This table contains all the possible event and action combinations for organization notifications. If the condition fields are blank, there is no modifier for that notification type. The Notify through this path column is blank so that you can fill in the notification channel(s) of your choice.

You can print this page and use it as a checklist to help you select notifications and confirm that you entered all the desired notifications in Workbench:

| For this event... | and this action... | with this condition... | and this specific property... | Notify through this path: (Slack, PagerDuty, and so on) |
| --- | --- | --- | --- | --- |
| Assembler | has a health status change | | | |
| Expel Alert | is created | alert severity | critical; high; medium; low; testing; tuning | |
| Expel Alert | is closed | alert severity | critical; high; medium; low; testing; tuning | |
| Expel Alert | is closed | reason to close | activity blocked; activity failed; benign; false positive; IT misconfiguration; other; phishing simulation; possible policy violation; PUP/PUA; testing | |
| Incident | is created | incident severity | is critical; is not critical | |
| Incident | is downgraded | incident severity | is critical; is not critical | |
| Incident | is assigned to my org | incident severity | is critical; is not critical | |
| Investigation | is created | | | |
| Investigation | is closed | reason to close | activity blocked; activity failed; benign; false positive; IT misconfiguration; other; phishing simulation; possible policy violation; PUP/PUA; testing | |
| Investigation | has an alert added | | | |
| Investigation | is assigned to my org | | | |
| Investigative action | is assigned to my org | | | |
| Notify action | is assigned to my org | | | |
| Remediation action | is assigned to my org | remediation action type | block command and control communications; block known bad hashes; block malicious domains and IPs; block sender address; block sender domain; contain hosts; contain infected removable media; delete compromised instances; delete malicious files; disable and modify AWS access keys; disable user account; mitigate vulnerability; other remediation; reimage compromised hosts; remove and block email forwarding address; remove inbox rules for known compromised accounts; remove malicious email; reset credentials | |
| Remediation action | is automated | remediation action type | block known bad hashes; contain hosts; disable user account; remove malicious email | |
| Security device | has a health status change | | | |
| Verify action | is assigned to my org | | | |

For instructions on configuring organization notifications, see the Organization Notifications article.

Tip

This page was accurate at the time of writing, but changes happen. If you find the instructions are outdated, let us know via your engagement manager or account representative.