Skip to main content

Overview

This recipe shows how to automatically triage dark web alert tickets and then notify the end user and close/update the ticket with the correct status. It uses two simple workflows working in sequence.
  • Workflow 1: Triage (Triggered)
    • Sets the correct Company and Contact
    • Optionally confirms the ticket is indeed a dark web alert (if needed)
    • Applies updates to the PSA via Update Ticket Fields
  • Workflow 2: Build Message and Close (Triggered, runs after Triage)
    • Generates a customer-facing message using Build Message
    • Sends the message to the ticket contact (Notify Ticket's Contact)
    • Updates ticket status and any additional fields via Update Ticket Fields
If your dark web alerts always enter a dedicated queue/board, you can rely on the workflow trigger or filtering by that queue and skip explicit “is this dark web?” checks. If not, add a brief detection step in the triage instructions to confirm it’s a dark web alert before proceeding.

Workflow 1: Triage Company and Contact

Basic Configuration

1

Create the workflow

  • Name: “Dark Web Alert - Triage”
  • Type: Triggered
  • Trigger Conditions:
    • Ticket created
2

Add Ticket Triage action

Action: Ticket TriageFocus fields: Company, Contact (and optionally Type/Subtype if you want)This action will identify the correct Company and Contact from the alert details.
3

Add Update Ticket Fields action

Action: Update Ticket FieldsAdd this action in the Write to PSA section so Company and Contact are set in your PSA. This action writes changes into your PSA.
When first enabling, you can start with an Add Ticket Note action to log what would have been applied, then switch to Update Ticket Fields once confident.

Workflow 2: Build Message and Close/Update Status

Basic Configuration

1

Create the workflow

  • Name: “Dark Web Alert - Notify and Close”
  • Type: Triggered
  • Trigger Type: Add “Workflow Finished” trigger and select the previous Triage workflow
2

Add Build Message action

Action: Build Message
  • Message Type: Customer Facing
  • Instructions (plain English; describe the style and content, not a fixed template):
Create a clear, concise message to the end user acknowledging the dark web alert. Include:
- A brief explanation of what the alert means in non-technical terms
- Any immediate recommended steps (e.g., reset password, enable MFA)
- Reassurance on next steps and that we are monitoring
- Keep professional, calm, and helpful tone
This generates a customer-facing communication that will be sent to the ticket contact.
3

Add Update Ticket Fields action

Action: Update Ticket Fields
  • Add Update Ticket Fields in Write to PSA section
  • Mark the checkbox “Update Additional Fields”
  • A dropdown for the New Status will appear
  • Select the new Status (e.g., “Customer Notified” or “Closed - Notified”) to move the ticket to
4

Add Notify Ticket's Contact action

Action: Notify Ticket’s Contact
  • Uses the message generated by Build Message
  • Selects the ticket contact as the recipient
This sends the customer-facing message to the end user.

Best practices

  • Start with note-only runs to validate messaging and status changes
  • Keep triage instructions short and focused on Company/Contact identification
  • Use company-level custom instructions if specific clients need tailored messaging or routing