Skip to main content
All CollectionsBuild AutomationsCases
Cases Triggers: Initiate Workflows with Torq Case Management Events
Cases Triggers: Initiate Workflows with Torq Case Management Events

Get to know the events within the case lifecycle that can serve as triggers for Torq workflows.

Updated over 2 months ago

Use Torq Cases workflow triggers to automate case management. By setting up workflows that trigger on key events throughout a case's lifecycle, you can streamline processes and enhance efficiency. For instance, automatically enrich observables as soon as they're associated with a case, ensuring that critical data is immediately processed and actionable.

Below is a list of the events you can use as workflow triggers. You can add trigger conditions to limit the scenarios in which workflows using these triggers will execute. Each event includes a use case example and an example of the trigger event.

Use the Custom trigger scenario to trigger a workflow when case updates don't fall under the scope of other triggers.

Create a workflow with a Torq Cases trigger

Assigned to a Teammate

Use the Assigned to a teammate scenario to trigger a workflow whenever a case is assigned.

Example Use Case: Confirming Case Assignments

Automate confirmation requests for new case assignments.

  1. Trigger Configuration:

    • Use the Assigned to a teammate trigger with a trigger condition checking if the case was not self-assigned.

  2. Confirmation Request:

    • Prompt the assignee to confirm they will handle the case.

  3. Timeout Handling:

    • If there is no confirmation, reassign the case to the team lead to ensure prompt attention.

case assigned trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:36.619305Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:20.119589Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_ASSIGNEE_UPDATED",
"timestamp": "2023-04-22T08:30:36.638093212Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}

Attachment Added

Use the Attachment Added scenario to trigger a workflow whenever an attachment is added to a case.

Use Case Example: Notify Case Assignee of New Attachment

  1. Trigger Setup:

    • Use the Attachment Added trigger. Set relevant trigger conditions.

  2. Case Review:

    • Retrieve case details to determine if the uploader is the case assignee.

  3. Notification:

    • If the uploader isn't the assignee, notify the assignee about the new attachment, providing a download link.

Attachment added trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"attachments": {
"current": {
"caseId": 3,
"createdAt": "2023-05-07T10:28:33.421020Z",
"fileName": "200-0-4.jpeg",
"id": "ed2d9ce4-b603-4e80-93a2-c0960ca27123",
"mimeType": "image/jpeg",
"relativePath": "0ba55c55-d47e-4f07-9f10-15f47c1ae129/cases/3:200-0-4.jpe",
"size": 24971
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ATTACHMENT_CREATED",
"timestamp": "2023-05-07T10:28:33.440336411Z",
"triggeredBy": {
"kind": "USER",
"user": {
"email": "***@***.***"
}
}
}

Category Changed

Use the Category changed scenario to trigger a workflow when the category of a case is set or updated.

Use Case Example: Automatically Update Custom Fields on Category Change

  1. Trigger Setup:

    • Use the Category Changed trigger.

  2. Field Review:

    • Compare existing custom fields of the case with those required for its updated category.

  3. Update Fields:

    • For each missing custom field, add it to the case.

Category changed trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": null,
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_CATEGORY_UPDATED",
"timestamp": "2023-11-23T08:30:54.797214680Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}

Comment Added

Use the Comment added scenario to trigger a workflow whenever a comment is added to a case timeline.

Use Case Example: Notify Assignee on New Comment

  1. Trigger Setup:

    • Use the Comment added trigger, applying necessary conditions.

  2. Assignee Check:

    • Retrieve case details to verify if it has an assignee.

  3. Notification:

    • If the case is assigned, notify the assignee about the new comment.

Comment added trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"comments": {
"current": {
"case_id": 71,
"content": "comment",
"id": "9a1d7276-44cd-4701-****-6c4ac020d440"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "COMMENT_CREATED",
"timestamp": "2023-07-03T11:21:16.739582950Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}

Custom

Use the Custom trigger scenario to trigger a workflow upon case updates to which the rest of the triggers don't apply.

Use Case Example: Notify on Automatic Case Description Update

  1. Trigger Configuration:

    • Use the Custom trigger and add trigger conditions to execute the workflow when a case description is set or updated by a workflow.

  2. Notification Logic:

    • If the case has an assignee, notify them; if not, alert the relevant Slack channel.

Custom trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "A user's computer was found infected with a Trojan horse malware variant. The malware is capable of stealing sensitive information and executing unauthorized commands.",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:58.136911Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_UPDATED",
"timestamp": "2023-11-23T08:30:58.193885908Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}

Custom Field Updated

Use the Custom field updated scenario to trigger a workflow whenever a custom field of a case is updated.

Use Case Example: Notify on Custom Field Update

  1. Trigger Setup:

    • Use the Custom Field Updated workflow trigger.

  2. Case Assignment Check:

    • Retrieve case details to determine if it's assigned.

  3. Notification:

    • If assigned, notify the case assignee about the custom field update.

