Automated Actions

TIDALBAY can automatically respond to security risks based on employee scores and events. Actions range from notifications to access restrictions, ensuring threats are addressed before they become breaches.

How Actions Work

Actions are triggered by two types of conditions:

  • Score-based: Triggered when an employee's score enters a specific band or crosses a threshold
  • Event-based: Triggered immediately when a specific security event occurs

When conditions are met, TIDALBAY executes the configured action automatically (or queues it for approval, depending on the action type).

Built-in Actions

Notifications

  • Email notification: Send an alert to managers, security team, or the employee
  • Slack/Teams message: Post to a channel or send a DM
  • Webhook: Send event data to an external system
  • SOC ticket: Create a ticket in your SIEM or ticketing system

Training

  • Assign training module: Automatically assign specific training based on the risk type
  • Training reminder: Send follow-up reminders for incomplete training
  • Schedule coaching session: Trigger a real-time coaching intervention via TidalBay Coach

Access Control

  • Step-up MFA: Require additional authentication for the next login
  • Session revocation: End active sessions and require re-authentication
  • Access restriction: Limit access to sensitive resources
  • Account lockout: Temporarily disable the account (requires approval by default)

Destructive Actions
Actions that restrict access (session revocation, access restriction, account lockout) require security team approval by default. You can configure these to auto-execute, but we recommend keeping approval enabled so that a false positive does not lock a legitimate employee out.

Configuring Actions

Navigate to Admin → Actions to manage automated actions.

Creating an Action

  1. Click Create Action
  2. Select the trigger type (score-based or event-based)
  3. Configure the trigger conditions
  4. Select the action type (notification, training, access control)
  5. Configure action parameters
  6. Set whether the action requires approval or auto-executes
  7. Click Save

Action Chains

You can chain multiple actions together for a graduated response:

Score drops to Yellow (60-79):
  → Notify manager via email
  → Assign security awareness refresher

Score drops to Orange (40-59):
  → Notify manager + security team
  → Assign mandatory training
  → Enable enhanced monitoring

Score drops to Red (20-39):
  → Alert security team (urgent)
  → Require step-up MFA
  → Restrict sensitive resource access
  → Create SOC ticket
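The following is a small rule engine added here as an illustration; it is not TIDALBAY's own code or API. It models the two trigger types described under "How Actions Work" and the graduated chain above: score rules fire only when a score enters a new band (so a score that moves within Yellow does not re-trigger the Yellow chain), event rules fire immediately, and the access-restricting actions named under "Destructive Actions" are queued for approval unless the rule explicitly opts into auto-execution. Every rule name, action identifier, event name and employee below is constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Score bands as given in the Action Chains example: (low, high), both inclusive.
SCORE_BANDS = {"Yellow": (60, 79), "Orange": (40, 59), "Red": (20, 39)}

# Actions that restrict access; per the page these need approval by default.
ACCESS_RESTRICTING = {"session_revocation", "access_restriction", "account_lockout"}


@dataclass
class Rule:
    name: str
    trigger_type: str           # "score" (band entry) or "event" (named event)
    condition: str              # band name for score rules, event name for event rules
    actions: list               # action identifiers to run, in order
    auto_execute: bool = False  # opt-in override for access-restricting actions


@dataclass
class HistoryEntry:
    timestamp: str
    trigger: str
    employee: str
    action: str
    status: str                 # "executed" or "pending_approval"


def band_for(score):
    """Return the band name for a score, or None if no band matches."""
    for name, (low, high) in SCORE_BANDS.items():
        if low <= score <= high:
            return name
    return None


def requires_approval(action, rule):
    """Access-restricting actions need approval unless the rule opts out."""
    return action in ACCESS_RESTRICTING and not rule.auto_execute


class ActionEngine:
    def __init__(self, rules):
        self.rules = rules
        self.history = []       # the Action History: every action, executed or queued

    def _run(self, rule, employee, trigger):
        entries = []
        for action in rule.actions:
            status = "pending_approval" if requires_approval(action, rule) else "executed"
            entry = HistoryEntry(datetime.now(timezone.utc).isoformat(), trigger,
                                 employee, action, status)
            self.history.append(entry)
            entries.append(entry)
        return entries

    def on_score_change(self, employee, old_score, new_score):
        """Fire score rules only when the employee enters a new band."""
        old_band, new_band = band_for(old_score), band_for(new_score)
        if new_band is None or new_band == old_band:
            return []
        fired = []
        for rule in self.rules:
            if rule.trigger_type == "score" and rule.condition == new_band:
                fired += self._run(rule, employee, f"score {old_score}->{new_score} ({new_band})")
        return fired

    def on_event(self, employee, event_name):
        """Fire event rules immediately when a matching event occurs."""
        fired = []
        for rule in self.rules:
            if rule.trigger_type == "event" and rule.condition == event_name:
                fired += self._run(rule, employee, f"event {event_name}")
        return fired

    def pending(self):
        """Entries waiting for security team approval."""
        return [e for e in self.history if e.status == "pending_approval"]


# The page's graduated chain encoded as rules (all identifiers are constructed).
CHAIN_RULES = [
    Rule("yellow", "score", "Yellow", ["email_manager", "assign_refresher"]),
    Rule("orange", "score", "Orange", ["email_manager", "email_security",
                                       "assign_mandatory_training", "enhanced_monitoring"]),
    Rule("red", "score", "Red", ["alert_security_urgent", "step_up_mfa",
                                 "access_restriction", "soc_ticket"]),
    Rule("phish", "event", "phishing_link_clicked", ["assign_phishing_module"]),
]


if __name__ == "__main__":
    engine = ActionEngine(CHAIN_RULES)
    for e in engine.on_score_change("alice", 85, 72) + engine.on_score_change("alice", 72, 35):
        print(e)
    print("awaiting approval:", [e.action for e in engine.pending()])
```

Note that step-up MFA is not in the approval-gated set, matching the page: it executes immediately in the Red chain while the access restriction waits for a reviewer. Recording queued actions in the history alongside executed ones is what lets you audit false positives later, as the Monitoring section recommends.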

Action History

All actions are logged in the Action History with:

  • Timestamp and trigger details
  • Target employee
  • Action taken and result
  • Approval status (if applicable)

Monitoring
Review the Action History regularly to identify patterns and tune your action configurations. Too many false positives can lead to alert fatigue.

Integration with External Systems

Actions can integrate with your existing security stack:

  • SIEM: Forward events and actions to Splunk, Sentinel, or other SIEMs
  • SOAR: Trigger playbooks in your SOAR platform
  • IdP: Push access changes to Okta or Azure AD
  • Ticketing: Create tickets in Jira, ServiceNow, or Zendesk

Next Steps