This table contains all the possible event and action combinations for user notifications. If the condition and property fields are blank, there is no modifier for that notification type. You can print this page and use it as a checklist to help you select notifications and confirm that you entered all the needed notifications in Workbench.

Notify me for this event...

and this action...

with this condition...

...and this specific property

Incident

is created

incident severity

is critical

is not critical

Incident

is closed

reason to close

activity blocked

activity failed

benign

false positive

IT misconfiguration

other

Phishing simulation

possible policy violation

PUP/PUA

testing

Incident

is closed

incident severity

is critical

is not critical

Incident

is downgraded

incident severity

is critical

is not critical

Incident

is assigned to my org

incident severity

is critical

is not critical

Investigation

is created

Investigation

is closed

Investigation

has an alert added

Investigation

is assigned to my org

Comment

is created

Resilience recommendation

is created

Resilience recommendation

is updated

Investigative action

is assigned to my org

Investigative action

is assigned to me

Remediation action

is assigned to my org

remediation type

reset credentials

contain hosts

contain infected removable media

delete malicious files

disable and modify AWS access keys

mitigate vulnerability

other remediation

remove and block email forwarding address

remove malicious email

disable user account

remove inbox rules for known compromised accounts

block malicious domains, subdomains, URLs, and IPs

block sender address

block sender domain

block known bad hashes

delete compromised instances

reimage compromised hosts

Remediation action

is completed

Remediation action

is automated

remediation action type

block known bad hashes

contain hosts

remove malicious email

disable user account

Remediation action

is assigned to me

Security device

has a health status change

Assembler

has a health status change

Incident findings

are completed

Verify action

is assigned to my org

Verify action

is assigned to me

Notify action

is assigned to my org

User account

is activated

For more information about user notifications, see the User notifications article.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!