Use Torq Cases workflow triggers to automate case management. By setting up workflows that trigger on key events throughout a case's lifecycle, you can streamline processes and enhance efficiency. For instance, automatically enrich observables as soon as they're associated with a case, ensuring that critical data is immediately processed and actionable.
Below is a list of the events you can use as workflow triggers. You can add trigger conditions to limit the scenarios in which workflows using these triggers will execute. Each event includes a use case example and an example of the trigger event.
Use the Custom trigger scenario to trigger a workflow when case updates don't fall under the scope of other triggers.
Assigned to a Teammate
Use the Assigned to a teammate scenario to trigger a workflow whenever a case is assigned.
Example Use Case: Confirming Case Assignments
Automate confirmation requests for new case assignments.
Trigger Configuration:
Use the Assigned to a teammate trigger with a trigger condition checking if the case was not self-assigned.
Confirmation Request:
Prompt the assignee to confirm they will handle the case.
Timeout Handling:
If there is no confirmation, reassign the case to the team lead to ensure prompt attention.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:36.619305Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-22T08:29:54.091605Z",
"description": "",
"id": 4,
"prettyId": "#4",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-22T08:29:54.091605Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "test case",
"updatedTime": "2023-04-22T08:30:20.119589Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_ASSIGNEE_UPDATED",
"timestamp": "2023-04-22T08:30:36.638093212Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Attachment Added
Use the Attachment Added scenario to trigger a workflow whenever an attachment is added to a case.
Use Case Example: Notify Case Assignee of New Attachment
Trigger Setup:
Use the Attachment Added trigger. Set relevant trigger conditions.
Case Review:
Retrieve case details to determine if the uploader is the case assignee.
Notification:
If the uploader isn't the assignee, notify the assignee about the new attachment, providing a download link.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"attachments": {
"current": {
"caseId": 3,
"createdAt": "2023-05-07T10:28:33.421020Z",
"fileName": "200-0-4.jpeg",
"id": "ed2d9ce4-b603-4e80-93a2-c0960ca27123",
"mimeType": "image/jpeg",
"relativePath": "0ba55c55-d47e-4f07-9f10-15f47c1ae129/cases/3:200-0-4.jpe",
"size": 24971
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ATTACHMENT_CREATED",
"timestamp": "2023-05-07T10:28:33.440336411Z",
"triggeredBy": {
"kind": "USER",
"user": {
"email": "***@***.***"
}
}
}
Category Changed
Use the Category changed scenario to trigger a workflow when the category of a case is set or updated.
Use Case Example: Automatically Update Custom Fields on Category Change
Trigger Setup:
Use the Category Changed trigger.
Field Review:
Compare existing custom fields of the case with those required for its updated category.
Update Fields:
For each missing custom field, add it to the case.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": null,
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_CATEGORY_UPDATED",
"timestamp": "2023-11-23T08:30:54.797214680Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
Comment Added
Use the Comment added scenario to trigger a workflow whenever a comment is added to a case timeline.
Use Case Example: Notify Assignee on New Comment
Trigger Setup:
Use the Comment added trigger, applying necessary conditions.
Assignee Check:
Retrieve case details to verify if it has an assignee.
Notification:
If the case is assigned, notify the assignee about the new comment.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"comments": {
"current": {
"case_id": 71,
"content": "comment",
"id": "9a1d7276-44cd-4701-****-6c4ac020d440"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "COMMENT_CREATED",
"timestamp": "2023-07-03T11:21:16.739582950Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Custom
Use the Custom trigger scenario to trigger a workflow upon case updates to which the rest of the triggers don't apply.
Use Case Example: Notify on Automatic Case Description Update
Trigger Configuration:
Use the Custom trigger and add trigger conditions to execute the workflow when a case description is set or updated by a workflow.
Notification Logic:
If the case has an assignee, notify them; if not, alert the relevant Slack channel.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "A user's computer was found infected with a Trojan horse malware variant. The malware is capable of stealing sensitive information and executing unauthorized commands.",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:58.136911Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "",
"category": "Malware",
"created_at": "2023-11-23T08:30:52.608856Z",
"description": "",
"id": 1492,
"pretty_id": "#1492",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-11-23T08:30:52.608856Z",
"value": "28800"
},
"state": {
"id": 1,
"type": 1,
"value": "NEW"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-11-23T08:30:54.740722Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_UPDATED",
"timestamp": "2023-11-23T08:30:58.193885908Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "66786b0c-0166-****-8cd1-1912748bcee1",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
Custom Field Updated
Use the Custom field updated scenario to trigger a workflow whenever a custom field of a case is updated.
Use Case Example: Notify on Custom Field Update
Trigger Setup:
Use the Custom Field Updated workflow trigger.
Case Assignment Check:
Retrieve case details to determine if it's assigned.
Notification:
If assigned, notify the case assignee about the custom field update.
If unassigned, send a notification to the relevant Slack channel based on the analyst tier.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"custom_fields": {
"current": {
"case_id": 75,
"key": "tier",
"schema": {
"type": 2
},
"value": ""
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CUSTOM_FIELD_UPDATED",
"timestamp": "2023-07-04T13:05:42.453672953Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Event Updated
Use the Event updated scenario to trigger a workflow whenever an event is attached to or detached from a case.
If the case was created by a workflow triggered by an integration event, the trigger event will automatically be attached to the case.
Use Case Example: Assign a Task on Event Update
Trigger Setup:
Use the Event updated workflow trigger.
Case Identification:
Extract the case ID from the trigger event.
Task Assignment:
Assign a task to the case for enhanced visibility.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"attachable_events": {
"current": {
"case_id": 916,
"event_type": 1,
"id": "5dde59e0-400e-****-b345-e1eb3c28a4a0",
"name": "Duplicate event",
"pretty_id": "AA-00****",
"timestamp": "2023-09-27T11:08:36.588661Z",
"type_details_json": {},
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "CASE_EVENT_UPDATED",
"timestamp": "2023-09-27T11:08:40.215319425Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "c14f3898-d906-****-83ee-f082f9cfc625",
"id": "7ad1413f-1cec-****-a822-12fa4b376358"
}
}
}
Link Updated
Use the Link updated scenario to trigger a workflow whenever cases are linked, unlinked, or a link is updated.
Use Case Example: Notify on New Case Link
Trigger Setup:
Utilize the Link Updated trigger with a trigger condition for the workflow to execute when a link is created.
Case Retrieval:
Fetch details for cases involved in the new link.
Notification Logic:
Notify assignees of cases linked to the newly linked case.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"links": {
"current": {
"actor": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"created_at": "2023-07-03T11:45:32.181410Z",
"description": "I think these cases are related",
"first_case_id": 71,
"second_case_id": 64,
"updated_at": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "LINK_UPDATED",
"timestamp": "2023-07-03T11:45:32.199733160Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
New Case Created
Use the New case created scenario to trigger a workflow when any case is created.
Example Use Case: Automated Priority Handling for VIP Incidents
When a case is created, you can run additional checks on its properties. For example, if the case was created due to a user's suspicious activity, you may want to check whether the user is a power user with elevated privileges (VIP). If so, the incident should be prioritized, and you may wish to notify additional stakeholders.
Trigger Setup:
Use the New case created trigger with the trigger condition that the case category is Identity & Access Management.
VIP Verification:
Determine if the involved user is a VIP by checking their group memberships via your identity management service, such as Okta.
Action Steps:
If the user is a VIP, increase the case severity to critical, document the findings in a comment, and update the case status to In Progress.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "Demo",
"updatedTime": null
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "CASE_CREATED",
"timestamp": "2023-04-21T17:30:13.191079973Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Note Updated
Use the Note updated scenario to trigger a workflow each time a note is added, updated, or deleted in a case.
Example Use Case: Notification on Note Updates
Automate notifications to the case assignee when a note is updated.
Trigger Setup:
Use the Note updated trigger and customize with necessary trigger conditions.
Retrieve Case Information:
Use the Get case details step to fetch case data.
Notification Logic:
Verify if the case assignee made the update. If someone else did, send a Slack message to inform the assignee about the change.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"notes": {
"current": {
"case_id": 1970,
"content": "<p>The note content.</p>",
"created_at": "2024-01-10T14:54:26.297023Z",
"created_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
},
"id": "8d509422-ae66-****-bd17-e04dfad43a65",
"title": "New note",
"updated_at": null,
"updated_by": null
},
"previous": null
},
"operation": "CREATE",
"scenario_id": "NOTE_UPDATED",
"timestamp": "2024-01-10T14:54:26.326555964Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Observable Added
Use the Observable added scenario to trigger a workflow whenever an observable is associated with a case.
Example Use Case: Enriching Observables
Trigger Setup:
Use the Observable added trigger and add a trigger condition for the workflow to execute only if the observable is an IP address.
Enrichment Process:
Simultaneously enrich the IP with several services.
Scoring and Response:
Convert the verdicts into a unified score to determine if the IP is malicious and potentially escalate the case severity.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"associatedObservable": {
"current": {
"caseId": 3,
"isPinned": false,
"observable": {
"description": "",
"firstObserved": "2023-04-21T18:20:06.643786Z",
"id": 5,
"lastObserved": "2023-04-21T18:20:06.643786Z",
"reputation": 2,
"value": {
"ip": "9.9.9.9"
}
},
"witnessedAt": "2023-04-21T18:20:06.643786Z"
},
"previous": null
},
"operation": "CREATE",
"scenarioId": "ASSOCIATED_OBSERVABLE_CREATED",
"timestamp": "2023-04-21T18:20:06.672584658Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Observable Created
Use the Observable created scenario to trigger a workflow whenever an observable is added to the workspace.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"operation": "CREATE",
"timestamp": "2024-02-21T12:41:53.128189041Z",
"observables": {
"current": {
"id": 31,
"workspace_id": "",
"first_observed_at": "2024-02-21T12:40:57.153162Z",
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "10.10.10.10"
},
"sub_type": {
"id": 3,
"name": "IP_ADDRESS_IPV4"
},
"reputation": {
"id": 0,
"name": "UNKNOWN"
},
"description": "***",
"last_observed_at": "2024-02-21T12:41:53.119881Z"
},
"previous": null
},
"scenario_id": "OBSERVABLE_CREATED",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@**.**"
}
}
}
Observable Updated
Use the Observable updated scenario to trigger a workflow for every update of an observable, regardless of whether it's associated with any cases.
Example Use Case: Notifying Case Assignees of Unsafe Observables
Trigger Configuration:
Use the Observable updated trigger with a trigger condition so that the workflow executes only when the observable's reputation is updated to indicate that it is not safe or may not be safe.
Case Retrieval:
Fetch all cases linked to the unsafe observable.
Notification Process:
For each case, update the timeline with a comment and notify the assignee.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"observables": {
"current": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 5,
"name": "MAY_NOT_BE_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
},
"previous": {
"description": "",
"first_observed_at": "2023-07-03T09:54:25.904609Z",
"id": 10,
"last_observed_at": "2023-07-03T09:58:07.170794Z",
"reputation": {
"id": 1,
"name": "VERY_SAFE"
},
"type": {
"id": 2,
"name": "IP_ADDRESS"
},
"value": {
"ip": "13.13.13.13"
},
"workspace_id": ""
}
},
"operation": "UPDATE",
"scenario_id": "OBSERVABLE_UPDATED",
"timestamp": "2023-07-03T10:18:11.509992672Z",
"triggered_by": {
"kind": "USER",
"user": {
"email": "***@***.io"
}
}
}
Severity Changed
Use the Severity changed scenario to trigger a workflow whenever there's a modification to the case severity.
Example Use Case: Notifying On-Call Engineers
Trigger Setup:
Use the Severity changed trigger and add a trigger condition so that the workflow executes only when the case severity is updated to critical.
Engineer Notification:
Cycle through the on-call engineers, requesting immediate case review.
Case Assignment:
Assign the case to the first engineer confirming availability.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 5,
"value": "SEVERITY_ID_CRITICAL"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:50.643336Z"
},
"previous": {
"assignee": "",
"category": "",
"createdTime": "2023-04-16T07:43:02.097970Z",
"description": "",
"id": 2,
"prettyId": "#2",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-16T07:43:02.097970Z"
},
"state": {
"id": 1,
"value": "STATE_ID_NEW"
},
"title": "test case 2",
"updatedTime": "2023-04-18T09:06:45.912276Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_SEVERITY_UPDATED",
"timestamp": "2023-04-18T09:06:50.695505597Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
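The trigger conditions described under Assigned to a Teammate (the case was not self-assigned) and Severity Changed (severity updated to critical), evaluated in Python against the current/previous event shape shown on this page. This is an added example, not Torq's code: the function names, the trimmed sample events and their example.com addresses are constructed, and it assumes events may arrive in either key style seen in the samples (scenarioId or scenario_id).

```python
import re

def snake(key):
    """scenarioId -> scenario_id; snake_case keys pass through unchanged."""
    return re.sub(r"(?<=[a-z0-9])([A-Z])", r"_\1", key).lower()

def normalize(obj):
    """Recursively rewrite camelCase keys so one code path reads both styles."""
    if isinstance(obj, dict):
        return {snake(k): normalize(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [normalize(v) for v in obj]
    return obj

# Update timestamps differ on every event, so they are left out of the diff.
IGNORED = {"updated_time", "updated_at"}

def changed_fields(event, entity="cases"):
    """Map each differing field to (previous, current); previous is null on CREATE."""
    pair = normalize(event).get(entity) or {}
    cur, prev = pair.get("current") or {}, pair.get("previous") or {}
    return {k: (prev.get(k), cur.get(k))
            for k in sorted(set(cur) | set(prev))
            if k not in IGNORED and prev.get(k) != cur.get(k)}

def actor(event):
    """Return (kind, identifier) for whoever triggered the event."""
    by = normalize(event).get("triggered_by") or {}
    # Some sample events omit "kind"; infer it from the key that is present.
    kind = by.get("kind") or ("WORKFLOW" if "workflow" in by else "USER")
    if kind == "USER":
        return kind, (by.get("user") or {}).get("email")
    return kind, (by.get("workflow") or {}).get("id")

def assigned_by_someone_else(event):
    """Condition from the assignment use case: the case was not self-assigned."""
    ev = normalize(event)
    if ev.get("scenario_id") != "CASE_ASSIGNEE_UPDATED":
        return False
    assignee = (ev["cases"]["current"].get("assignee") or "").lower()
    kind, ident = actor(event)
    if not assignee:  # assignee cleared: nobody to ask for confirmation
        return False
    return not (kind == "USER" and (ident or "").lower() == assignee)

def severity_name(sev):
    """Samples show both SEVERITY_ID_CRITICAL and CRITICAL; reduce to the latter."""
    value = (sev or {}).get("value", "")
    return value[len("SEVERITY_ID_"):] if value.startswith("SEVERITY_ID_") else value

def escalated_to_critical(event):
    """Condition from the severity use case: severity was updated to critical."""
    ev = normalize(event)
    if ev.get("scenario_id") != "CASE_SEVERITY_UPDATED":
        return False
    pair = ev["cases"]
    now = severity_name(pair["current"].get("severity"))
    before = severity_name((pair.get("previous") or {}).get("severity"))
    return now == "CRITICAL" and before != "CRITICAL"

# Constructed sample events, trimmed to the fields the checks read.
ASSIGN_EVENT = {
    "cases": {"current": {"id": 4, "assignee": "analyst@example.com",
                          "updatedTime": "2023-04-22T08:30:36Z"},
              "previous": {"id": 4, "assignee": "",
                           "updatedTime": "2023-04-22T08:30:20Z"}},
    "operation": "UPDATE", "scenarioId": "CASE_ASSIGNEE_UPDATED",
    "triggeredBy": {"user": {"email": "lead@example.com"}},
}
SEVERITY_EVENT = {
    "cases": {"current": {"id": 2, "severity": {"id": 5, "value": "SEVERITY_ID_CRITICAL"}},
              "previous": {"id": 2, "severity": {"id": 2, "value": "SEVERITY_ID_LOW"}}},
    "operation": "UPDATE", "scenarioId": "CASE_SEVERITY_UPDATED",
    "triggeredBy": {"user": {"email": "lead@example.com"}},
}
CATEGORY_EVENT = {  # snake_case style, triggered by a workflow
    "cases": {"current": {"id": 1492, "category": "Malware"},
              "previous": {"id": 1492, "category": ""}},
    "operation": "UPDATE", "scenario_id": "CASE_CATEGORY_UPDATED",
    "triggered_by": {"kind": "WORKFLOW", "workflow": {"id": "wf-constructed"}},
}
```

The same checks apply when a workflow forwards trigger events to an external system, where a single normalization step avoids maintaining two parsers for the two key styles.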
State Changed
Use the State changed scenario to trigger a workflow for every case state transition.
Use Case Example: Assigning Cases to Team Members
Trigger Setup:
Use the State changed trigger with a trigger condition for the workflow to execute when a case moves from New to In progress.
Assignment and Notification:
Randomly assign the case to a team member and alert them via Slack.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 3,
"value": "STATE_ID_ON_HOLD"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:31:28.513722Z"
},
"previous": {
"assignee": "***.***@***.***",
"category": "Identity & Access Management",
"createdTime": "2023-04-21T17:30:11.889956Z",
"description": "case description",
"id": 3,
"prettyId": "#3",
"reporter": {
"user": {
"email": "***.***@***.***"
}
},
"severity": {
"id": 2,
"value": "SEVERITY_ID_LOW"
},
"sla": {
"due": "86400s",
"endedTime": null,
"startedTime": "2023-04-21T17:30:11.889956Z"
},
"state": {
"id": 2,
"value": "STATE_ID_IN_PROGRESS"
},
"title": "Demo",
"updatedTime": "2023-04-21T17:30:25.398745Z"
}
},
"operation": "UPDATE",
"scenarioId": "CASE_STATE_UPDATED",
"timestamp": "2023-04-21T17:31:28.543872751Z",
"triggeredBy": {
"user": {
"email": "***.***@***.***"
}
}
}
Tags Updated
Use the Tags updated scenario to trigger a workflow whenever the tags of a case are updated.
Use Case Example: Link Cases by Updated Tag
Trigger Setup:
Use the Tags Updated workflow trigger.
Tag Processing:
Loop through each added or updated tag.
Case Retrieval:
Use the Query Cases step to find cases associated with the tag.
Link Creation:
Link all retrieved cases to the main case using the tag as the link description.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"cases": {
"current": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [
"Malicious observable"
],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:42.393278Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
},
"previous": {
"assignee": "***@***.io",
"category": "Malware",
"created_at": "2023-07-04T07:30:34.071311Z",
"description": "Case description.",
"id": 79,
"pretty_id": "#79",
"reporter": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
},
"resolution_summary": {
"details": "",
"reason": ""
},
"runbook_id": "",
"severity": {
"id": 5,
"value": "CRITICAL"
},
"sla": {
"end_time": null,
"start_time": "2023-07-04T07:30:34.071311Z",
"value": "28800"
},
"state": {
"id": 2,
"type": 2,
"value": "IN_PROGRESS"
},
"tags": [],
"tasks": {
"pending": 0
},
"title": "Malware Infection - Trojan Horse Detected",
"updated_at": "2023-07-04T07:30:41.536989Z",
"workspace_id": "0ba55c55-d47e-****-9f10-15f47c1ae129"
}
},
"operation": "UPDATE",
"scenario_id": "CASE_TAGS_UPDATED",
"timestamp": "2023-07-04T07:30:42.424070622Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "3c108583-2c02-****-9610-d488bac571dd",
"id": "1da523e5-0b8d-****-adb4-868f40677b50"
}
}
}
User Mentioned
Use the User mentioned scenario to trigger a workflow whenever one or more users are mentioned in a case timeline comment. The user or users can be mentioned in a comment that's added manually by typing @ and selecting a user from the list, or automatically by using the Add comment to case step. The syntax to mention a user in an automatic comment is: <m:user@company.com>. The user email can also be specified from the workflow context.
Use Case Example: Notify Mentioned Users
Trigger Setup:
Use the User mentioned workflow trigger.
Retrieve Case Details:
Fetch the case details, such as the case title for inclusion in the Slack message.
Notification Loop:
Loop through the mentioned users, sending each a Slack message that includes the relevant information.
Trigger event example
This is an example of the trigger event this scenario will generate:
{
"operation": "CREATE",
"scenario_id": "USER_MENTIONED",
"timestamp": "2023-08-03T10:17:55.025121927Z",
"triggered_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-3d8c-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"user_mentions": {
"current": {
"context": {
"id": 1,
"value": "CASE_TIMELINE_COMMENT"
},
"entity_id": 363,
"entity_type": {
"id": 1,
"value": "CASE"
},
"full_text": "Automatic comment <m:user@company.io> <m:user2@company.io>",
"mentioned_by": {
"kind": "WORKFLOW",
"workflow": {
"execution_id": "eae79217-****-****-b0ca-fe75fad23b43",
"id": "87a11d93-79ff-****-be2a-5f5dfb31f118"
}
},
"mentioned_users": [
"user@company.io",
"user2@company.io"
],
"timestamp": "2023-08-03T10:17:55.024959065Z"
}
}
}