Setting Up Actions
Configure automated responses that trigger when employees cross score thresholds or specific security events occur. Actions ensure threats are addressed promptly without manual intervention.
Action Configuration
Navigate to Admin → Actions to manage automated actions. The actions page shows all configured actions with their trigger conditions, status, and execution count.
Creating an Action
- Click Create Action
- Choose the trigger type:
  - Score threshold: Triggers when the score enters a band
  - Event-based: Triggers on specific event types
  - Scheduled: Runs on a schedule (e.g., weekly training reminders)
- Configure the action type and parameters
- Set approval requirements (auto-execute or require approval)
- Activate the action
Available Action Types
| Action | Category | Requires Approval |
|---|---|---|
| Send email notification | Notification | No |
| Send Slack/Teams message | Notification | No |
| Create SOC ticket | Notification | No |
| Assign training module | Training | No |
| Schedule coaching session | Training | No |
| Require step-up MFA | Access Control | No (default) |
| Revoke sessions | Access Control | Yes (default) |
| Restrict access | Access Control | Yes (default) |
| Lock account | Access Control | Yes (default) |
| Send webhook | Integration | No |
Approval Defaults
Actions that restrict employee access require security team approval by default. While this can be changed to auto-execute, we strongly recommend keeping approval enabled to prevent disruption from false positives.
Approval Workflow
When an action requires approval:
- The action is queued in Admin → Actions → Pending Approvals
- Designated approvers receive a notification
- An approver reviews the context (employee, score, triggering event)
- The action is approved or rejected with an optional comment
Action History
View all executed actions in Admin → Actions → History:
- Timestamp and trigger details
- Target employee
- Action taken and result (success/failure)
- Approval status and approver (if applicable)