Workflow triggers
Updated on 21 Mar 2024
Use key events from the case lifecycle to trigger automation workflows. For example, create a workflow that is triggered when an observable is added to a case and enriches it automatically.
Below is a list of the events that can be used as workflow triggers. You can add trigger conditions to limit the scenarios in which workflows using these triggers will execute. Each event below comes with an example use case, an example trigger condition, and a sample of the trigger event payload. Two things to keep in mind when writing conditions: the samples were captured at different times and mix an older camelCase key style (scenarioId, triggeredBy) with a newer snake_case style (scenario_id, triggered_by, with a kind of USER or WORKFLOW), so base your conditions on the payload your workflow actually receives; and because actions a workflow performs on a case (adding a comment, changing tags or severity, setting a custom field) generate events of their own, use the triggered_by field in your conditions where needed so that a workflow doesn't re-trigger itself or another workflow in a loop.
- Assigned to a teammate
- Attachment added
- Category changed
- Comment added
- Custom
- Custom field updated
- Event updated
- Link updated
- New case created
- Note updated
- Observable added
- Observable updated
- Severity changed
- State changed
- Tags updated
- User mentioned
New case created
Use the New case created scenario to trigger a workflow when any case is created.
Trigger condition example
You can add a condition for the workflow to execute only for a specific category of cases.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "Demo",
"updatedTime": null
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "CASE_CREATED",
"timestamp": "2023-04-21T17:30:13.191079973Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Use case example
When a case is created, you can run additional checks on its properties. For example, if the case was created because of a user's suspicious activity, you may want to check whether that user is a power user with elevated privileges (VIP). If so, the incident should be prioritized, and you may wish to notify additional stakeholders.
- Use the New case created trigger and add a trigger condition for the workflow to execute only when the case category is Identity & Access Management (more on case categories).
- Check whether the user is a power user (VIP) by checking group memberships in your organization's identity and access management service, for example, Okta.
- If the user is a power user (VIP), raise the case severity to be critical, add a comment with the findings, and change the case state to in progress.
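The three steps above, as an added Python example that is not part of this page or the product's own code. The event payload is a trimmed copy of the sample above with placeholder addresses; the IdP group lookup that the page delegates to Okta is replaced by a constructed dictionary, the privileged group names are assumed, and because the page does not say where the suspicious user's identity comes from (in practice a custom field or observable), it is passed in explicitly. The severity and state values are the ones shown in this page's payloads.

```python
# Constructed sample: the "New case created" payload from this page, trimmed to the
# fields this example reads. Addresses are placeholders, not real accounts.
NEW_CASE_EVENT = {
    "cases": {
        "current": {
            "assignee": "analyst@example.com",
            "category": "Identity & Access Management",
            "description": "Suspicious sign-in",
            "id": 3,
            "prettyId": "#3",
            "severity": {"id": 2, "value": "SEVERITY_ID_LOW"},
            "state": {"id": 1, "value": "STATE_ID_NEW"},
            "title": "Demo",
        },
        "previous": None,
    },
    "operation": "CREATE",
    "scenarioId": "CASE_CREATED",
    "triggeredBy": {"user": {"email": "reporter@example.com"}},
}

# Constructed stand-in for the IdP group lookup (Okta in the page's example).
# A real workflow would query the IdP; here membership is a plain dictionary.
GROUP_MEMBERSHIPS = {
    "jane.doe@example.com": {"Everyone", "Domain Admins"},
    "john.roe@example.com": {"Everyone"},
}
# Assumed names of privileged groups; adjust to your directory.
VIP_GROUPS = {"Domain Admins", "Executives"}

# Severity and state values as they appear in this page's payloads.
CRITICAL = {"id": 5, "value": "SEVERITY_ID_CRITICAL"}
IN_PROGRESS = {"id": 2, "value": "STATE_ID_IN_PROGRESS"}


def should_trigger(event, category="Identity & Access Management"):
    """Trigger condition: only CASE_CREATED events for one case category."""
    return (
        event.get("scenarioId") == "CASE_CREATED"
        and event["cases"]["current"].get("category") == category
    )


def is_vip(user_email, memberships, vip_groups=VIP_GROUPS):
    """A power user is a member of at least one privileged group."""
    return bool(memberships.get(user_email, set()) & vip_groups)


def plan_actions(event, subject_user, memberships):
    """Return the case updates the workflow should perform, in order.

    subject_user is the account whose activity opened the case; the page does not
    say where it comes from, so it is passed in. Returns [] when the trigger
    condition is not met or the user is not a VIP.
    """
    if not should_trigger(event) or not is_vip(subject_user, memberships):
        return []
    case = event["cases"]["current"]
    groups = sorted(memberships[subject_user] & VIP_GROUPS)
    actions = []
    # Only ever raise severity; never lower a case that is already critical.
    if case["severity"]["id"] < CRITICAL["id"]:
        actions.append({"action": "set_severity", "case_id": case["id"], "severity": CRITICAL})
    actions.append({
        "action": "add_comment",
        "case_id": case["id"],
        "content": f"{subject_user} is a power user (groups: {', '.join(groups)}); "
                   "case prioritized automatically.",
    })
    if case["state"]["value"] != IN_PROGRESS["value"]:
        actions.append({"action": "set_state", "case_id": case["id"], "state": IN_PROGRESS})
    return actions


if __name__ == "__main__":
    for user in GROUP_MEMBERSHIPS:
        print(user, plan_actions(NEW_CASE_EVENT, user, GROUP_MEMBERSHIPS))
```

The function returns a list of actions rather than calling the case API directly, so the decision logic can be tested offline and the same plan can be executed by whichever steps your workflow uses.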
Note updated
Use the Note updated scenario to trigger a workflow each time a note is added, updated, or deleted in a case.
Trigger condition example
You can add a condition for the workflow to execute only when the note is updated by a user rather than by a workflow.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"notes": {
"current": {
"case_id": 1970,
"content": "<p>The note content.</p>",
"created_at": "2024-01-10T14:54:26.297023Z",
"created_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"id": "8d509422-ae66-****-bd17-e04dfad43a65",
"title": "New note",
"updated_at": null,
"updated_by": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "NOTE_UPDATED",
"timestamp": "2024-01-10T14:54:26.326555964Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Use case example
When a note is created, updated, or deleted, you may want to execute a workflow that informs the case assignee.
- Use the Note updated trigger scenario. Add trigger conditions as required.
- Use the Get case details step to retrieve additional information about the case.
- Add a condition to check whether the case assignee updated the note. If not, send a Slack message to the case assignee to inform them of the update.
Assigned to a teammate
Use the Assigned to a teammate scenario to trigger a workflow whenever a case is assigned.
Trigger condition example
You can add a condition for the workflow to execute only if a team member assigned a case to someone other than themselves.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:36.619305Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:20.119589Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_ASSIGNEE_UPDATED",
"timestamp": "2023-04-22T08:30:36.638093212Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Use case example
When a case is assigned, you may want to execute a workflow that informs the assignee and asks them to confirm that they will handle it.
- Use the Assigned to a teammate trigger and add a trigger condition for the workflow to execute only when a user didn't assign a case to themselves.
- The assignee is requested to confirm the case assignment.
- If the confirmation request times out, the case is assigned to the team lead to make sure the case is being handled properly.
Severity changed
Use the Severity changed scenario to trigger a workflow whenever the severity of a case changes.
Trigger condition example
You can add a condition for the workflow to execute only when the severity is raised, not when it's lowered.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 5,
"value": "SEVERITY_ID_CRITICAL"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:50.643336Z"
},
"previous": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:45.912276Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_SEVERITY_UPDATED",
"timestamp": "2023-04-18T09:06:50.695505597Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Use case example
When the severity of a case is updated to critical, you can notify one of the on-call engineers for immediate action.
- Use the Severity changed trigger and add a trigger condition for the workflow to execute only when the case severity is updated to critical.
- Loop over the list of on-call engineers and ask them to review the case and take immediate action if required.
- Assign the case to the first on-call engineer that confirms they are available to review it.
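The trigger conditions of the Assigned to a teammate and Severity changed scenarios, and the on-call selection from the steps above, as an added Python example that is not part of this page or the product. Both payloads are trimmed copies of the samples above with placeholder addresses. The "severity rises" check assumes severity ids are ordered from low to high, which matches the sampled values (LOW = 2, CRITICAL = 5); the confirmation replies that a real workflow would collect from Slack are modelled as a constructed dictionary.

```python
# Constructed "Assigned to a teammate" payload (camelCase style, as on the page),
# trimmed to the fields used here. Addresses are placeholders.
ASSIGN_EVENT = {
    "cases": {
        "current": {"id": 4, "assignee": "bob@example.com",
                    "severity": {"id": 2, "value": "SEVERITY_ID_LOW"}},
        "previous": {"id": 4, "assignee": "",
                     "severity": {"id": 2, "value": "SEVERITY_ID_LOW"}},
    },
    "operation": "UPDATE",
    "scenarioId": "CASE_ASSIGNEE_UPDATED",
    "triggeredBy": {"user": {"email": "alice@example.com"}},
}

# Constructed "Severity changed" payload: LOW (2) -> CRITICAL (5), as in the sample.
SEVERITY_EVENT = {
    "cases": {
        "current": {"id": 2, "assignee": "",
                    "severity": {"id": 5, "value": "SEVERITY_ID_CRITICAL"}},
        "previous": {"id": 2, "assignee": "",
                     "severity": {"id": 2, "value": "SEVERITY_ID_LOW"}},
    },
    "operation": "UPDATE",
    "scenarioId": "CASE_SEVERITY_UPDATED",
    "triggeredBy": {"user": {"email": "alice@example.com"}},
}


def actor_email(event):
    """Email of the user who triggered the event ("" when a workflow did)."""
    return event.get("triggeredBy", {}).get("user", {}).get("email", "")


def assigned_to_someone_else(event):
    """Condition for the Assigned-to-a-teammate use case: a real assignee change
    where the person doing the assigning is not the new assignee."""
    cur = event["cases"]["current"]
    prev = event["cases"].get("previous") or {}
    new_assignee = cur.get("assignee", "")
    return (
        bool(new_assignee)
        and new_assignee != prev.get("assignee", "")
        and new_assignee.lower() != actor_email(event).lower()
    )


def severity_rose(event):
    """Condition 'severity is raised'. Assumes ids order from low to high,
    which matches the page's samples (LOW = 2, CRITICAL = 5)."""
    cur = event["cases"]["current"]["severity"]["id"]
    prev = (event["cases"].get("previous") or {}).get("severity", {}).get("id", 0)
    return cur > prev


def raised_to_critical(event):
    return severity_rose(event) and \
        event["cases"]["current"]["severity"]["value"] == "SEVERITY_ID_CRITICAL"


def first_available(on_call, responses):
    """Severity-changed use case: ask each on-call engineer in turn and assign the
    case to the first who confirms. responses maps email -> reply; a missing key
    means no answer before the confirmation timed out."""
    for engineer in on_call:
        if responses.get(engineer) == "available":
            return engineer
    return None


def assignee_after_confirmation(assignee, confirmed, team_lead):
    """Assigned-to-a-teammate use case: if the assignee did not confirm before the
    timeout, hand the case to the team lead."""
    return assignee if confirmed else team_lead


if __name__ == "__main__":
    print("assigned by someone else:", assigned_to_someone_else(ASSIGN_EVENT))
    print("raised to critical:", raised_to_critical(SEVERITY_EVENT))
    print("on-call pick:", first_available(
        ["dan@example.com", "eve@example.com"], {"eve@example.com": "available"}))
```

Comparing previous and current rather than looking at current alone is what keeps the condition from firing on unrelated updates that happen to carry the same assignee or severity.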
Observable added
Use the Observable added scenario to trigger a workflow whenever an observable is added to a case.
Trigger condition example
You can add a condition for the workflow to execute only for observables that are IP addresses.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"associatedObservable": {
"current": {
"caseId": 3,
"isPinned": false,
"observable": {
"description": "",
"firstObserved": "2023-04-21T18:20:06.643786Z",
"id": 5,
"lastObserved": "2023-04-21T18:20:06.643786Z",
"reputation": 2,
"value": {
"ip": "9.9.9.9"
}
},
"witnessedAt": "2023-04-21T18:20:06.643786Z"
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
"timestamp": "2023-04-21T18:20:06.672584658Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Use case example
When an observable is added to a case, the generated event can automatically trigger a workflow that will enrich it.
- Use the Observable added trigger and add a trigger condition for the workflow to execute only when the observable is an IP address.
- Enrich the observable with multiple services simultaneously.
- Normalize the observable score and use it as the verdict. For example, the score can represent the count of services flagging the observable as malicious. If the observable verdict is malicious, you may want to consider raising the case severity.
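The IP-address trigger condition and the score normalization from the steps above, as an added Python example that is not part of this page or the product. The payload is a trimmed copy of the sample above; the three enrichment services and their answer formats are constructed, and the score threshold for the numeric one is assumed. The example adds one check the page does not mention: private, loopback and link-local addresses are filtered out before enrichment, since sending them to external services wastes quota and leaks internal addressing.

```python
import ipaddress

# Constructed "Observable added" payload, trimmed to the fields used here.
OBSERVABLE_EVENT = {
    "associatedObservable": {
        "current": {
            "caseId": 3,
            "observable": {"id": 5, "reputation": 2, "value": {"ip": "9.9.9.9"}},
        },
        "previous": None,
    },
    "operation": "CREATE",
    "scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
}

# Constructed answers from three hypothetical enrichment services. Each uses its own
# vocabulary, which is why a normalization step is needed before a verdict.
ENRICHMENT_RESULTS = {
    "service_a": {"malicious": True},
    "service_b": {"threat_score": 87},            # 0-100 scale
    "service_c": {"classification": "benign"},
}
SCORE_THRESHOLD = 70   # assumed cut-off for service_b's score


def observable_ip(event):
    """Trigger condition: return the IP if the added observable is an IP, else None."""
    value = event["associatedObservable"]["current"]["observable"].get("value", {})
    return value.get("ip")


def is_enrichable(ip):
    """Added check: only public, routable addresses are worth sending to external
    services; private, loopback and link-local ranges are skipped."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def flagged(service, result):
    """Normalize one service's answer to True (malicious) / False."""
    if service == "service_a":
        return bool(result.get("malicious"))
    if service == "service_b":
        return result.get("threat_score", 0) >= SCORE_THRESHOLD
    if service == "service_c":
        return result.get("classification") == "malicious"
    return False


def verdict(results, min_flags=2):
    """Score = number of services flagging the observable; malicious at min_flags."""
    score = sum(1 for s, r in results.items() if flagged(s, r))
    return {"score": score, "of": len(results), "malicious": score >= min_flags}


def handle_observable_added(event, results):
    """Return the actions to take, or None when the condition or check filters it out."""
    ip = observable_ip(event)
    if ip is None or not is_enrichable(ip):
        return None
    case_id = event["associatedObservable"]["current"]["caseId"]
    v = verdict(results)
    actions = [{"action": "add_comment", "case_id": case_id,
                "content": f"{ip}: {v['score']}/{v['of']} services flag it as malicious"}]
    if v["malicious"]:
        actions.append({"action": "set_severity", "case_id": case_id,
                        "severity": {"id": 5, "value": "SEVERITY_ID_CRITICAL"}})
    return actions


if __name__ == "__main__":
    print(handle_observable_added(OBSERVABLE_EVENT, ENRICHMENT_RESULTS))
```

Requiring at least two services to agree before calling the verdict malicious is a deliberate choice: a single feed with a stale or over-broad listing shouldn't be enough to escalate a case on its own.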
Observable updated
Use the Observable updated scenario to trigger a workflow for every update of an observable, regardless of whether it's associated with any cases.
Trigger condition example
You can add a condition for the workflow to execute only when the observable reputation is updated to indicate that it's not or may not be safe.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"observables": {
"current": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 5,
"name": "MAY_NOT_BE_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
},
"previous": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 1,
"name": "VERY_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
}
},
"operation": "UPDATE",
"scenario_id": "OBSERVABLE_UPDATED",
"timestamp": "2023-07-03T10:18:11.509992672Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Use case example
When the reputation of an observable is updated to indicate that it may not be safe (or that it is unsafe), you can use the generated event to trigger a workflow that will update the timelines and the assignees of all the cases the observable is associated with.
- Use the Observable updated trigger and add a trigger condition for the workflow to execute only when the observable reputation is updated to indicate that it's not or may not be safe.
- Retrieve all cases the observable is associated with.
- Loop over the retrieved cases, add a comment to the timeline of each case, and send a message to the case assignee.
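The reputation condition and the fan-out over associated cases from the steps above, as an added Python example that is not part of this page or the product. The payload is a trimmed copy of the sample above. MAY_NOT_BE_SAFE is the value shown on this page; the second name in the unsafe set is an assumption about how an unsafe reputation is spelled in your tenant and should be checked there. The "retrieve associated cases" step is replaced by constructed lookup tables.

```python
# Constructed "Observable updated" payload (snake_case style), trimmed to the fields used.
OBSERVABLE_UPDATED_EVENT = {
    "observables": {
        "current": {"id": 10, "reputation": {"id": 5, "name": "MAY_NOT_BE_SAFE"},
                    "type": {"id": 2, "name": "IP_ADDRESS"}, "value": {"ip": "13.13.13.13"}},
        "previous": {"id": 10, "reputation": {"id": 1, "name": "VERY_SAFE"},
                     "type": {"id": 2, "name": "IP_ADDRESS"}, "value": {"ip": "13.13.13.13"}},
    },
    "operation": "UPDATE",
    "scenario_id": "OBSERVABLE_UPDATED",
    "triggered_by": {"kind": "USER", "user": {"email": "analyst@example.com"}},
}

# MAY_NOT_BE_SAFE appears in the page's sample; NOT_SAFE is an assumed name for the
# fully unsafe reputation and should be checked against your tenant's values.
UNSAFE_REPUTATIONS = {"MAY_NOT_BE_SAFE", "NOT_SAFE"}

# Constructed lookups standing in for the "retrieve associated cases" step.
CASES_BY_OBSERVABLE = {10: [71, 64]}
CASES = {71: {"assignee": "bob@example.com", "title": "Phishing wave"},
         64: {"assignee": "", "title": "Beaconing host"}}


def became_unsafe(event, unsafe=UNSAFE_REPUTATIONS):
    """Condition: reputation moved from a safe value into an unsafe one. A later
    update that keeps the observable unsafe does not fire again."""
    cur = event["observables"]["current"]["reputation"]["name"]
    prev = (event["observables"].get("previous") or {}).get("reputation", {}).get("name")
    return cur in unsafe and prev not in unsafe


def observable_label(obs):
    """Human-readable observable value regardless of its type (ip, domain, hash...)."""
    return next(iter(obs.get("value", {}).values()), str(obs.get("id")))


def fan_out(event, cases_by_observable=CASES_BY_OBSERVABLE, cases=CASES):
    """Return a timeline comment for every associated case and a message for each
    assignee; unassigned cases get the comment only."""
    if not became_unsafe(event):
        return [], []
    obs = event["observables"]["current"]
    text = f"Reputation of {observable_label(obs)} changed to {obs['reputation']['name']}"
    comments, messages = [], []
    for case_id in cases_by_observable.get(obs["id"], []):
        comments.append({"case_id": case_id, "content": text})
        assignee = cases.get(case_id, {}).get("assignee")
        if assignee:
            messages.append({"to": assignee, "text": f"Case #{case_id}: {text}"})
    return comments, messages


if __name__ == "__main__":
    print(fan_out(OBSERVABLE_UPDATED_EVENT))
```

Because this trigger fires for every observable update regardless of case association, the transition check (safe before, unsafe now) matters: without it the workflow would comment on every case each time any attribute of an already-unsafe observable is touched.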
State changed
Use the State changed scenario to trigger a workflow whenever a case transitions from one state to another.
Trigger condition example
You can add a condition for the workflow to execute only when the case transitions to a specific state.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 3,
"value": "STATE_ID_ON_HOLD"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:31:28.513722Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:30:25.398745Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_STATE_UPDATED",
"timestamp": "2023-04-21T17:31:28.543872751Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Use case example
When the case state changes from new to in progress, you can use the generated event to trigger a workflow that will assign the case to a team member.
- Use the State changed trigger and add a trigger condition for the workflow to execute only when the case transitions from the new state to in progress.
- Randomly select a team member to assign the case and notify them via Slack.
Attachment added
Use the Attachment added scenario to trigger a workflow whenever an attachment is added to a case.
Trigger condition example
You can add a condition for the workflow to execute only if the attachment is an image.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"attachments": {
"current": {
"caseId": 3,
"createdAt": "2023-05-07T10:28:33.421020Z",
"fileName": "200-0-4.jpeg",
"id": "ed2d9ce4-b603-4e80-93a2-c0960ca27123",
"mimeType": "image/jpeg",
"relativePath": "0ba55c55-d47e-4f07-9f10-15f47c1ae129/cases/3:200-0-4.jpe",
"size": 24971
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ATTACHMENT_CREATED",
"timestamp": "2023-05-07T10:28:33.440336411Z",
"triggeredBy": {
"kind": "USER",
"user": {
"email": "***@***.***"
}
}
}
Use case example
When an attachment is added to a case, you can use the generated event to trigger a workflow to check whether the case assignee needs to be notified.
- Use the Attachment added trigger. Add trigger conditions as necessary.
- Retrieve the case information to check whether the user who added the attachment is the case assignee.
- If not, notify the case assignee of the new attachment. You may also want to send them a link they can use to download the attachment.
Category changed
Use the Category changed scenario to trigger a workflow when the category of a case is set or updated.
Trigger condition example
You can add a condition for the workflow to execute only when the case category is changed to a specific value. You can create different workflows to handle different case categories.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": null,
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_CATEGORY_UPDATED",
"timestamp": "2023-11-23T08:30:54.797214680Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
Use case example
When the case category is updated, you can use the generated event to trigger a workflow that will add category-specific custom fields to the case. This example is based on a template.
- Use the Category changed trigger. Trigger conditions aren't required.
- List the current custom fields of the case and compare them with the custom fields the case should have based on its category.
- Loop over the missing custom fields and add them.
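The template comparison from the steps above, as an added Python example that is not part of this page or the product. The payload is a trimmed copy of the sample above. The category-to-fields template is assumed; the "tier" key and the schema type 2 are taken from this page's Custom field updated sample, the other keys are illustrative. The list of the case's current custom fields, which the page retrieves with a list step, is passed in.

```python
# Constructed "Category changed" payload (snake_case), trimmed to the fields used.
CATEGORY_EVENT = {
    "cases": {
        "current": {"id": 1492, "category": "Malware"},
        "previous": {"id": 1492, "category": ""},
    },
    "operation": "UPDATE",
    "scenario_id": "CASE_CATEGORY_UPDATED",
    "triggered_by": {"kind": "WORKFLOW", "workflow": {"execution_id": "exec-1", "id": "wf-1"}},
}

# Assumed template: which custom field keys (and schema types) each category should carry.
# "tier" with schema type 2 comes from the page's Custom field updated sample; the
# other keys are illustrative.
CATEGORY_TEMPLATES = {
    "Malware": [("hostname", 2), ("malware_family", 2), ("tier", 2)],
    "Identity & Access Management": [("affected_user", 2), ("tier", 2)],
}


def missing_custom_fields(category, current_keys, templates=CATEGORY_TEMPLATES):
    """Custom fields the case should have for its category but does not yet."""
    have = set(current_keys)
    return [(key, schema) for key, schema in templates.get(category, []) if key not in have]


def category_changed_actions(event, current_keys, templates=CATEGORY_TEMPLATES):
    """Actions for the Category-changed use case: one add per missing field.
    Skips events where the category did not actually change (defensive)."""
    cur = event["cases"]["current"]
    prev = event["cases"].get("previous") or {}
    if cur.get("category") == prev.get("category"):
        return []
    return [
        {"action": "add_custom_field", "case_id": cur["id"],
         "key": key, "schema": {"type": schema}, "value": ""}
        for key, schema in missing_custom_fields(cur["category"], current_keys, templates)
    ]


if __name__ == "__main__":
    print(category_changed_actions(CATEGORY_EVENT, ["tier"]))
```

Each field this workflow adds generates a Custom field updated event of its own, so a workflow on that trigger should check triggered_by.kind (USER or WORKFLOW) before notifying anyone, or it will fire once per template field.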
Comment added
Use the Comment added scenario to trigger a workflow whenever a comment is added to a case timeline.
Trigger condition example
You can add a condition for the workflow to execute only if the comment was added automatically during workflow execution.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"comments": {
"current": {
"case_id": 71,
"content": "comment",
"id": "9a1d7276-44cd-4701-****-6c4ac020d440"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "COMMENT_CREATED",
"timestamp": "2023-07-03T11:21:16.739582950Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Use case example
When a comment is added to a case, you can use the generated event to trigger a workflow that will notify the assignee.
- Use the Comment added trigger. Add trigger conditions as necessary.
- Retrieve the case information to check whether the case was assigned.
- If applicable, notify the case assignee of the new comment.
Custom
Use the Custom trigger scenario to trigger a workflow on case updates that none of the other triggers cover. Because it fires for any update to the case, your trigger condition should first establish which field changed by comparing the previous and current case objects.
Trigger condition example
You can set a condition for the workflow to execute only when the case description has been updated by a workflow and was initially empty.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "A user's computer was found infected with a Trojan horse malware variant. The malware is capable of stealing sensitive information and executing unauthorized commands.",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:58.136911Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_UPDATED",
"timestamp": "2023-11-23T08:30:58.193885908Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
Use case example
One example of an event you can monitor with the Custom trigger is an automatic case description update. When the case description is set by a workflow, you can use the generated event to trigger a different workflow that will notify the case assignee or a Slack channel of the update.
- Use the Custom trigger. Add trigger conditions according to the example above.
- If the case is assigned, notify the assignee. Otherwise, notify the relevant Slack channel.
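A generic previous-versus-current field diff for the Custom (CASE_UPDATED) trigger, with the page's own condition (description set by a workflow, empty before) and the State changed condition (new to in progress) built on top of it, as an added Python example that is not part of this page or the product. The payload is a trimmed copy of the sample above with placeholder workflow ids; the bookkeeping fields to ignore and the Slack channel name are assumptions.

```python
# Constructed "Custom" (CASE_UPDATED) payload in the page's snake_case style, trimmed.
CUSTOM_EVENT = {
    "cases": {
        "current": {"id": 1492, "assignee": "", "category": "Malware",
                    "description": "A user's computer was found infected with a Trojan.",
                    "state": {"id": 1, "type": 1, "value": "NEW"},
                    "updated_at": "2023-11-23T08:30:58.136911Z"},
        "previous": {"id": 1492, "assignee": "", "category": "Malware",
                     "description": "",
                     "state": {"id": 1, "type": 1, "value": "NEW"},
                     "updated_at": "2023-11-23T08:30:54.740722Z"},
    },
    "operation": "UPDATE",
    "scenario_id": "CASE_UPDATED",
    "triggered_by": {"kind": "WORKFLOW",
                     "workflow": {"execution_id": "exec-1", "id": "wf-1"}},
}

# Bookkeeping fields that change on every update and never carry a decision
# (both key styles seen on this page). Assumed list; extend as needed.
IGNORED_FIELDS = ("updated_at", "updatedTime")


def changed_fields(event, ignore=IGNORED_FIELDS):
    """Map of field -> (before, after) for every top-level case field that differs.
    The catch-all Custom trigger fires for any case update, so a condition should
    start by establishing which field actually changed."""
    cur = event["cases"]["current"]
    prev = event["cases"].get("previous") or {}
    return {k: (prev.get(k), cur.get(k))
            for k in sorted(set(cur) | set(prev))
            if k not in ignore and prev.get(k) != cur.get(k)}


def triggered_by_workflow(event):
    return event.get("triggered_by", {}).get("kind") == "WORKFLOW"


def description_set_by_workflow(event):
    """The page's Custom-trigger condition: description filled in by a workflow,
    and it was empty before."""
    change = changed_fields(event).get("description")
    return (change is not None and triggered_by_workflow(event)
            and change[0] == "" and change[1] != "")


def transitioned(event, from_value, to_value):
    """State-changed condition: the case moved from one named state to another."""
    change = changed_fields(event).get("state")
    if change is None:
        return False
    before, after = change
    return (before or {}).get("value") == from_value and (after or {}).get("value") == to_value


def notification_target(case, channel):
    """Notify the assignee when there is one, otherwise the team channel."""
    return ("user", case["assignee"]) if case.get("assignee") else ("channel", channel)


if __name__ == "__main__":
    print(changed_fields(CUSTOM_EVENT))
    print(description_set_by_workflow(CUSTOM_EVENT),
          notification_target(CUSTOM_EVENT["cases"]["current"], "#soc"))
```

Filtering out updated_at is what makes the diff useful: without it every event reports at least one change and the condition can't tell a description edit from any other update.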
Link updated
Use the Link updated scenario to trigger a workflow whenever cases are linked, unlinked, or a link is updated.
Trigger condition example
You can add a condition for the workflow to execute only when a link is created.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"links": {
"current": {
"actor": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"created_at": "2023-07-03T11:45:32.181410Z",
"description": "I think these cases are related",
"first_case_id": 71,
"second_case_id": 64,
"updated_at": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "LINK_UPDATED",
"timestamp": "2023-07-03T11:45:32.199733160Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Use case example
When a link is created between two cases, you can use the generated event to trigger a workflow that notifies the assignees of the cases already linked to either of them that a new related case exists.
- Use the Link updated trigger. Add a trigger condition for the workflow to execute only when a link is created.
- Retrieve information for both cases in the link.
- List the links for both cases in the newly created link.
- Notify the assignees of the other links associated with the case that was linked to theirs.
Tags updated
Use the Tags updated scenario to trigger a workflow whenever the tags of a case are updated.
Trigger condition example
You can add a condition for the workflow to execute only when the tags are updated by a workflow or the case assignee.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [
"Malicious observable"
],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:42.393278Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description.",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:41.536989Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_TAGS_UPDATED",
"timestamp": "2023-07-04T07:30:42.424070622Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
Use case example
When a tag is added or updated, you can use the generated event to trigger a workflow that will link all the cases with the new tag to the updated one.
- Use the Tags updated workflow trigger. No trigger condition is required for this example.
- Loop over the tags that were added or updated and use the Query cases step to retrieve the list of cases carrying each tag.
- Loop over the retrieved cases and link them to the case with updated tags. Use the tag name as the link description.
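The Link updated use case (notify assignees of the cases already linked to either end of a new link) and the Tags updated use case (link the case to every other case carrying a newly added tag) share the same link bookkeeping, so both are covered by one added Python example that is not part of this page or the product. The case store and existing links are constructed; the two payloads are trimmed copies of the samples above with placeholder addresses. The Query cases step is replaced by a scan of the constructed store.

```python
from collections import namedtuple

Link = namedtuple("Link", "first_case_id second_case_id description")

# Constructed case store and existing links (ids follow the page's samples).
CASES = {
    64: {"assignee": "alice@example.com", "tags": ["Malicious observable"]},
    71: {"assignee": "bob@example.com", "tags": ["Malicious observable"]},
    79: {"assignee": "carol@example.com", "tags": []},
    80: {"assignee": "", "tags": ["Phishing"]},
}
LINKS = [Link(71, 80, "same sender"), Link(64, 79, "shared IOC")]

# Constructed "Link updated" payload: case 71 linked to case 64.
LINK_EVENT = {
    "links": {"current": {"first_case_id": 71, "second_case_id": 64,
                          "description": "I think these cases are related"},
              "previous": None},
    "operation": "CREATE",
    "scenario_id": "LINK_UPDATED",
}

# Constructed "Tags updated" payload: case 79 gains the tag "Malicious observable".
TAGS_EVENT = {
    "cases": {"current": {"id": 79, "tags": ["Malicious observable"]},
              "previous": {"id": 79, "tags": []}},
    "operation": "UPDATE",
    "scenario_id": "CASE_TAGS_UPDATED",
}


def neighbours(case_id, links):
    """Ids of the cases directly linked to case_id."""
    out = set()
    for link in links:
        if link.first_case_id == case_id:
            out.add(link.second_case_id)
        elif link.second_case_id == case_id:
            out.add(link.first_case_id)
    return out


def link_created_notifications(event, cases=CASES, links=LINKS):
    """Link-updated use case: for each end of the new link, tell the assignees of the
    cases already linked to it that it now relates to the other end.
    Returns sorted (assignee, their_case_id, newly_related_case_id) tuples."""
    if event.get("operation") != "CREATE":          # the page's trigger condition
        return []
    cur = event["links"]["current"]
    a, b = cur["first_case_id"], cur["second_case_id"]
    notes = set()
    for this_end, other_end in ((a, b), (b, a)):
        for case_id in neighbours(this_end, links) - {a, b}:
            assignee = cases.get(case_id, {}).get("assignee")
            if assignee:
                notes.add((assignee, case_id, other_end))
    return sorted(notes)


def added_tags(event):
    """Tags present now that were not present before the update."""
    cur = event["cases"]["current"].get("tags", [])
    prev = (event["cases"].get("previous") or {}).get("tags", [])
    return sorted(set(cur) - set(prev))


def tag_links(event, cases=CASES, links=LINKS):
    """Tags-updated use case: link the case to every other case carrying a newly
    added tag, using the tag as the link description, without duplicating links."""
    case_id = event["cases"]["current"]["id"]
    already = neighbours(case_id, links)
    new_links = []
    for tag in added_tags(event):
        for other_id, other in cases.items():
            if other_id == case_id or other_id in already:
                continue
            if tag in other.get("tags", []):
                new_links.append(Link(case_id, other_id, tag))
                already.add(other_id)
    return new_links


if __name__ == "__main__":
    print(link_created_notifications(LINK_EVENT))
    print(tag_links(TAGS_EVENT))
```

Two details worth keeping when you port this: the tag workflow only acts on tags that are new (set difference against previous), so re-saving a case with the same tags creates nothing, and both functions consult the existing links so that a link the Tags workflow creates does not get created a second time when the same tag is added to the other case.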
Custom field updated
Use the Custom field updated scenario to trigger a workflow whenever a custom field of a case is updated.
Trigger condition example
You can add a condition for the workflow to execute only when the custom field is updated by a workflow.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"custom_fields": {
"current": {
"case_id": 75,
"key": "tier",
"schema": {
"type": 2
},
"value": ""
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CUSTOM_FIELD_UPDATED",
"timestamp": "2023-07-04T13:05:42.453672953Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Use case example
When a custom field is added or updated, you can use the generated event to trigger a workflow that notifies the case assignee if the case is assigned, or sends a message to the relevant Slack channel if it isn't assigned yet.
- Use the Custom field updated workflow trigger. No trigger condition is required for this example.
- Retrieve the case details to check whether the case was assigned.
- If assigned, notify the assignee of the custom field addition or update. Otherwise, send a message to the relevant Slack channel. In this example, each tier of analysts has its own Slack channel.
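The "notify the assignee unless they made the change, otherwise a channel" pattern that this page uses for the Note updated, Attachment added, Comment added and Custom field updated scenarios, as one added Python example that is not part of this page or the product. It reads the actor from either key style found in the samples (triggeredBy without a kind, or triggered_by with a kind of USER or WORKFLOW) and pulls the case id from whichever entity the event carries. The two payloads are trimmed copies of samples above, the case store stands in for the Get case details step, and the tier-to-channel mapping is assumed.

```python
# Constructed payloads in both key styles found on this page: an older camelCase
# "Attachment added" event and a newer snake_case "Custom field updated" event.
ATTACHMENT_EVENT = {
    "attachments": {"current": {"caseId": 3, "fileName": "200-0-4.jpeg",
                                "mimeType": "image/jpeg", "size": 24971},
                    "previous": None},
    "operation": "CREATE",
    "scenarioId": "ATTACHMENT_CREATED",
    "triggeredBy": {"kind": "USER", "user": {"email": "bob@example.com"}},
}
CUSTOM_FIELD_EVENT = {
    "custom_fields": {"current": {"case_id": 75, "key": "tier",
                                  "schema": {"type": 2}, "value": ""},
                      "previous": None},
    "operation": "CREATE",
    "scenario_id": "CUSTOM_FIELD_UPDATED",
    "triggered_by": {"kind": "WORKFLOW",
                     "workflow": {"execution_id": "exec-1", "id": "wf-1"}},
}

# Constructed case store standing in for the "Get case details" step.
CASES = {
    3: {"assignee": "bob@example.com", "custom_fields": {}},
    75: {"assignee": "", "custom_fields": {"tier": "tier2"}},
}
# Assumed Slack channels per analyst tier, plus a fallback.
TIER_CHANNELS = {"tier1": "#soc-tier1", "tier2": "#soc-tier2"}
DEFAULT_CHANNEL = "#soc"


def actor(event):
    """(kind, identifier) of whoever triggered the event. Accepts both key styles;
    an older payload without "kind" but with a "user" object is treated as USER."""
    tb = event.get("triggered_by") or event.get("triggeredBy") or {}
    kind = tb.get("kind") or ("USER" if "user" in tb else "")
    if kind == "USER":
        return "USER", tb.get("user", {}).get("email", "")
    if kind == "WORKFLOW":
        return "WORKFLOW", tb.get("workflow", {}).get("id", "")
    return kind, ""


def case_id_of(event):
    """Case id from whichever entity the event carries (notes, comments, ...)."""
    for entity in ("notes", "comments", "attachments", "custom_fields"):
        cur = (event.get(entity) or {}).get("current")
        if cur:
            return cur.get("case_id", cur.get("caseId"))
    return None


def notification_target(event, case, tier_channels=TIER_CHANNELS, default=DEFAULT_CHANNEL):
    """None when the actor is the assignee (nothing to tell them), ("user", email)
    when the case is assigned, else ("channel", name) picked by the case's tier."""
    kind, who = actor(event)
    assignee = case.get("assignee") or ""
    if kind == "USER" and who and who.lower() == assignee.lower():
        return None
    if assignee:
        return ("user", assignee)
    tier = case.get("custom_fields", {}).get("tier", "")
    return ("channel", tier_channels.get(tier, default))


def route(event, cases=CASES):
    """Full use case: find the case, then decide whom to notify."""
    case = cases.get(case_id_of(event), {})
    return notification_target(event, case)


if __name__ == "__main__":
    print(route(ATTACHMENT_EVENT), route(CUSTOM_FIELD_EVENT))
```

Comparing emails case-insensitively avoids a notification to the assignee about their own change when the directory and the case store disagree on capitalization.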
User mentioned
Use the User mentioned scenario to trigger a workflow whenever one or more users are mentioned in a comment in the case timeline. The user or users can be mentioned in a comment that's added manually by typing @ and selecting a user from the list, or automatically by using the Add comment to case step. The syntax to mention a user in an automatic comment is <m:user@company.com>. The user email can also be taken from the workflow context.
Trigger condition example
You can add a condition for the workflow to execute only when the user or users are mentioned by a user. This can be useful if you want to treat comments added by a user differently than comments added by a workflow.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"operation": "CREATE",
"scenario_id": "USER_MENTIONED",
"timestamp": "2023-08-03T10:17:55.025121927Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-3d8c-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"user_mentions": {
"current": {
"context": {
"id": 1,
"value": "CASE_TIMELINE_COMMENT"
},
"entity_id": 363,
"entity_type": {
"id": 1,
"value": "CASE"
},
"full_text": "Automatic comment <m:user@company.io> <m:user2@company.io>",
"mentioned_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-****-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"mentioned_users": [
"user@company.io",
"user2@company.io"
],
"timestamp": "2023-08-03T10:17:55.024959065Z"
}
}
}
Use case example
When a user or users are mentioned in a case timeline comment, you can use the generated event to trigger a workflow that will notify the mentioned user or users via Slack.
- Use the User mentioned workflow trigger. No trigger condition is required for this example.
- Retrieve the case details to have the case title available to use in the Slack message.
- Loop over the users mentioned in the comment and send each of them a Slack message with the relevant information.
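The mention syntax and the Slack fan-out from the steps above, as an added Python example that is not part of this page or the product. The payload is a copy of the sample above with placeholder workflow ids. mentioned_users is treated as authoritative and the <m:...> tokens in full_text are parsed only as a fallback; the tokens are also rewritten to plain @address form so the forwarded comment is readable.

```python
import re

# Mention token syntax described on this page: <m:user@company.com>
MENTION_RE = re.compile(r"<m:([^\s<>@]+@[^\s<>@]+)>")

# Constructed "User mentioned" payload (the page's sample, with placeholder ids).
MENTION_EVENT = {
    "operation": "CREATE",
    "scenario_id": "USER_MENTIONED",
    "triggered_by": {"kind": "WORKFLOW", "workflow": {"execution_id": "exec-1", "id": "wf-1"}},
    "user_mentions": {
        "current": {
            "context": {"id": 1, "value": "CASE_TIMELINE_COMMENT"},
            "entity_id": 363,
            "entity_type": {"id": 1, "value": "CASE"},
            "full_text": "Automatic comment <m:user@company.io> <m:user2@company.io>",
            "mentioned_by": {"kind": "WORKFLOW",
                             "workflow": {"execution_id": "exec-1", "id": "wf-1"}},
            "mentioned_users": ["user@company.io", "user2@company.io"],
        }
    },
}


def parse_mentions(text):
    """Addresses mentioned with the <m:...> syntax, de-duplicated, in order of appearance."""
    return list(dict.fromkeys(MENTION_RE.findall(text)))


def mentioned_by_user(event):
    """Condition from the page: the mention came from a person, not a workflow."""
    return event["user_mentions"]["current"]["mentioned_by"].get("kind") == "USER"


def readable(text):
    """Render mention tokens as @address so the Slack text is readable."""
    return MENTION_RE.sub(lambda m: "@" + m.group(1), text)


def slack_messages(event, case_title):
    """One message per mentioned user. mentioned_users is authoritative; the text is
    parsed only as a fallback for payloads that lack it."""
    cur = event["user_mentions"]["current"]
    if cur.get("entity_type", {}).get("value") != "CASE":
        return []
    users = cur.get("mentioned_users") or parse_mentions(cur.get("full_text", ""))
    by = cur.get("mentioned_by", {})
    who = by.get("user", {}).get("email") if by.get("kind") == "USER" else "a workflow"
    body = readable(cur.get("full_text", ""))
    return [
        {"to": u,
         "text": f"{who} mentioned you in case #{cur['entity_id']} ({case_title}): {body}"}
        for u in users
    ]


if __name__ == "__main__":
    for msg in slack_messages(MENTION_EVENT, "Demo"):
        print(msg)
```

entity_id is the case id when entity_type is CASE, which is why the function checks the type before using it to build the message; the case title itself comes from the Get case details step the page mentions and is passed in here.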
Event updated
Use the Event updated scenario to trigger a workflow whenever an event is attached to or detached from a case.
Trigger condition example
You can add a condition for the workflow to execute only when the event was attached automatically by a workflow and the event's name doesn't indicate that it's a duplicate.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"attachable_events": {
"current": {
"case_id": 916,
"event_type": 1,
"id": "5dde59e0-400e-****-b345-e1eb3c28a4a0",
"name": "Duplicate event",
"pretty_id": "AA-00****",
"timestamp": "2023-09-27T11:08:36.588661Z",
"type_details_json": {},
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CASE_EVENT_UPDATED",
"timestamp": "2023-09-27T11:08:40.215319425Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "c14f3898-d906-****-83ee-f082f9cfc625",
"id": "7ad1413f-1cec-****-a822-12fa4b376358"
}
}
}
Use case example
When an event is attached to or detached from a case, you can use the Event updated trigger scenario to trigger a workflow that assigns a user input task to the case for extra visibility.
- Use the Event updated workflow trigger. Use the trigger conditions from the example above.
- Extract the case ID from the trigger event to get the case details and assign a user input task to the case.