This table contains all the possible event and action combinations for email notifications. If the condition and property fields are blank, there is no modifier for that notification type. You can print this page and use it as a checklist to help you select notifications and confirm that you entered all the needed notifications in Workbench.
Notify me for this event... |
and this action... |
with this condition... |
...and this specific property |
---|---|---|---|
Incident |
is created |
incident severity |
is critical is not critical |
Incident |
is closed |
reason to close |
activity blocked activity failed benign false positive IT misconfiguration other phishing simulation possible policy violation PUP/PUA testing |
Incident |
is closed |
incident severity |
is critical is not critical |
Incident |
is downgraded |
incident severity |
is critical is not critical |
Incident |
is assigned to my org |
incident severity |
is critical is not critical |
Investigation |
is created |
||
Investigation |
is closed |
||
Investigation |
has an alert added |
||
Investigation |
is assigned to my org |
||
Comment |
is created |
||
Resilience recommendation |
is created |
||
Resilience recommendation |
is updated |
||
Investigative action |
is assigned to my org |
||
Investigative action |
is assigned to me |
||
Remediation action |
is assigned to my org |
remediation type |
reset credentials contain hosts contain infected removable media delete malicious files disable and modify AWS access keys mitigate vulnerability other remediation remove and block email forwarding address remove malicious email disable user account remove inbox rules for known compromised accounts block malicious domains, subdomains, URLs, and IPs block sender address block sender domain block known bad hashes delete compromised instances reimage compromised hosts |
Remediation action |
is completed |
||
Remediation action |
is automated |
remediation action type |
block known bad hashes contain hosts remove malicious email disable user account |
Remediation action |
is assigned to me |
||
Security device |
has a health status change |
||
Assembler |
has a health status change |
||
Incident findings |
are completed |
||
Verify action |
is assigned to my org |
||
Verify action |
is assigned to me |
||
Notify action |
is assigned to my org |
||
User account |
is activated |
Related articles: