilege boolean

  Default value: false

  Restrict to findings flagged as high-privilege.

  user_source_types string[]

  Filter by user identity source type. Empty matches all.

  user_entity_types string[]

  Filter by user entity type. Empty matches all.

  asset_source_types string[]

  Filter by asset source type. Empty matches all.

  asset_entity_types string[]

  Filter by asset entity type. Empty matches all.

  granting_entity_types string[]

  Filter by granting entity type (e.g. role, group). Empty matches all.

  scim_filter string

  Optional SCIM-style filter over the flattened finding payload, applied after the structured filters above.

  type string

  Possible values: [cypher_query]

  Data input type discriminator

  query string

  Possible values: non-empty and <= 10000 characters

  Read-only Cypher query whose rows feed downstream workflow actions. Must contain MATCH and RETURN clauses. Write operations and the USE clause are rejected by the validator. Comments and strings are tokenized before validation, so a write keyword inside a string literal is allowed.

  parameters object

  Parameters bound into the query at execution time. Keys must match the $name placeholders in query. Values are passed verbatim to the Neo4j driver.

  max_rows integer

  Possible values: >= 1 and <= 10000

  Default value: 1000

  Maximum rows returned by a scheduled execution (NOT the preview). Capped server-side at 10000.

  timeout_seconds integer

  Possible values: >= 1 and <= 300

  Default value: 30

  Per-execution query timeout (NOT the preview). Capped server-side at 300.

  on_limit_exceeded string

  Possible values: [fail, truncate]

  Default value: fail

  Behavior when the query returns more than max_rows. fail aborts the execution with an error; truncate returns the first max_rows rows and marks the execution as truncated.

  primary_entity_column string

  Optional. Name of a query result column whose value is the primary entity ID for each row. When set, downstream remediation actions can target this entity. Must match one of the column aliases in the query's RETURN clause.

  actions object

  Actions configuration. Map of action ID to action configuration.

  discriminator

  Possible values: [remediation, ticket, data_sink, webhook, notification, condition]

  oneOf

  starting_actions string[]

  IDs of actions to execute first (after data input).

  schedule string

  Optional cron expression (5-field, UTC). When non-empty, the workflow is registered with the scheduler and fires on each tick (cron parser: github.com/hashicorp/cronexpr). Must be empty when data_input_config.type is lifecycle — lifecycle workflows are event-driven and cannot be scheduled.

  is_latest boolean

  Whether this is the latest version

{
  "meta": {
    "pagination": {
      "limit": 0,
      "offset": 0,
      "total_count": 0
    },
    "cursor_pagination": {
      "limit": 0,
      "cursor": "string",
      "total_count": 0
    }
  },
  "errors": [
    {
      "httpcode": 0,
      "message": "string"
    }
  ],
  "result": {
    "kind": "workflow",
    "id": "string",
    "org_id": "string",
    "name": "string",
    "description": "string",
    "status": "draft",
    "created_by": "string",
    "created_at": "2005-12-24T18:29:30.033157Z",
    "updated_by": "string",
    "updated_at": "2005-12-24T18:29:30.033157Z",
    "activated_at": "2005-12-24T18:29:30.033157Z",
    "paused_at": "2005-12-24T18:29:30.033157Z",
    "last_executed_at": "2005-12-24T18:29:30.033157Z",
    "execution_count": 0,
    "success_count": 0,
    "failure_count": 0,
    "latest_configuration_id": "string",
    "latest_configuration_version": 0,
    "workflow_id": "string",
    "version": 0,
    "data_input_config": {
      "type": "detection",
      "scim_filter": "string",
      "limit": 0,
      "sorting": [
        {
          "field": "string",
          "direction": "desc"
        }
      ]
    },
    "actions": {},
    "starting_actions": [
      "string"
    ],
    "schedule": "string",
    "is_latest": true
  }
}

Bad Request

application/json

• Schema
• Example (from schema)

---

Schema

• meta object

  pagination object

  limit integer

  offset integer

  total_count int64

  cursor_pagination object

  limit integer

  cursor string

  total_count int64
• errors object[]

  httpcode integer

  message string

{
  "meta": {
    "pagination": {
      "limit": 0,
      "offset": 0,
      "total_count": 0
    },
    "cursor_pagination": {
      "limit": 0,
      "cursor": "string",
      "total_count": 0
    }
  },
  "errors": [
    {
      "httpcode": 0,
      "message": "string"
    }
  ]
}

Not Found

application/json

• Schema
• Example (from schema)

---

Schema

• meta object

  pagination object

  limit integer

  offset integer

  total_count int64

  cursor_pagination object

  limit integer

  cursor string

  total_count int64
• errors object[]

  httpcode integer

  message string

{
  "meta": {
    "pagination": {
      "limit": 0,
      "offset": 0,
      "total_count": 0
    },
    "cursor_pagination": {
      "limit": 0,
      "cursor": "string",
      "total_count": 0
    }
  },
  "errors": [
    {
      "httpcode": 0,
      "message": "string"
    }
  ]
}