    • If unassigned, send a notification to the relevant Slack channel based on the analyst tier.

Custom field updated trigeer use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"custom_fields": {
"current": {
"case_id": 75,
"key": "tier",
"schema": {
"type": 2
},
"value": ""
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CUSTOM_FIELD_UPDATED",
"timestamp": "2023-07-04T13:05:42.453672953Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}

Event Updated

Use the Event updated scenario to trigger a workflow whenever an event is attached to or detached from a case.

If the case was created by a workflow triggered by an integration event, the trigger event will automatically be attached to the case.

Use Case Example: Assign a Task on Event Update

  1. Trigger Setup:

    • Use the Event updated workflow trigger.

  2. Case Identification:

    • Extract the case ID from the trigger event.

  3. Task Assignment:

    • Assign a task to the case for enhanced visibility.

Event updated trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"attachable_events": {
"current": {
"case_id": 916,
"event_type": 1,
"id": "5dde59e0-400e-****-b345-e1eb3c28a4a0",
"name": "Duplicate event",
"pretty_id": "AA-00****",
"timestamp": "2023-09-27T11:08:36.588661Z",
"type_details_json": {},
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CASE_EVENT_UPDATED",
"timestamp": "2023-09-27T11:08:40.215319425Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "c14f3898-d906-****-83ee-f082f9cfc625",
"id": "7ad1413f-1cec-****-a822-12fa4b376358"
}
}
}

Link Updated

Use the Link updated scenario to trigger a workflow whenever cases are linked, unlinked, or a link is updated.

Use Case Example: Notify on New Case Link

  1. Trigger Setup:

    • Utilize the Link Updated trigger with a trigger condition for the workflow to execute when a link is created.

  2. Case Retrieval:

    • Fetch details for cases involved in the new link.

  3. Notification Logic:

    • Notify assignees of cases linked to the newly linked case.

Link updated trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"links": {
"current": {
"actor": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"created_at": "2023-07-03T11:45:32.181410Z",
"description": "I think these cases are related",
"first_case_id": 71,
"second_case_id": 64,
"updated_at": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "LINK_UPDATED",
"timestamp": "2023-07-03T11:45:32.199733160Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}

New Case Created

Use the New case created scenario to trigger a workflow when any case is created.

Example Use Case: Automated Priority Handling for VIP Incidents

When a case is created, you can run additional checks on its properties. For example, if the case was created due to a user's suspicious activity, you may want to check whether the user is a power user with elevated privileges (VIP). If so, the incident should be prioritized, and you may wish to notify additional stakeholders.

  1. Trigger Setup:

    • Use the New case created trigger with the trigger condition that the case category is Identity & Access Management.

  2. VIP Verification:

    • Determine if the involved user is a VIP by checking their group memberships via your identity management service, such as Okta.

  3. Action Steps:

    • If the user is a VIP, increase the case severity to critical, document the findings in a comment, and update the case status to In Progress.

case created trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "Demo",
"updatedTime": null
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "CASE_CREATED",
"timestamp": "2023-04-21T17:30:13.191079973Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}

Note Updated

Use the Note updated scenario to trigger a workflow each time a note is added, updated, or deleted in a case.

Example Use Case: Notification on Note Updates

Automate notifications to the case assignee when a note is updated.

  1. Trigger Setup:

    • Use the Note updated trigger and customize with necessary trigger conditions.

  2. Retrieve Case Information:

    • Use the Get case details step to fetch case data.

  3. Notification Logic:

    • Verify if the case assignee made the update. If someone else did, send a Slack message to inform the assignee about the change.

Note updated trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"notes": {
"current": {
"case_id": 1970,
"content": "<p>The note content.</p>",
"created_at": "2024-01-10T14:54:26.297023Z",
"created_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"id": "8d509422-ae66-****-bd17-e04dfad43a65",
"title": "New note",
"updated_at": null,
"updated_by": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "NOTE_UPDATED",
"timestamp": "2024-01-10T14:54:26.326555964Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}

Observable Added

Use the Observable added scenario to trigger a workflow whenever an observable is associated with a case.

Example Use Case: Enriching Observables

  1. Trigger Setup:

    • Use the Observable added trigger and add a trigger condition for the workflow to execute only if the observable is an IP addresses.

  2. Enrichment Process:

    • Simultaneously enrich the IP with several services.

  3. Scoring and Response:

    • Convert the verdicts into a unified score to determine if the IP is malicious and potentially escalate the case severity.

Added an Observable trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"associatedObservable": {
"current": {
"caseId": 3,
"isPinned": false,
"observable": {
"description": "",
"firstObserved": "2023-04-21T18:20:06.643786Z",
"id": 5,
"lastObserved": "2023-04-21T18:20:06.643786Z",
"reputation": 2,
"value": {
"ip": "9.9.9.9"
}
},
"witnessedAt": "2023-04-21T18:20:06.643786Z"
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
"timestamp": "2023-04-21T18:20:06.672584658Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}

Observable Created

Use the Observable created scenario to trigger a workflow whenever an observable is added to the workspace.

