This table contains all the possible event and action combinations for organization notifications. If the condition fields are blank, there is no modifier for that notification type. The Notify through this path column is blank so that you can fill in the notification channel(s) of your choice.
You can print this page and use it as a checklist to help you select notifications and confirm that you entered all the desired notifications in Workbench:

| For this event... | and this action... | with this condition... | and this specific property... | Notify through this path: (Slack, PagerDuty, and so on) |
|---|---|---|---|---|
| Assembler | has a health status change | | | |
| Expel Alert | is created | alert severity | critical, high, medium, low, testing, tuning | |
| Expel Alert | is closed | alert severity | critical, high, medium, low, testing, tuning | |
| Expel Alert | is closed | reason to close | activity blocked, activity failed, benign, false positive, IT misconfiguration, other, phishing simulation, possible policy violation, PUP/PUA, testing | |
| Incident | is created | incident severity | is critical, is not critical | |
| Incident | is downgraded | incident severity | is critical, is not critical | |
| Incident | is assigned to my org | incident severity | is critical, is not critical | |
| Investigation | is created | | | |
| Investigation | is closed | reason to close | activity blocked, activity failed, benign, false positive, IT misconfiguration, other, phishing simulation, possible policy violation, PUP/PUA, testing | |
| Investigation | has an alert added | | | |
| Investigation | is assigned to my org | | | |
| Investigative action | is assigned to my org | | | |
| Notify action | is assigned to my org | | | |
| Remediation action | is assigned to my org | remediation action type | block command and control communications, block known bad hashes, block malicious domains and IPs, block sender address, block sender domain, contain hosts, contain infected removable media, delete compromised instances, delete malicious files, disable and modify AWS access keys, disable user account, mitigate vulnerability, other remediation, reimage compromised hosts, remove and block email forwarding address, remove inbox rules for known compromised accounts, remove malicious email, reset credentials | |
| Remediation action | is automated | remediation action type | block known bad hashes, contain hosts, disable user account, remove malicious email | |
| Security device | has a health status change | | | |
| Verify action | is assigned to my org | | | |

For instructions on configuring organization notifications, see the Organization Notifications article.