Automate Dark Web Alert Tickets
This recipe shows how to automatically triage dark web alert tickets and then notify the end user and close/update the ticket with the correct status. It uses two simple workflows working in sequence.
Overview
- Workflow 1: Triage (Triggered)
  - Sets the correct Company and Contact
  - Optionally confirms the ticket is indeed a dark web alert (if needed)
  - Applies updates to the PSA via Update Ticket Fields
- Workflow 2: Build Message and Close (Triggered, runs after Triage)
  - Generates a customer-facing message using Build Message
  - Sends the message to the ticket contact (Notify Ticket's Contact)
  - Updates ticket status and any additional fields via Update Ticket Fields
If your dark web alerts always enter a dedicated queue/board, you can rely on the workflow trigger or filtering by that queue and skip explicit “is this dark web?” checks. If not, add a brief detection step in the triage instructions to confirm it’s a dark web alert before proceeding.
Prerequisites
- A queue/board or clear filter that captures dark web alerts, OR clear keywords to detect them
- Access to Triggered Workflows
- Familiarity with these actions:
Workflow 1: Triage Company and Contact
Basic Configuration
- Type: Triggered
- Trigger: When ticket is created (or when ticket enters your “Dark Web Alerts” board/queue)
- Actions:
  - Ticket Triage – Identify Company and Contact (and optionally confirm “dark web alert” classification)
  - Update Ticket Fields – Apply Company and Contact to the ticket in your PSA
Detailed Setup
Step 1: Create the Workflow
- Name: “Dark Web Alert - Triage”
- Type: Triggered
- Trigger Conditions:
  - If using dedicated queue: Board.Name = "Dark Web Alerts" (or your equivalent)
  - If not using a dedicated queue: trigger on creation and rely on triage instructions for detection
Step 2: Add Actions
Action 1: Ticket Triage
- Focus fields: Company, Contact (and optionally Type/Subtype if you want)
Refer to the full action doc: Ticket Triage
Action 2: Update Ticket Fields
- Add Update Ticket Fields in the Write to PSA section so Company and Contact are set in your PSA
- This action writes changes into your PSA
See: Update Ticket Fields
When first enabling, you can start with an Add Ticket Note action to log what would have been applied, then switch to Update Ticket Fields once confident.
Workflow 2: Build Message and Close/Update Status
Basic Configuration
- Type: Triggered
- Trigger: After the triage workflow finishes
- Actions:
  - Build Message – Create customer-facing communication
  - Notify Ticket's Contact – Send the message
  - Update Ticket Fields – Change Status and any additional fields
Detailed Setup
Step 1: Create the Workflow
- Name: “Dark Web Alert - Notify and Close”
- Type: Triggered
- Trigger Type: Add "Workflow Finished" trigger and select the previous Triage workflow
Step 2: Add Actions
Action 1: Build Message
- Message Type: Customer Facing
- Instructions (plain English; describe the style and content, not a fixed template):
Create a clear, concise message to the end user acknowledging the dark web alert. Include:
- A brief explanation of what the alert means in non-technical terms
- Any immediate recommended steps (e.g., reset password, enable MFA)
- Reassurance on next steps and that we are monitoring
- Keep a professional, calm, and helpful tone
See: Build Message
Action 2: Update Ticket Fields
- Add Update Ticket Fields in the Write to PSA section
- Mark the checkbox "Update Additional Fields"
- A dropdown for the New Status will appear
- Select the new Status (e.g., “Customer Notified” or “Closed - Notified”) to move the ticket to.
See: Update Ticket Fields
Action 3: Notify Ticket's Contact
- Uses the message generated by Build Message
- Selects the ticket contact as the recipient
Best Practices
- Start with note-only runs to validate messaging and status changes
- Keep triage instructions short and focused on Company/Contact identification
- Use company-level custom instructions if specific clients need tailored messaging or routing