Create a Workflow

Workflows help you systematically block suspicious activity and reduce risk without slowing down trusted users.

To create a workflow:

  1. Select Workflows from the navigation pane and click the + at the top of the page to either +Create or +Import a workflow.

  2. Enter a unique Name, an optional description, and select or input a Default Outcome. The Default Outcome defines what happens when no rules in the Workflow are triggered, ensuring there's always a clear outcome applied.

  3. Click Add Rule.

  4. Define your conditions using Filters. Filters (signals) are grouped by Email, IP, Phone, and User Agent categories. If you have created lists to group accounts, they are also available to add to a rule.

  5. Select the API response outcome. This is the string that the Verosint API will respond with if the condition is met.

  6. Select actions (optional). Specify actions that should trigger when the condition is met. For available variables to customize your emails and messages, see Action Variables. Supported actions include:

    1. Send Email: Trigger an email notification to specified recipients or distribution list.
    2. Send Slack Message: Trigger a message to specified Slack channels.
    3. Send Teams Message: Trigger a message to specified Microsoft Teams channels.
    4. Send to Datadog: Send event details as a JSON payload to Datadog.
    5. Send to Splunk: Send event details as a JSON payload to Splunk.
    6. Send to Webhook: Send event details as a JSON payload to a custom webhook.
    7. Add to List: Automatically add an entity (account, session, device, etc.) to a selected List for future monitoring or investigation.
  7. Hit Save. The workflow is ready!

Required Integrations for Actions: Slack, Teams, Datadog, Splunk, and Webhook actions only appear if those integrations are already configured in your Account Settings.

Notification Payloads: For Datadog, Splunk, and Webhook, the event payload is identical to what you receive through your configured SIEM Logs.

Message Customization: To personalize your Email, Slack, or Teams messages, see Action Variables.

Add a Rule

Add Rules to your Workflow

To ensure your rules function as intended, use the Evaluate tab to test them. Enter an account ID, email, IP address, phone number, and/or user agent and click Evaluate. Check the response to see whether the rule worked as intended.

Workflows and Auth0

All properties from the Auth0 event object (Actions Triggers: post-login - Event Object) are available to reference from Workflows under parameters.<Auth0 property name>. You can set an action to ALLOW and have Auth0 prompt Login Success. You can also set an action to ALLOW_WITH_MFA to prompt Auth0 to require MFA. Set an action to DENY to reject a login attempt.
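
The sketch below is an added example, not Verosint or Auth0 project code: it shows how the three outcome strings named above could be enforced inside an Auth0 post-login Action, tightening access when the outcome is missing or is a custom string the handler does not recognize. `enforceOutcome`, `makeRecordingApi`, the deny message and the fallback policy are assumptions, and how the outcome is obtained from Verosint is not shown.

```javascript
// Added illustration; outcome names come from the page, everything else is assumed.
const KNOWN_OUTCOMES = new Set(["ALLOW", "ALLOW_WITH_MFA", "DENY"]);
// Assumption: a fallback may only tighten access, never silently allow.
const SAFE_FALLBACKS = new Set(["ALLOW_WITH_MFA", "DENY"]);

// Apply a workflow outcome string to the Auth0 post-login `api` object.
// Matching is exact: "allow", " ALLOW" or a custom outcome such as "REVIEW"
// is treated as unrecognized and replaced by the fallback.
function enforceOutcome(rawOutcome, api, fallback = "ALLOW_WITH_MFA") {
  if (!SAFE_FALLBACKS.has(fallback)) {
    throw new Error("fallback must be ALLOW_WITH_MFA or DENY");
  }
  const recognized =
    typeof rawOutcome === "string" && KNOWN_OUTCOMES.has(rawOutcome);
  const applied = recognized ? rawOutcome : fallback;
  if (applied === "DENY") {
    api.access.deny("Login rejected by risk workflow"); // constructed message
  } else if (applied === "ALLOW_WITH_MFA") {
    api.multifactor.enable("any", { allowRememberBrowser: false });
  } // ALLOW: make no call, the login proceeds
  return { applied, recognized };
}

// Hypothetical stand-in for Auth0's `api`, recording calls so this runs offline.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => calls.push(["deny", reason]) },
    multifactor: {
      enable: (provider, opts) => calls.push(["mfa", provider, opts]),
    },
  };
}

// Constructed sample outcomes, including a custom string and a missing value.
for (const outcome of ["ALLOW", "ALLOW_WITH_MFA", "DENY", "REVIEW", undefined]) {
  const api = makeRecordingApi();
  const result = enforceOutcome(outcome, api);
  console.log(String(outcome), "->", result.applied, api.calls.map((c) => c[0]));
}
```

Logging `recognized: false` results is a useful check that a Workflow's Default Outcome or a custom rule outcome has not drifted from what the login handler expects.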