Create a Workflow
Workflows help you systematically block suspicious activity and reduce risk without slowing down trusted users.
To create a workflow:
- Select Workflows from the navigation pane and click the + at the top of the page to either +Create or +Import a workflow.
- Enter a unique Name, an optional description, and select or input a Default Outcome. The Default Outcome defines what happens when no rules in the Workflow are triggered, ensuring there's always a clear outcome applied.
- Click Add Rule.
- Define your conditions using Filters. Filters (signals) are grouped by Email, IP, Phone, and User Agent categories. If you have created lists to group accounts, they are also available to add to a rule.
- Select the API response outcome. This is the string that the Verosint API will respond with if the condition is met.
- Select actions (optional). Specify actions that should trigger when the condition is met. For available variables to customize your emails and messages, see Action Variables. Supported actions include:
  - Send Email: Trigger an email notification to specified recipients or distribution list.
  - Send Slack Message: Trigger a message to specified Slack channels.
  - Send Teams Message: Trigger a message to specified Microsoft Teams channels.
  - Send to Datadog: Send event details as a JSON payload to Datadog.
  - Send to Splunk: Send event details as a JSON payload to Splunk.
  - Send to Webhook: Send event details as a JSON payload to a custom webhook.
  - Add to List: Automatically add an entity (account, session, device, etc.) to a selected List for future monitoring or investigation.
- Hit Save. The workflow is ready!
Required Integrations for Actions: Slack, Teams, Datadog, Splunk, and Webhook actions only appear if those integrations are already configured in your Account Settings.
Notification Payloads: For Datadog, Splunk, and Webhook, the event payload is identical to what you receive through your configured SIEM Logs.
Message Customization: To personalize your Email, Slack, or Teams messages, see Action Variables.

Add Rules to your Workflow
To ensure your rules function as intended, use the Evaluate tab to test them. Enter an account ID, email, IP address, phone number, and/or user agent and click Evaluate. Check the response to see whether the rule worked as intended.

Workflows and Auth0
All properties from the Auth0 event object (Actions Triggers: post-login - Event Object) are available to reference from Workflows under parameters.<Auth0 property name>. You can set an action to ALLOW and have Auth0 prompt Login Success. You can also set an action to ALLOW_WITH_MFA to prompt Auth0 to require MFA. Set an action to DENY to reject a login attempt.
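
The outcome handling described above, as an added example that is not Verosint's or Auth0's own code: it maps a workflow outcome string onto the Auth0 post-login `api` calls and covers the case where the string is not one of the three named here. `getOutcome`, `fallbackOutcome`, `makePostLoginHandler` and `makeRecordingApi` are hypothetical names, and denying on an unrecognized outcome is an assumption of this example.

```javascript
// Added example: enforce a workflow outcome in an Auth0 post-login Action.
// ALLOW, ALLOW_WITH_MFA and DENY are the outcomes named on this page;
// getOutcome and fallbackOutcome are hypothetical names for this example.
const DENY_REASON = 'Login rejected by risk policy';

function enforceOutcome(outcome, api) {
  switch (outcome) {
    case 'ALLOW':
      return 'allowed'; // no API call: Auth0 completes the login
    case 'ALLOW_WITH_MFA':
      api.multifactor.enable('any'); // require any enrolled factor
      return 'mfa_required';
    case 'DENY':
      api.access.deny(DENY_REASON);
      return 'denied';
    default:
      // Outcomes are free-form strings, so a typo or a new custom outcome
      // ends up here. Assumption of this example: fail closed.
      api.access.deny(DENY_REASON);
      return 'denied_unknown_outcome';
  }
}

// getOutcome(event) is supplied by the caller and resolves to the outcome
// string returned for this login. If it throws (timeout, network error),
// fallbackOutcome is enforced instead, so the behaviour during an outage
// is an explicit choice rather than an accident.
function makePostLoginHandler(getOutcome, fallbackOutcome) {
  return async function onExecutePostLogin(event, api) {
    let outcome;
    try {
      outcome = await getOutcome(event);
    } catch (err) {
      outcome = fallbackOutcome;
    }
    return enforceOutcome(outcome, api);
  };
}

// Constructed stand-in for the Auth0 `api` object that records the calls,
// so the mapping can be checked outside Auth0.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    access: { deny: (reason) => calls.push(['deny', reason]) },
    multifactor: { enable: (provider) => calls.push(['mfa', provider]) },
  };
}
```

In an Auth0 Action, the handler returned by `makePostLoginHandler` would be assigned to `exports.onExecutePostLogin`.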