When you connect Workbench to an email ticketing system, you can send organization-level notifications to that ticketing system and then track and manage them just like the other tickets in your environment. This guide is the first step of a larger process to enable organization notifications. After completing the steps on this page, you will be instructed to go to Manage Organization Notifications in Workbench to set up your actual notifications.

Supported Ticketing Systems

You can connect the following ticketing systems to Workbench:

  • Asana
  • Jira
  • Request Tracker for Incident Response
  • Splunk On-Call
  • Striven

Prerequisites

  1. You must have a destination email address for your ticketing system before you begin. This is the email that will receive and process the notifications from Workbench and route them to your ticketing system.
  2. You must be an organization admin to integrate a ticketing system with Workbench.

Quick Links

Setup includes the following steps (select any step for detailed instructions):

  1. Add a Ticketing System in Workbench
  2. Add Your Organization Notifications
  3. Ticketing Template Reference

Step 1: Add a Ticketing System in Workbench

Make sure you have the destination email address for your ticketing system before you begin these steps.

  1. Log in to Workbench.
  2. Select Organization Settings > My Organization.
    • If you have multiple organizations, you must also select the appropriate organization name from the list.
  3. Scroll down and select the Integrations tab.
  4. Under Email Ticketing Systems, select Add a ticketing destination.
  5. Enter the name of your ticketing system (for example, "Jira" or "Asana") and the email address that will receive the ticket information from Workbench.
  6. Select Add.
  7. Look for an Enabled banner.
  8. Now, select the Test connection link to test the connection.
  9. Check the receiving email and its ticketing system destination to be sure the test worked.
  10. Repeat this process to add any other ticketing systems you wish to integrate.

Step 2: Add Your Organization Notifications

Now that the integration is configured, you can begin setting up your organization notifications. Go to Manage Organization Notifications for Workbench for instructions on adding notifications.

Note

Certain organization notifications are enabled by default, but you can edit them by following the instructions in the linked guide above. For a list of default notifications, see Default Workbench Notifications.

Ticketing Template Reference

All email ticketing notifications are delivered in plain text format and are sent from the Expel SOC (soc@expel.io).

The HTML and Handlebars structures of the most common notifications are outlined below, in case you need to parse these notifications and trigger automated ticketing workflows from them. If a particular notification format is not shown here, please contact Support for further assistance.

Expel Alert Opened

A {{current.expel_severity_display}} 
{{#if (condition current.alert_type "==" "ALERT_TYPE_PHISHING_SUBMISSION")}}
phishing
{{/if}}
alert was identified in your environment.
<br/><br/>
{{current.expel_name}}
<br/>
Expel alert ID: {{current.id}}
<br/>
{{meta.wb_url}}/activity/alerts/{{current.id}}
<br/><br/>
NEXT STEPS
<br/>
- No action required right now.
<br/>
- Stay alert for additional notifications, since the status of the alert may change and we may recommend more next steps as the scope becomes clear.
<br/><br/> 
ALERT DETAILS
<br/>
{{#if (condition current.alert_type "==" "ALERT_TYPE_HUNTING")}}
Expel alert: {{current.expel_name}}
<br/>
Expel alert time: {{current.expel_alert_time}}
{{else if (condition current.alert_type "!=" "ALERT_TYPE_PHISHING_SUBMISSION")}}
Vendor: {{vendor.name}}
<br/>
{{/if}}
{{#if (condition current.alert_type "!=" "ALERT_TYPE_HUNTING")}}
Vendor alert time: {{current.expel_alert_time}}
{{/if}}

Expel Alert Closed

{{#if (condition current.alert_type "==" "ALERT_TYPE_PHISHING_SUBMISSION")}}
A phishing
{{else}}
An
{{/if}}
alert was closed in your environment: {{current.close_reason_display}}.
<br/><br/>
{{current.expel_name}}
<br/>
Expel alert ID: {{current.id}}
<br/>
{{meta.wb_url}}/activity/alerts/{{current.id}}
<br/><br/>
CLOSED REASON
<br/>
{{current.close_reason_display}}
<br/>

<br/>
{{#if (condition current.alert_type "==" "ALERT_TYPE_HUNTING")}}
Expel alert: {{current.expel_name}}
<br/>
Expel alert time: {{current.expel_alert_time}}
{{else if (condition current.alert_type "!=" "ALERT_TYPE_PHISHING_SUBMISSION")}}
Vendor: {{vendor.name}}
<br/>
{{/if}}
{{#if (condition current.alert_type "!=" "ALERT_TYPE_HUNTING")}}
Vendor alert time: {{current.expel_alert_time}}
{{/if}}
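
One way to consume the Expel Alert Opened and Expel Alert Closed notifications above on the receiving side, as an added example (not Expel's code): it checks the sender before acting, accepts either `<br/>` or newline line breaks, and cross-checks the alert ID against the Workbench link. The `Authentication-Results` handling, the rendered layout, and every sample value (ID, Workbench host, gateway name) are assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXPECTED_SENDER = "soc@expel.io"  # sender address stated on this page
OPENED = re.compile(r"^A (.+?)\s+(phishing\s+)?alert was identified in your environment\.", re.M)
CLOSED = re.compile(r"^(A phishing|An)\s+alert was closed in your environment: (.+)\.$", re.M)
ALERT_ID = re.compile(r"^Expel alert ID:[ \t]*(\S+)$", re.M)
ALERT_URL = re.compile(r"^https://\S+/activity/alerts/(\S+)$", re.M)

def normalize(body):  # <br/> -> newline, drop other tags, trim and de-blank lines
    text = re.sub(r"<br\s*/?>", "\n", body, flags=re.I)
    text = re.sub(r"<[^>]+>", "", text)
    return "\n".join(s.strip() for s in text.splitlines() if s.strip())

def parse_alert_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    # Assumption: your mail gateway stamps Authentication-Results and strips inbound copies.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    if sender != EXPECTED_SENDER or not re.search(r"\bdmarc=pass\b", auth):
        raise ValueError("sender not authenticated as " + EXPECTED_SENDER)
    part = msg.get_body(preferencelist=("plain", "html"))
    text = normalize(part.get_content() if part else "")
    opened, closed = OPENED.search(text), CLOSED.search(text)
    alert_id, url = ALERT_ID.search(text), ALERT_URL.search(text)
    if not (opened or closed) or not alert_id or not url:
        raise ValueError("not an alert opened/closed notification")
    if url.group(1) != alert_id.group(1):  # body must be self-consistent
        raise ValueError("alert ID and Workbench link disagree")
    return {
        "event": "alert_opened" if opened else "alert_closed",
        "alert_id": alert_id.group(1),
        "workbench_url": url.group(0),
        "severity": opened.group(1) if opened else None,
        "phishing": bool(opened.group(2)) if opened else closed.group(1) == "A phishing",
        "close_reason": closed.group(2) if closed else None,
    }

# Constructed sample: headers, alert ID and Workbench host are placeholders.
SAMPLE = """\
From: Expel SOC <soc@expel.io>
Authentication-Results: mx.example.com; dmarc=pass header.from=expel.io

A High
phishing
alert was identified in your environment.
Expel alert ID: 11111111-2222-3333-4444-555555555555
https://workbench.example.invalid/activity/alerts/11111111-2222-3333-4444-555555555555
"""
```
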

Investigation Opened

An investigation was kicked off in your environment.
<br/><br/>

<a href="{{meta.wb_url}}/activity/investigations/{{current.short_link}}/actions">{{current.title}}</a>
<br/><br/>

{{#if meta.is_detect_only}}
Next Steps
<br/>
{{current.next_steps}}
{{else}}
Next Steps
<br/>
- Check Workbench for more details. We'll provide more details shortly.
<br/>
- Watch for remediation actions.
{{/if}}
<br/><br/>

{{#if meta.is_detect_only}}
SUMMARY
<br/>
{{current.open_summary}}
<br/>
<br/>
{{else if current.summary}}
SUMMARY
<br/>
{{current.summary}}
<br/>
<br/>
{{/if}}

{{#unless current.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Detection: {{current.detection_type_display}}
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

DETAILS
<br/>
Created by: {{created_by_user_account.display_name}}

Investigation Closed

We closed an investigation: {{current.decision_display}}
<br/>
<br/>
<a href="{{meta.wb_url}}/activity/investigations/{{current.short_link}}/actions">{{current.title}}</a>
<br/>
<br/>

Next Steps 
<br/>
• No action required right now.
<br/>
• If you have questions about this investigation, please contact the SOC or your engagement manager.
<br/><br/>

CLOSE REASON
<br/>
{{current.decision_display}}
<br/><br/>

{{#unless current.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Detection: {{current.detection_type_display}}
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

DETAILS
<br/>
Closed by: {{updated_by_user_account.display_name}}

Verify Action Assigned

A verify action was assigned to your organization.
<br/>
<br/>

{{#if investigation}}
<a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
{{else}}
<a href="{{meta.wb_url}}/alerts/{{current.expel_alert_id}}/actions?investigativeActionId={{current.id}}">Expel Alert</a>
{{/if}}
<br/>
<br/>

Next Steps
<br/>  
- Verify Activity (see below).
<br/>
- Log into Workbench to report the outcome of this investigative action.
<br/>
<br/>
VERIFY ACTIVITY
<br/>
<br/>
{{#markdown}}{{current.instructions}}{{/markdown}}
<br/>
<br/>
DETAILS
<br/>
<br/>
{{#markdown}}{{current.reason}}{{/markdown}}
<br/>
<br/>
Created by: {{created_by_actor.display_name}}
<br/>
<br/>
When you're done, please log into the Expel Workbench to complete the action.
<br/><br/>

{{#unless investigation.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

Incident Opened

{{#if (condition current.analyst_severity "==" "ANALYST_SEVERITY_CRITICAL")}}
A critical {{current.threat_type_display}}  incident has been identified in your environment.
{{else}}
{{#if current.threat_type_display}}A{{else}}An{{/if}} {{current.threat_type_display}} incident has been identified in your environment.
{{/if}}
<br/>
<br/>
<a href="{{meta.wb_url}}/activity/investigations/{{current.short_link}}/actions">{{current.title}}</a>
<br/>
<br/>

{{#if meta.is_detect_only}}
Next Steps
<br/>
{{current.next_steps}}
{{else}}
Next Steps
<br/>
- Check Workbench for more details. We'll provide more details shortly.
<br/>
- Watch for remediation actions.
{{/if}}
<br/>
<br/>

{{#if meta.is_detect_only}}
SUMMARY
<br/>
{{current.open_summary}}
<br/>
<br/>
{{else if current.summary}}
SUMMARY
<br/>
{{current.summary}}
<br/>
<br/>
{{/if}}

{{#unless current.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Detection: {{current.detection_type_display}}
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

DETAILS
<br/>
Created by: {{created_by_user_account.display_name}}

Incident Closed

{{#if (condition current.analyst_severity "==" "ANALYST_SEVERITY_CRITICAL")}}
Critical
{{/if}}
Incident closed
<br/><br/>
<a href="{{meta.wb_url}}/activity/investigations/{{current.short_link}}/actions">{{current.title}}</a>
<br/><br/>

NEXT STEPS
<br/>
• No action required right now.
<br/>
• If you have questions about this incident, please contact the SOC or your engagement manager.
<br/><br/>

{{#if meta.is_detect_only}}
SUMMARY
<br/>
{{current.open_summary}}
<br/>
<br/>
{{else if current.summary}}
SUMMARY
<br/>
{{current.summary}}
<br/>
<br/>
{{/if}}

{{#unless current.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Detection: {{current.detection_type_display}}
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

DETAILS
<br/>
Closed by: {{updated_by_user_account.display_name}}

Comment Added

There's a new comment on the 
{{#if investigation.is_incident}}
incident:
{{else}}
investigation:
{{/if}}
<br/><br/>

<a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/actions">{{investigation.title}}</a>
<br/><br/>

Next steps
<br/>
- Acknowledge and respond, if appropriate
<br/>
<br/>

COMMENT
<br/>
{{current.comment}}
<br/>
<br/>

DETAILS
<br/>
Commenter: {{updated_by_actor.display_name}}
<br/>
Added: {{current.created_at}}
<br/>
{{#if investigation.lead_expel_alert_id}}
Expel alert ID: {{investigation.lead_expel_alert_id}}
{{/if}}

Remediation Action Assigned

{{#unless remediation_action.has_manual_fallback}}A {{#if investigation.is_critical}}critical {{/if}}remediation action was assigned to your organization - {{current.action}}{{/unless}}
{{#if remediation_action.has_manual_fallback}}Expel SOC attempting manual fallback - {{current.action}}{{/if}}
<br/>
<br/>
{{#if (and has_failed_assets (not remediation_action.has_manual_fallback))}} Automation failed, manual remediation needed. {{/if}}
{{#if remediation_action.has_manual_fallback}} Automation failed, Expel SOC attempting manual fallback. {{/if}}
<br/>
<br/>
<a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
<br/>
<br/>
<strong>Remediation Details:</strong>
<br/>
<br/>
{{#markdown}}{{current.action}}{{/markdown}}
<br/>
<br/>
{{#replace-all "\n" "<br />"}}{{detail_markdown}}{{/replace-all}}
<br/>
<br/>
{{#if investigation.is_incident}}
<strong>Incident details:</strong>
<br/>
<br/>
Detection:  {{investigation.detection_type}}
<br/>
Incident name: <a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
<br/>
Time detected: {{investigation.created_at}}
<br/>
Workbench link: {{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings
<br/>
<br/>
{{/if}}
<strong>Details:</strong>
<br/>
<br/>
Created by: {{created_by_actor.display_name}}
<br/><br/>

{{#unless investigation.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

Auto Remediation in Progress

Automated remediation action in progress- {{current.action}}
<br/>
<br/>
{{#if has_failed_assets}} Automation failed, manual remediation needed. {{/if}}
<br/>
<br/>
<a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
<br/>
<br/>
<strong>Remediation Details:</strong>
<br/>
<br/>
{{#markdown}}{{current.action}}{{/markdown}}
<br/>
<br/>
{{#replace-all "\n" "<br />"}}{{detail_markdown}}{{/replace-all}}
<br/>
<br/>
{{#if investigation.is_incident}}
<strong>Incident details:</strong>
<br/>
<br/>
Detection:  {{investigation.detection_type}}
<br/>
Incident name: {{investigation.title}}
<br/>
Time detected: {{investigation.created_at}}
<br/>
Workbench link: {{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings
<br/>
<br/>
{{/if}}
<strong>Details:</strong>
<br/>
<br/>
Created by: {{created_by_actor.display_name}}
<br/><br/>

{{#unless investigation.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

Remediation Completed

A {{#if investigation.is_critical}}critical {{/if}}remediation action for your organization was completed - {{current.action}}
<br/>
<br/>
<a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
<br/>
<br/>
<strong>Remediation Details:</strong>
<br/>
<br/>
{{#markdown}}{{current.action}}{{/markdown}}
<br/>
<br/>
{{#replace-all "\n" "<br />"}}{{detail_markdown}}{{/replace-all}}
<br/>
<br/>
{{#if investigation.is_incident}}
<strong>Incident details:</strong>
<br/>
<br/>
Detection:  {{investigation.detection_type}}
<br/>
Incident name: <a href="{{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings">{{investigation.title}}</a>
<br/>
Time detected: {{investigation.created_at}}
<br/>
Workbench link: {{meta.wb_url}}/activity/investigations/{{investigation.short_link}}/findings
<br/>
<br/>
{{/if}}
<strong>Details:</strong>
<br/>
<br/>
Created by: {{created_by_actor.display_name}}
<br/><br/>

{{#unless investigation.lead_expel_alert_id }}
INITIAL LEAD
<br/>
Organization reported
{{else}}
INITIAL LEAD
<br/>
Expel alert name: {{lead_expel_alert.expel_name}}
<br/>
Expel alert ID: {{lead_expel_alert.id}}
<br/>
Expel alert time: {{lead_expel_alert.created_at}}
{{/unless}}
<br/><br/>

Unhealthy Security Device

Security device {{current.name}} has a problem: {{security_device.problem}}
<br/><br/>