
Workflow Template: War-Room Orchestrator HyperAgent

Automates initial incident response coordination by opening a Slack channel for confirmed true positive security cases.

Updated this week

The "War-Room Orchestrator HyperAgent" workflow template is designed to streamline incident response for confirmed true positive security cases. When a case is resolved as "True positive - malicious," this workflow automatically creates a dedicated Slack incident response channel, gathers full case context, and queries for on-call personnel. It posts a structured incident summary with actionable recommendations, ensuring rapid coordination and communication among responders.

Optional Triggers

It could be triggered from a QuickAction for an accelerated escalation.

Use Cases

Case Management

Workflow Breakdown

  1. Triggers when a Case transitions to RESOLVED with resolution "True positive - malicious"

  2. HyperAgent fetches full case context (details, observables, attachments, timeline, notes)

  3. Queries the responders table for on-call personnel.

  4. Creates dedicated Slack IR channel (ir-case-[id])

  5. Posts a structured Block Kit incident summary with the collected case data and actionable recommendations
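
The steps above, sketched as an added example (not the template's own code): it gates on the trigger condition, derives the `ir-case-[id]` channel name, and builds the Block Kit summary, escaping case text because titles and observables can carry attacker-supplied strings. The case field names, the sample case and the Slack user IDs are constructed assumptions, and the block only builds payloads without calling Slack.

```python
import re

# Constructed sample case; field names are assumptions, not the product's schema.
CASE = {
    "id": "4821",
    "status": "RESOLVED",
    "resolution": "True positive - malicious",
    "title": "Credential phishing <!channel> reported by finance",
    "observables": ["login-portal.example", "203.0.113.7"],
}
ON_CALL = ["U0EXAMPLE1", "U0EXAMPLE2"]  # constructed Slack user IDs

def should_trigger(case):
    """Step 1: fire only on RESOLVED with resolution 'True positive - malicious'."""
    return (case.get("status") == "RESOLVED"
            and case.get("resolution") == "True positive - malicious")

def channel_name(case_id):
    """Step 4: ir-case-[id], reduced to characters Slack allows in channel names."""
    slug = re.sub(r"[^a-z0-9_-]", "-", str(case_id).lower())
    return ("ir-case-" + slug)[:80]

def escape_mrkdwn(text):
    """Escape Slack control characters so case data cannot inject mentions or links."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def summary_blocks(case, responders):
    """Step 5: Block Kit summary built from the collected case data."""
    obs = "\n".join("• " + escape_mrkdwn(o) for o in case["observables"])
    oncall = " ".join("<@" + u + ">" for u in responders)  # IDs from the responders table
    return [
        {"type": "header",
         "text": {"type": "plain_text", "text": ("IR case " + case["id"])[:150]}},
        {"type": "section", "fields": [
            {"type": "mrkdwn", "text": "*Title*\n" + escape_mrkdwn(case["title"])},
            {"type": "mrkdwn", "text": "*Resolution*\n" + escape_mrkdwn(case["resolution"])},
            {"type": "mrkdwn", "text": "*On-call*\n" + oncall}]},
        {"type": "section", "text": {"type": "mrkdwn", "text": "*Observables*\n" + obs}},
    ]

def build_war_room(case, responders):
    """Return channel name and blocks, or None when the trigger condition is not met."""
    if not should_trigger(case):
        return None
    return {"channel": channel_name(case["id"]), "blocks": summary_blocks(case, responders)}
```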

Vendors

Utils

Workflow Output

Fully provisioned Slack war room with context, responders added, and summary pinned, within seconds of true positive confirmation.

Tips
