v9.0
Note: This workflow is provided as a basic skeleton template and is designed to be fully customizable to suit your specific needs. Customization of the workflow will be required to align it with your exact requirements, and any adjustments made to the workflow will be the responsibility of the user.

How It Works
In this example, the subflow starts by looking at information collected and enriched in earlier steps of the workflow. For instance, it examines alert details such as the type of threat (e.g., phishing or malware) and which security tool detected it (e.g., Outlook or CrowdStrike). Based on these details, the subflow follows one of two paths:
- If the alert is a phishing attempt detected by Outlook:
  The subflow routes the alert to a specific process for handling phishing threats. This might involve actions like warning the affected user, blocking suspicious emails, or securing accounts to prevent further issues.
- If the alert is malware detected by CrowdStrike:
  The subflow sends the alert to a process for handling malware. This could involve isolating an infected device, notifying the security team, or starting an investigation to analyze the threat.
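
The routing decision described above, sketched in Python as an added example that is not part of the original workflow. The field names (alert_type, source), the route names and the manual_triage fallback are assumptions; the page itself defines only the two paths.

```python
# Added illustration; field names, route names and the fallback are assumptions.
from typing import Mapping

# (alert type, detecting tool) -> handling process, per the two paths described above.
ROUTES = {
    ("phishing", "outlook"): "phishing_response",
    ("malware", "crowdstrike"): "malware_response",
}
FALLBACK = "manual_triage"  # assumption: the page defines no default path


def _norm(value) -> str:
    """Lower-case and trim a field so ' CrowdStrike ' and 'crowdstrike' match."""
    return value.strip().lower() if isinstance(value, str) else ""


def route_alert(alert: Mapping) -> dict:
    """Pick the handling path from enriched alert details.

    Anything that does not match a known (type, tool) pair, including alerts
    with missing or non-string fields, goes to FALLBACK instead of being dropped.
    """
    key = (_norm(alert.get("alert_type")), _norm(alert.get("source")))
    return {"route": ROUTES.get(key, FALLBACK), "matched": key in ROUTES, "key": key}


# Constructed sample alerts, not real data.
SAMPLE_ALERTS = [
    {"id": "A-1", "alert_type": "Phishing", "source": "Outlook"},
    {"id": "A-2", "alert_type": "malware", "source": " CrowdStrike "},
    {"id": "A-3", "alert_type": "phishing", "source": "CrowdStrike"},  # unmapped pair
    {"id": "A-4", "source": "Outlook"},                                # missing type
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["id"], route_alert(a))
```

Alerts A-3 and A-4 show why a customized workflow needs an explicit default: a pair that matches neither path is still routed somewhere visible.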