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"operation": "CREATE",
"timestamp": "2024-02-21T12:41:53.128189041Z",
"observables": {
"current": {
"id": 31,
"workspace_id": "",
"first_observed_at": "2024-02-21T12:40:57.153162Z",
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "10.10.10.10"
},
"sub_type": {
"id": 3,
"name": "IP_ADDRESS_IPV4"
},
"reputation": {
"id": 0,
"name": "UNKNOWN"
},
"description": "***",
"last_observed_at": "2024-02-21T12:41:53.119881Z"
},
"previous": null
},
"scenario_id": "OBSERVABLE_CREATED",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@**.**"
}
}
}

Observable Updated

Use the Observable updated scenario to trigger a workflow for every update of an observable, regardless of whether it's associated with any cases.

Example Use Case: Notifying Case Assignees of Unsafe Observables

  1. Trigger Configuration:

    • Use the Observable updated trigger and a trigger condition for the workflow to execute only when the observable reputation is updated to indicate that it's not or may not be safe.

  2. Case Retrieval:

    • Fetch all cases linked to the unsafe observable.

  3. Notification Process:

    • For each case, update the timeline with a comment and notify the assignee.

Observable updated trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"observables": {
"current": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 5,
"name": "MAY_NOT_BE_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
},
"previous": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 1,
"name": "VERY_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
}
},
"operation": "UPDATE",
"scenario_id": "OBSERVABLE_UPDATED",
"timestamp": "2023-07-03T10:18:11.509992672Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}

Severity Changed

Use the Severity changed scenario to trigger a workflow whenever there's a modification to the case severity.

Example Use Case: Notifying On-Call Engineers

  1. Trigger Setup:

    • Use the Severity changed trigger and add a trigger condition so that the workflow executes only when the case severity is updated to critical.

  2. Engineer Notification:

    • Cycle through the on-call engineers, requesting immediate case review.

  3. Case Assignment:

    • Assign the case to the first engineer confirming availability.

case severity changed trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 5,
"value": "SEVERITY_ID_CRITICAL"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:50.643336Z"
},
"previous": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:45.912276Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_SEVERITY_UPDATED",
"timestamp": "2023-04-18T09:06:50.695505597Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}

State Changed

Use the State changed scenario to trigger a workflow for every case state transition.

Use Case Example: Assigning Cases to Team Members

  1. Trigger Setup:

    • Use the State changed trigger with a trigger condition for the workflow to execute when a case moves from New to In progress.

  2. Assignment and Notification:

    • Randomly assign the case to a team member and alert them via Slack.

case state changed trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 3,
"value": "STATE_ID_ON_HOLD"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:31:28.513722Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:30:25.398745Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_STATE_UPDATED",
"timestamp": "2023-04-21T17:31:28.543872751Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}

Tags Updated

Use the Tags updated scenario to trigger a workflow whenever the tags of a case are updated.

Use Case Example: Link Cases by Updated Tag

  1. Trigger Setup:

    • Use the Tags Updated workflow trigger.

  2. Tag Processing:

    • Loop through each added or updated tag.

  3. Case Retrieval:

    • Use Query Cases step to find cases associated with the tag.

  4. Link Creation:

    • Link all retrieved cases to the main case using the tag as the link description.

Tags updated trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"cases": {
"current": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [
"Malicious observable"
],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:42.393278Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description.",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:41.536989Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_TAGS_UPDATED",
"timestamp": "2023-07-04T07:30:42.424070622Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}

User Mentioned

Use the User mentioned scenario to trigger a workflow whenever one or more users are mentioned in a case timeline comment. The user or users can be mentioned in a comment that's added manually by typing @ and selecting a user from the list or automatically by using the Add comment to case step. The syntax to mention a user in an automatic comment is: <m:user@company.com>. The user email can also be specified from the workflow context.

Use Case Example: Notify Mentioned Users

  1. Trigger Setup:

    • Use the User mentioned workflow trigger.

  2. Retrieve Case Details:

    • Fetch the case details, such as the case title for inclusion in the Slack message.

  3. Notification Loop:

    • Loop through the mentioned users, sending each a Slack message that includes the relevant information.

User mentioned trigger use case

Trigger event example

This is an example of the trigger event this scenario will generate:

{
"operation": "CREATE",
"scenario_id": "USER_MENTIONED",
"timestamp": "2023-08-03T10:17:55.025121927Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-3d8c-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"user_mentions": {
"current": {
"context": {
"id": 1,
"value": "CASE_TIMELINE_COMMENT"
},
"entity_id": 363,
"entity_type": {
"id": 1,
"value": "CASE"
},
"full_text": "Automatic comment <m:user@company.io> <m:user2@company.io>",
"mentioned_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-****-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"mentioned_users": [
"user@company.io",
"user2@company.io"
],
"timestamp": "2023-08-03T10:17:55.024959065Z"
}
}
}

Did this answer your question?