Workflow triggers
  • 21 Mar 2024

Use key events from the case lifecycle to trigger automation workflows. For example, create a workflow that is triggered when an observable is added to a case and automatically enriches it.

Below is a list of the events that can be used as workflow triggers. You can add trigger conditions to limit the scenarios in which workflows using these triggers will execute. Examples of use cases and trigger conditions are available for each event, as well as an example of the trigger event.

Note
Use the Custom trigger scenario to trigger a workflow when there are case updates that don't fall under the scope of other triggers. 

Create a workflow with a Torq Cases trigger

New case created

Use the New case created scenario to trigger a workflow when any case is created.

Trigger condition example

You can add a condition for the workflow to execute only for a specific category of cases.

case created trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "***.***@***.***",
      "category": "Identity & Access Management",
      "createdTime": "2023-04-21T17:30:11.889956Z",
      "description": "case description",
      "id": 3,
      "prettyId": "#3",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-21T17:30:11.889956Z"
      },
      "state": {
        "id": 1,
        "value": "STATE_ID_NEW"
      },
      "title": "Demo",
      "updatedTime": null
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenarioId": "CASE_CREATED",
  "timestamp": "2023-04-21T17:30:13.191079973Z",
  "triggeredBy": {
    "user": {
      "email": "***.***@***.***"
    }
  }
}

Use case example

When a case is created, you can run additional checks on its properties. For example, if the case was created due to a user's suspicious activity, you may want to check whether it's a power user with elevated privileges (VIP). If so, the incident should be prioritized, and you may wish to notify additional stakeholders.

  1. Use the New case created trigger and add a trigger condition for the workflow to execute only when the case category is Identity & Access Management (more on case categories).
  2. Check whether the user is a power user (VIP) by checking group memberships in your organization's identity and access management service, for example, Okta.
  3. If the user is a power user (VIP), raise the case severity to be critical, add a comment with the findings, and change the case state to in progress.
    case created trigger use case

Note updated

Use the Note updated scenario to trigger a workflow each time a note is added, updated, or deleted in a case.

Trigger condition example

You can add a condition for the workflow to execute only when the note is updated by a user.

Note updated trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "notes": {
    "current": {
      "case_id": 1970,
      "content": "<p>The note content.</p>",
      "created_at": "2024-01-10T14:54:26.297023Z",
      "created_by": {
        "kind": "USER",
        "user": {
          "email": "***@***.io"
        }
      },
      "id": "8d509422-ae66-****-bd17-e04dfad43a65",
      "title": "New note",
      "updated_at": null,
      "updated_by": null
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenario_id": "NOTE_UPDATED",
  "timestamp": "2024-01-10T14:54:26.326555964Z",
  "triggered_by": {
    "kind": "USER",
    "user": {
      "email": "***@***.io"
    }
  }
}

Use case example

When a note is created, updated, or deleted, you may want to execute a workflow that informs the case assignee.

  1. Use the Note updated trigger scenario. Add trigger conditions as required.
  2. Use the Get case details step to retrieve additional information about the case.
  3. Add a condition to check whether the case assignee updated the note. If not, send a Slack message to the case assignee to inform them of the update.

Note updated trigger use case

Assigned to a teammate

Use the Assigned to a teammate scenario to trigger a workflow whenever a case is assigned.

Trigger condition example

You can add a condition for the workflow to execute only if a team member assigned a case to someone other than themselves.

Case assigned trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "***.***@***.***",
      "category": "Identity & Access Management",
      "createdTime": "2023-04-22T08:29:54.091605Z",
      "description": "",
      "id": 4,
      "prettyId": "#4",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-22T08:29:54.091605Z"
      },
      "state": {
        "id": 2,
        "value": "STATE_ID_IN_PROGRESS"
      },
      "title": "test case",
      "updatedTime": "2023-04-22T08:30:36.619305Z"
    },
    "previous": {
      "assignee": "***.***@***.***",
      "category": "Identity & Access Management",
      "createdTime": "2023-04-22T08:29:54.091605Z",
      "description": "",
      "id": 4,
      "prettyId": "#4",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-22T08:29:54.091605Z"
      },
      "state": {
        "id": 2,
        "value": "STATE_ID_IN_PROGRESS"
      },
      "title": "test case",
      "updatedTime": "2023-04-22T08:30:20.119589Z"
    }
  },
  "operation": "UPDATE",
  "scenarioId": "CASE_ASSIGNEE_UPDATED",
  "timestamp": "2023-04-22T08:30:36.638093212Z",
  "triggeredBy": {
    "user": {
      "email": "***.***@***.***"
    }
  }
}

Use case example

When a case is assigned, you may want to execute a workflow that informs the assignee and asks them to confirm that they will handle it.

  1. Use the Assigned to a teammate trigger and add a trigger condition for the workflow to execute only when a user didn't assign a case to themselves.
  2. The assignee is requested to confirm the case assignment.
  3. If the confirmation request times out, the case is assigned to the team lead to make sure the case is being handled properly.
    case assigned trigger use case

Severity changed

Use the Severity changed scenario to trigger a workflow whenever there's a modification in the case severity.

Trigger condition example

You can add a condition for the workflow to execute only when the severity rises.

case severity changed trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "",
      "category": "",
      "createdTime": "2023-04-16T07:43:02.097970Z",
      "description": "",
      "id": 2,
      "prettyId": "#2",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 5,
        "value": "SEVERITY_ID_CRITICAL"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-16T07:43:02.097970Z"
      },
      "state": {
        "id": 1,
        "value": "STATE_ID_NEW"
      },
      "title": "test case 2",
      "updatedTime": "2023-04-18T09:06:50.643336Z"
    },
    "previous": {
      "assignee": "",
      "category": "",
      "createdTime": "2023-04-16T07:43:02.097970Z",
      "description": "",
      "id": 2,
      "prettyId": "#2",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-16T07:43:02.097970Z"
      },
      "state": {
        "id": 1,
        "value": "STATE_ID_NEW"
      },
      "title": "test case 2",
      "updatedTime": "2023-04-18T09:06:45.912276Z"
    }
  },
  "operation": "UPDATE",
  "scenarioId": "CASE_SEVERITY_UPDATED",
  "timestamp": "2023-04-18T09:06:50.695505597Z",
  "triggeredBy": {
    "user": {
      "email": "***.***@***.***"
    }
  }
}

Use case example

When the severity of a case is updated to critical, you can notify one of the on-call engineers for immediate action.

  1. Use the Severity changed trigger and add a trigger condition for the workflow to execute only when the case severity is updated to critical.
  2. Loop over the list of on-call engineers and ask them to review the case and take immediate action if required.
  3. Assign the case to the first on-call engineer that confirms they are available to review it.
    case severity changed trigger use case

Observable added

Use the Observable added scenario to trigger a workflow whenever an observable is added to a case.

Trigger condition example

You can add a condition for the workflow to execute only for observables that are IP addresses.

Added an Observable trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "associatedObservable": {
    "current": {
      "caseId": 3,
      "isPinned": false,
      "observable": {
        "description": "",
        "firstObserved": "2023-04-21T18:20:06.643786Z",
        "id": 5,
        "lastObserved": "2023-04-21T18:20:06.643786Z",
        "reputation": 2,
        "value": {
          "ip": "9.9.9.9"
        }
      },
      "witnessedAt": "2023-04-21T18:20:06.643786Z"
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
  "timestamp": "2023-04-21T18:20:06.672584658Z",
  "triggeredBy": {
    "user": {
      "email": "***.***@***.***"
    }
  }
}

Use case example

When an observable is added to a case, the generated event can automatically trigger a workflow that will enrich it.

  1. Use the Observable added trigger and add a trigger condition for the workflow to execute only when the observable is an IP address.
  2. Enrich the observable with multiple services simultaneously.
  3. Normalize the observable score and use it as the verdict. For example, the score can represent the count of services flagging the observable as malicious. If the observable verdict is malicious, you may want to consider raising the case severity.
    Added an Observable trigger use case
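
The enrichment flow described above, as an added example that is not Torq's own code: it applies the IP-only trigger condition, skips addresses that are not publicly routable before anything is sent to a third party, queries the services at once, and uses the count of services flagging the observable as the verdict. The service names, response fields and thresholds are hypothetical, and the event and responses are constructed.

```python
import ipaddress
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional


def observable_ip(event: dict) -> Optional[str]:
    """Trigger condition: an Observable added event whose value is a valid IP."""
    if event.get("scenarioId") != "ASSOCIATED_OBSERVABLE_CREATED":
        return None
    current = (event.get("associatedObservable") or {}).get("current") or {}
    ip = ((current.get("observable") or {}).get("value") or {}).get("ip")
    if not isinstance(ip, str):
        return None
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    return ip


def is_enrichable(ip: str) -> bool:
    """Private, loopback and reserved addresses stay out of external lookups."""
    return ipaddress.ip_address(ip).is_global


def enrich_all(ip: str, services: Dict[str, Callable[[str], dict]]) -> Dict[str, Optional[dict]]:
    """Query every service at once; a service that raises yields None."""
    def call(fn: Callable[[str], dict]) -> Optional[dict]:
        try:
            return fn(ip)
        except Exception:
            return None
    with ThreadPoolExecutor(max_workers=max(1, len(services))) as pool:
        futures = {name: pool.submit(call, fn) for name, fn in services.items()}
        return {name: fut.result() for name, fut in futures.items()}


# Hypothetical per-service rules: raw response -> "flags the IP as malicious".
FLAGGERS: Dict[str, Callable[[dict], bool]] = {
    "svc_score100": lambda r: r["score"] >= 70,            # 0-100 risk score
    "svc_engines": lambda r: r["malicious_engines"] >= 3,  # engine hit count
    "svc_label": lambda r: r["verdict"] == "malicious",    # text label
}


def verdict(responses: Dict[str, Optional[dict]]) -> dict:
    """Normalized score = number of answering services that flag the IP."""
    answered = {n: r for n, r in responses.items() if r is not None and n in FLAGGERS}
    score = sum(1 for n, r in answered.items() if FLAGGERS[n](r))
    if not answered:
        label = "unknown"      # no data is not the same as benign
    elif score >= 2:           # assumed threshold
        label = "malicious"
    elif score == 1:
        label = "suspicious"
    else:
        label = "benign"
    return {"score": score, "answered": len(answered), "verdict": label,
            "raise_severity": label == "malicious"}


def handle(event: dict, services: Dict[str, Callable[[str], dict]]) -> Optional[dict]:
    ip = observable_ip(event)
    if ip is None:
        return None            # trigger condition not met
    if not is_enrichable(ip):
        return {"score": 0, "answered": 0, "verdict": "skipped", "raise_severity": False}
    return verdict(enrich_all(ip, services))


def _timeout(ip: str) -> dict:
    raise TimeoutError("constructed failure")


# Constructed stand-ins for real integrations.
SAMPLE_SERVICES: Dict[str, Callable[[str], dict]] = {
    "svc_score100": lambda ip: {"score": 87},
    "svc_engines": lambda ip: {"malicious_engines": 6, "total_engines": 70},
    "svc_label": _timeout,
}

# Constructed event, trimmed from the sample above.
SAMPLE_EVENT = {
    "associatedObservable": {
        "current": {"caseId": 3, "observable": {"id": 5, "value": {"ip": "9.9.9.9"}}},
        "previous": None,
    },
    "operation": "CREATE",
    "scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
}

if __name__ == "__main__":
    print(handle(SAMPLE_EVENT, SAMPLE_SERVICES))
```

A service that fails is left out of the count rather than treated as a clean result, so an outage cannot lower the verdict.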

Observable updated

Use the Observable updated scenario to trigger a workflow for every update of an observable, regardless of whether it's associated with any cases. 

Trigger condition example

You can add a condition for the workflow to execute only when the observable reputation is updated to indicate that it's not or may not be safe.

Observable updated trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "observables": {
    "current": {
      "description": "",
      "first_observed_at": "2023-07-03T09:54:25.904609Z",
      "id": 10,
      "last_observed_at": "2023-07-03T09:58:07.170794Z",
      "reputation": {
        "id": 5,
        "name": "MAY_NOT_BE_SAFE"
      },
      "type": {
        "id": 2,
        "name": "IP_ADDRESS"
      },
      "value": {
        "ip": "13.13.13.13"
      },
      "workspace_id": ""
    },
    "previous": {
      "description": "",
      "first_observed_at": "2023-07-03T09:54:25.904609Z",
      "id": 10,
      "last_observed_at": "2023-07-03T09:58:07.170794Z",
      "reputation": {
        "id": 1,
        "name": "VERY_SAFE"
      },
      "type": {
        "id": 2,
        "name": "IP_ADDRESS"
      },
      "value": {
        "ip": "13.13.13.13"
      },
      "workspace_id": ""
    }
  },
  "operation": "UPDATE",
  "scenario_id": "OBSERVABLE_UPDATED",
  "timestamp": "2023-07-03T10:18:11.509992672Z",
  "triggered_by": {
    "kind": "USER",
    "user": {
      "email": "***@***.io"
    }
  }
}

Use case example

When the reputation of an observable is updated to indicate that it may not be safe (or that it is unsafe), you can use the generated event to trigger a workflow that will update the timelines and the assignees of all the cases the observable is associated with.

  1. Use the Observable updated trigger and add a trigger condition for the workflow to execute only when the observable reputation is updated to indicate that it's not or may not be safe.
  2. Retrieve all cases the observable is associated with.
  3. Loop over the retrieved cases, add a comment to the timeline of each case, and send a message to the case assignee.

Observable updated trigger use case

State changed

Use the State changed scenario to trigger a workflow every time a case transitions from one state to another.

Trigger condition example

You can add a condition for the workflow to execute only when the case transitions to a specific state.

case state changed trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "***.***@***.***",
      "category": "Identity & Access Management",
      "createdTime": "2023-04-21T17:30:11.889956Z",
      "description": "case description",
      "id": 3,
      "prettyId": "#3",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-21T17:30:11.889956Z"
      },
      "state": {
        "id": 3,
        "value": "STATE_ID_ON_HOLD"
      },
      "title": "Demo",
      "updatedTime": "2023-04-21T17:31:28.513722Z"
    },
    "previous": {
      "assignee": "***.***@***.***",
      "category": "Identity & Access Management",
      "createdTime": "2023-04-21T17:30:11.889956Z",
      "description": "case description",
      "id": 3,
      "prettyId": "#3",
      "reporter": {
        "user": {
          "email": "***.***@***.***"
        }
      },
      "severity": {
        "id": 2,
        "value": "SEVERITY_ID_LOW"
      },
      "sla": {
        "due": "86400s",
        "endedTime": null,
        "startedTime": "2023-04-21T17:30:11.889956Z"
      },
      "state": {
        "id": 2,
        "value": "STATE_ID_IN_PROGRESS"
      },
      "title": "Demo",
      "updatedTime": "2023-04-21T17:30:25.398745Z"
    }
  },
  "operation": "UPDATE",
  "scenarioId": "CASE_STATE_UPDATED",
  "timestamp": "2023-04-21T17:31:28.543872751Z",
  "triggeredBy": {
    "user": {
      "email": "***.***@***.***"
    }
  }
}

Use case example

When the case state changes from new to in progress, you can use the generated event to trigger a workflow that will assign the case to a team member.

  1. Use the State changed trigger and add a trigger condition for the workflow to execute only when the case transitions from the new state to in progress.
  2. Randomly select a team member to assign the case and notify them via Slack.
    case state changed trigger use case

Attachment Added

Use the Attachment Added scenario to trigger a workflow whenever an attachment is added to a case.

Trigger condition example

You can add a condition for the workflow to execute only if the attachment is an image.

Attachment added trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "attachments": {
    "current": {
      "caseId": 3,
      "createdAt": "2023-05-07T10:28:33.421020Z",
      "fileName": "200-0-4.jpeg",
      "id": "ed2d9ce4-b603-4e80-93a2-c0960ca27123",
      "mimeType": "image/jpeg",
      "relativePath": "0ba55c55-d47e-4f07-9f10-15f47c1ae129/cases/3:200-0-4.jpe",
      "size": 24971
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenarioId": "ATTACHMENT_CREATED",
  "timestamp": "2023-05-07T10:28:33.440336411Z",
  "triggeredBy": {
    "kind": "USER",
    "user": {
      "email": "***@***.***"
    }
  }
}

Use case example

When an attachment is added to a case, you can use the generated event to trigger a workflow to check whether the case assignee needs to be notified.

  1. Use the Attachment Added trigger. Add trigger conditions as necessary. 
  2. Retrieve the case information to check whether the user who added the attachment is the case assignee.
  3. If not, notify the case assignee of the new attachment. You may also want to send them a link they can use to download the attachment. 

Attachment added trigger use case

Category changed

Use the Category changed scenario to trigger a workflow when the category of a case is set or updated.

Trigger condition example

You can add a condition for the workflow to execute only when the case category is changed to a specific value. You can create different workflows to handle different case categories.

Category changed trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "",
      "category": "Malware",
      "created_at": "2023-11-23T08:30:52.608856Z",
      "description": "",
      "id": 1492,
      "pretty_id": "#1492",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-11-23T08:30:52.608856Z",
        "value": "28800"
      },
      "state": {
        "id": 1,
        "type": 1,
        "value": "NEW"
      },
      "tags": [],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": "2023-11-23T08:30:54.740722Z",
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    },
    "previous": {
      "assignee": "",
      "category": "",
      "created_at": "2023-11-23T08:30:52.608856Z",
      "description": "",
      "id": 1492,
      "pretty_id": "#1492",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-11-23T08:30:52.608856Z",
        "value": "28800"
      },
      "state": {
        "id": 1,
        "type": 1,
        "value": "NEW"
      },
      "tags": [],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": null,
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    }
  },
  "operation": "UPDATE",
  "scenario_id": "CASE_CATEGORY_UPDATED",
  "timestamp": "2023-11-23T08:30:54.797214680Z",
  "triggered_by": {
    "kind": "WORKFLOW",
    "workflow": {
      "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
      "id": "1da523e5-0b8d-****-adb4-868f40677b50"
    }
  }
}

Use case example

When the case category is updated, you can use the generated event to trigger a workflow that will add category-specific custom fields to the case. This example is based on a template.

  1. Use the Category changed trigger. Trigger conditions aren't required.
  2. List the current custom fields of the case and compare them with the custom fields the case should have based on its category.
  3. Loop over the missing custom fields and add them.

Category changed trigger use case

Comment added

Use the Comment added scenario to trigger a workflow whenever a comment is added to a case timeline.

Trigger condition example

You can add a condition for the workflow to execute only if the comment was added automatically during workflow execution.

Comment added trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "comments": {
    "current": {
      "case_id": 71,
      "content": "comment",
      "id": "9a1d7276-44cd-4701-****-6c4ac020d440"
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenario_id": "COMMENT_CREATED",
  "timestamp": "2023-07-03T11:21:16.739582950Z",
  "triggered_by": {
    "kind": "USER",
    "user": {
      "email": "***@***.io"
    }
  }
}

Use case example

When a comment is added to a case, you can use the generated event to trigger a workflow that will notify the assignee.

  1. Use the Comment Added trigger. Add trigger conditions as necessary. 
  2. Retrieve the case information to check whether the case was assigned.
  3. If applicable, notify the case assignee of the new comment.

Comment added trigger use case

Custom

Use the Custom trigger scenario to trigger a workflow upon case updates to which the rest of the triggers don't apply.

Trigger condition example

You can set a condition for the workflow to execute only when the case description has been updated by a workflow and was initially empty.

Custom trigger conditions

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "",
      "category": "Malware",
      "created_at": "2023-11-23T08:30:52.608856Z",
      "description": "A user's computer was found infected with a Trojan horse malware variant. The malware is capable of stealing sensitive information and executing unauthorized commands.",
      "id": 1492,
      "pretty_id": "#1492",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-11-23T08:30:52.608856Z",
        "value": "28800"
      },
      "state": {
        "id": 1,
        "type": 1,
        "value": "NEW"
      },
      "tags": [],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": "2023-11-23T08:30:58.136911Z",
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    },
    "previous": {
      "assignee": "",
      "category": "Malware",
      "created_at": "2023-11-23T08:30:52.608856Z",
      "description": "",
      "id": 1492,
      "pretty_id": "#1492",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-11-23T08:30:52.608856Z",
        "value": "28800"
      },
      "state": {
        "id": 1,
        "type": 1,
        "value": "NEW"
      },
      "tags": [],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": "2023-11-23T08:30:54.740722Z",
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    }
  },
  "operation": "UPDATE",
  "scenario_id": "CASE_UPDATED",
  "timestamp": "2023-11-23T08:30:58.193885908Z",
  "triggered_by": {
    "kind": "WORKFLOW",
    "workflow": {
      "execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
      "id": "1da523e5-0b8d-****-adb4-868f40677b50"
    }
  }
}

Use case example

One example of an event you can monitor with the Custom trigger is an automatic case description update. When the case description is set by a workflow, you can use the generated event to trigger a different workflow that will notify the case assignee or a Slack channel of the update.

  1. Use the Custom trigger. Add trigger conditions according to the example above.
  2. If the case is assigned, notify the assignee. Otherwise, notify the relevant Slack channel.

Custom trigger use case
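
The previous/current comparisons behind the Severity changed, State changed and Custom trigger conditions, as an added example that is not Torq's own code. It accepts both key styles that appear in the sample events on this page (camelCase and snake_case); the events are constructed and trimmed, and the function names are hypothetical.

```python
from typing import Any, Callable, Dict, Optional, Tuple


def pick(obj: Any, *names: str) -> Any:
    """Return the value of the first key in `names` that `obj` contains."""
    if isinstance(obj, dict):
        for name in names:
            if name in obj:
                return obj[name]
    return None


def scenario_id(event: dict) -> Optional[str]:
    # The page's samples use "scenarioId" in some events and "scenario_id" in others.
    return pick(event, "scenarioId", "scenario_id")


def actor_kind(event: dict) -> Optional[str]:
    """USER or WORKFLOW; inferred from the sub-object when "kind" is absent."""
    actor = pick(event, "triggeredBy", "triggered_by") or {}
    if actor.get("kind"):
        return actor["kind"]
    for key, kind in (("user", "USER"), ("workflow", "WORKFLOW")):
        if key in actor:
            return kind
    return None


def case_pair(event: dict) -> Tuple[Optional[dict], Optional[dict]]:
    cases = event.get("cases") or {}
    return cases.get("previous"), cases.get("current")


def severity_rose(event: dict) -> bool:
    """Severity changed: run only when the severity rises."""
    prev, cur = case_pair(event)
    if not prev or not cur:  # CREATE events carry "previous": null
        return False
    # Assumption: a larger severity id is more severe (the page shows LOW=2, CRITICAL=5).
    return cur["severity"]["id"] > prev["severity"]["id"]


def state_name(case: dict) -> str:
    # State values appear on the page both as "STATE_ID_NEW" and as "NEW".
    value, prefix = case["state"]["value"], "STATE_ID_"
    return value[len(prefix):] if value.startswith(prefix) else value


def state_moved(event: dict, old: str, new: str) -> bool:
    """State changed: run only for one specific transition."""
    prev, cur = case_pair(event)
    if not prev or not cur:
        return False
    return state_name(prev) == old and state_name(cur) == new


def description_set_by_workflow(event: dict) -> bool:
    """Custom: description updated by a workflow and initially empty."""
    prev, cur = case_pair(event)
    if not prev or not cur:
        return False
    return (actor_kind(event) == "WORKFLOW"
            and not prev.get("description")
            and bool(cur.get("description")))


# Scenario ids are the ones shown in the page's sample events.
CONDITIONS: Dict[str, Callable[[dict], bool]] = {
    "CASE_SEVERITY_UPDATED": severity_rose,
    "CASE_STATE_UPDATED": lambda e: state_moved(e, "NEW", "IN_PROGRESS"),
    "CASE_UPDATED": description_set_by_workflow,
}


def should_run(event: dict) -> bool:
    check = CONDITIONS.get(scenario_id(event) or "")
    return bool(check and check(event))


# Constructed events, trimmed to the fields the conditions read.
SEVERITY_EVENT = {
    "cases": {"previous": {"severity": {"id": 2, "value": "SEVERITY_ID_LOW"}},
              "current": {"severity": {"id": 5, "value": "SEVERITY_ID_CRITICAL"}}},
    "operation": "UPDATE", "scenarioId": "CASE_SEVERITY_UPDATED",
    "triggeredBy": {"user": {"email": "analyst@example.com"}},
}
STATE_EVENT = {
    "cases": {"previous": {"state": {"id": 1, "value": "STATE_ID_NEW"}},
              "current": {"state": {"id": 2, "value": "STATE_ID_IN_PROGRESS"}}},
    "operation": "UPDATE", "scenarioId": "CASE_STATE_UPDATED",
    "triggeredBy": {"user": {"email": "analyst@example.com"}},
}
CUSTOM_EVENT = {
    "cases": {"previous": {"description": ""},
              "current": {"description": "Set by an enrichment workflow"}},
    "operation": "UPDATE", "scenario_id": "CASE_UPDATED",
    "triggered_by": {"kind": "WORKFLOW", "workflow": {"id": "wf-placeholder"}},
}

if __name__ == "__main__":
    for ev in (SEVERITY_EVENT, STATE_EVENT, CUSTOM_EVENT):
        print(scenario_id(ev), actor_kind(ev), should_run(ev))
```

Checking the actor kind matters most for workflows that write back to the case they were triggered by, because a workflow that reacts to its own update would otherwise trigger itself again.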

Link updated

Use the Link updated scenario to trigger a workflow whenever cases are linked, unlinked, or a link is updated.

Trigger condition example

You can add a condition for the workflow to execute only when a link is created.

Link updated trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "links": {
    "current": {
      "actor": {
        "kind": "USER",
        "user": {
          "email": "***@***.io"
        }
      },
      "created_at": "2023-07-03T11:45:32.181410Z",
      "description": "I think these cases are related",
      "first_case_id": 71,
      "second_case_id": 64,
      "updated_at": null
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenario_id": "LINK_UPDATED",
  "timestamp": "2023-07-03T11:45:32.199733160Z",
  "triggered_by": {
    "kind": "USER",
    "user": {
      "email": "***@***.io"
    }
  }
}

Use case example

When a link is created, you can use the generated event to trigger a workflow that will notify the assignee of each case about the other cases linked to the case that was just linked to theirs.

  1. Use the Link updated trigger. Add a trigger condition for the workflow to execute only when a link is created.
  2. Retrieve information for both cases in the link.
  3. List the links for both cases in the newly created link.
  4. Notify the assignees of the other links associated with the case that was linked to theirs.

Link updated trigger use case

Tags updated

Use the Tags updated scenario to trigger a workflow whenever the tags of a case are updated.

Trigger condition example

You can add a condition for the workflow to execute only when the tags are updated by a workflow or the case assignee.

Tags updated trigger condition - tag added by workflow or case assignee

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "cases": {
    "current": {
      "assignee": "***@***.io",
      "category": "Malware",
      "created_at": "2023-07-04T07:30:34.071311Z",
      "description": "Case description",
      "id": 79,
      "pretty_id": "#79",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "3c108583-2c02-****-9610-d488bac571dd",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-07-04T07:30:34.071311Z",
        "value": "28800"
      },
      "state": {
        "id": 2,
        "type": 2,
        "value": "IN_PROGRESS"
      },
      "tags": [
        "Malicious observable"
      ],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": "2023-07-04T07:30:42.393278Z",
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    },
    "previous": {
      "assignee": "***@***.io",
      "category": "Malware",
      "created_at": "2023-07-04T07:30:34.071311Z",
      "description": "Case description.",
      "id": 79,
      "pretty_id": "#79",
      "reporter": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "3c108583-2c02-****-9610-d488bac571dd",
          "id": "1da523e5-0b8d-****-adb4-868f40677b50"
        }
      },
      "resolution_summary": {
        "details": "",
        "reason": ""
      },
      "runbook_id": "",
      "severity": {
        "id": 5,
        "value": "CRITICAL"
      },
      "sla": {
        "end_time": null,
        "start_time": "2023-07-04T07:30:34.071311Z",
        "value": "28800"
      },
      "state": {
        "id": 2,
        "type": 2,
        "value": "IN_PROGRESS"
      },
      "tags": [],
      "tasks": {
        "pending": 0
      },
      "title": "Malware Infection - Trojan Horse Detected",
      "updated_at": "2023-07-04T07:30:41.536989Z",
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    }
  },
  "operation": "UPDATE",
  "scenario_id": "CASE_TAGS_UPDATED",
  "timestamp": "2023-07-04T07:30:42.424070622Z",
  "triggered_by": {
    "kind": "WORKFLOW",
    "workflow": {
      "execution_id": "3c108583-2c02-****-9610-d488bac571dd",
      "id": "1da523e5-0b8d-****-adb4-868f40677b50"
    }
  }
}

Use case example

When a tag is added or updated, you can use the generated event to trigger a workflow that will link all the cases with the new tag to the updated one.

  1. Use the Tags updated workflow trigger. No trigger condition is required for this example.
  2. Loop over the tags added or updated and use the Query cases step to retrieve a list of the cases with this tag.
  3. Loop over the retrieved cases and link them to the case with updated tags. Use the tag name as the link description.

Tags updated trigger use case

Custom field updated

Use the Custom field updated scenario to trigger a workflow whenever a custom field of a case is updated.

Trigger condition example

You can add a condition for the workflow to execute only when the custom field is updated by a workflow.

Custom field updated trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "custom_fields": {
    "current": {
      "case_id": 75,
      "key": "tier",
      "schema": {
        "type": 2
      },
      "value": ""
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenario_id": "CUSTOM_FIELD_UPDATED",
  "timestamp": "2023-07-04T13:05:42.453672953Z",
  "triggered_by": {
    "kind": "USER",
    "user": {
      "email": "***@***.io"
    }
  }
}

Use case example

When a custom field is added or updated, you can use the generated event to trigger a workflow that will notify the case assignee if the case was assigned or send a message in the relevant Slack channel if the case wasn't assigned yet.

  1. Use the Custom field updated workflow trigger. No trigger condition is required for this example.
  2. Retrieve the case details to check whether the case was assigned.
  3. If assigned, notify the assignee of the custom field addition or update. Otherwise, send a message to the relevant Slack channel. In this example, each tier of analysts has its own Slack channel.

Custom field updated trigger use case

User mentioned

Use the User mentioned scenario to trigger a workflow whenever one or more users are mentioned in a comment in the case timeline. The user or users can be mentioned in a comment that's added manually by typing @ and selecting a user from the list or automatically by using the Add comment to case step. The syntax to mention a user in an automatic comment is: <m:user@company.com>. The user email can also be specified from the workflow context.
Mention a user from the context in the Add comment to case step

Trigger condition example

You can add a condition for the workflow to execute only when the user or users are mentioned by a user. This can be useful if you want to treat comments added by a user differently than comments added by a workflow.

User mentioned trigger condition

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "operation": "CREATE",
  "scenario_id": "USER_MENTIONED",
  "timestamp": "2023-08-03T10:17:55.025121927Z",
  "triggered_by": {
    "kind": "WORKFLOW",
    "workflow": {
      "execution_id": "eae79217-3d8c-****-b0ca-fe75fad23b43",
      "id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
    }
  },
  "user_mentions": {
    "current": {
      "context": {
        "id": 1,
        "value": "CASE_TIMELINE_COMMENT"
      },
      "entity_id": 363,
      "entity_type": {
        "id": 1,
        "value": "CASE"
      },
      "full_text": "Automatic comment <m:user@company.io> <m:user2@company.io>",
      "mentioned_by": {
        "kind": "WORKFLOW",
        "workflow": {
          "execution_id": "eae79217-****-****-b0ca-fe75fad23b43",
          "id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
        }
      },
      "mentioned_users": [
        "user@company.io",
        "user2@company.io"
      ],
      "timestamp": "2023-08-03T10:17:55.024959065Z"
    }
  }
}

Use case example

When a user or users are mentioned in a case timeline comment, you can use the generated event to trigger a workflow that will notify the mentioned user or users via Slack.

  1. Use the User mentioned workflow trigger. No trigger condition is required for this example.
  2. Retrieve the case details to have the case title available to use in the Slack message.
  3. Loop over the users mentioned in the comment and send each of them a Slack message with the relevant information.

User mentioned trigger use case

Event updated

Use the Event updated scenario to trigger a workflow whenever an event is attached to or detached from a case.

Note
If the case was created by a workflow triggered by an integration event, the trigger event will automatically be attached to the case.


Trigger condition example

You can add a condition for the workflow to execute only when the event was attached automatically and the event's pretty name doesn't say it's a duplicate.

Event updated trigger conditions

Trigger event example

This is an example of the trigger event this scenario will generate:

{
  "attachable_events": {
    "current": {
      "case_id": 916,
      "event_type": 1,
      "id": "5dde59e0-400e-****-b345-e1eb3c28a4a0",
      "name": "Duplicate event",
      "pretty_id": "AA-00****",
      "timestamp": "2023-09-27T11:08:36.588661Z",
      "type_details_json": {},
      "workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
    },
    "previous": null
  },
  "operation": "CREATE",
  "scenario_id": "CASE_EVENT_UPDATED",
  "timestamp": "2023-09-27T11:08:40.215319425Z",
  "triggered_by": {
    "kind": "WORKFLOW",
    "workflow": {
      "execution_id": "c14f3898-d906-****-83ee-f082f9cfc625",
      "id": "7ad1413f-1cec-****-a822-12fa4b376358"
    }
  }
}

Use case example

When an event is attached to or detached from a case, you can use the Event updated trigger scenario to trigger a workflow that will assign a user input task to the case for extra visibility.

  1. Use the Event updated workflow trigger. Use the trigger conditions from the example above.
  2. Extract the case ID from the trigger event to get the case details and assign a user input task to the case.

Event updated trigger use case


