This table contains all the possible event and action combinations for email notifications. If the condition and property fields are blank, there is no modifier for that notification type. You can print this page and use it as a checklist to help you select notifications and confirm that you entered all the needed notifications in Workbench.

| Notify me for this event... | and this action... | with this condition... | ...and this specific property |
| --- | --- | --- | --- |
| Incident | is created | incident severity | is critical; is not critical |
| Incident | is closed | reason to close | activity blocked; activity failed; benign; false positive; IT misconfiguration; other; phishing simulation; possible policy violation; PUP/PUA; testing |
| Incident | is closed | incident severity | is critical; is not critical |
| Incident | is downgraded | incident severity | is critical; is not critical |
| Incident | is assigned to my org | incident severity | is critical; is not critical |
| Investigation | is created | | |
| Investigation | is closed | | |
| Investigation | has an alert added | | |
| Investigation | is assigned to my org | | |
| Comment | is created | | |
| Resilience recommendation | is created | | |
| Resilience recommendation | is updated | | |
| Investigative action | is assigned to my org | | |
| Investigative action | is assigned to me | | |
| Remediation action | is assigned to my org | remediation type | reset credentials; contain hosts; contain infected removable media; delete malicious files; disable and modify AWS access keys; mitigate vulnerability; other remediation; remove and block email forwarding address; remove malicious email; disable user account; remove inbox rules for known compromised accounts; block malicious domains, subdomains, URLs, and IPs; block sender address; block sender domain; block known bad hashes; delete compromised instances; reimage compromised hosts |
| Remediation action | is completed | | |
| Remediation action | is automated | remediation action type | block known bad hashes; contain hosts; remove malicious email; disable user account |
| Remediation action | is assigned to me | | |
| Security device | has a health status change | | |
| Assembler | has a health status change | | |
| Incident findings | are completed | | |
| Verify action | is assigned to my org | | |
| Verify action | is assigned to me | | |
| Notify action | is assigned to my org | | |
| User account | is activated | | |

 
