
Workflows — Alert Automation

Workflows let you automate your response to security events. Define trigger conditions, and BleedWatch will automatically execute actions — sending notifications, forwarding to SIEM, or routing to specific channels based on severity, type, or source.

Concepts

Term        Definition
Trigger     The event that starts the workflow (e.g., finding.created, finding.severity_changed)
Condition   Filters that determine whether the workflow should fire (e.g., severity = critical, source = npm)
Action      What happens when the conditions are met (e.g., send a Slack notification, forward to SIEM, send an email)

Creating a Workflow

  1. Navigate to Alerts → Workflows
  2. Click + New Workflow
  3. Configure the three components:

Step 1: Choose a Trigger

Trigger Event               When It Fires
finding.created             A new finding is detected
finding.severity_changed    A finding's severity is upgraded or downgraded
finding.status_changed      A finding's status changes (e.g., open → resolved)
finding.resolved            A finding is marked as resolved
incident.created            A new cross-source incident is created
scan.completed              A scan cycle finishes
compliance.score_changed    A compliance framework score changes

Step 2: Define Conditions

Add one or more conditions to filter which events trigger the action:

  • Severity — Only fire for specific severity levels (e.g., critical + high)
  • Source — Only fire for specific finding sources (e.g., npm, Docker, dark web)
  • Type — Only fire for specific finding types (e.g., exposed-secret, vulnerable-dependency)
  • Status — Only fire for specific statuses (e.g., only new open findings)

Conditions use AND logic — all conditions must be true for the workflow to fire.

Step 3: Configure Actions

Action Type           Description
Slack notification    Send a formatted message to a Slack channel via webhook
Email notification    Send an email to specified recipients
Webhook               POST the event payload to a custom HTTP endpoint
SIEM forward          Forward the event to your configured SIEM integration
Splunk                Send directly to a Splunk HEC endpoint
Syslog                Forward via syslog (UDP/TCP/TLS) in CEF or JSON format

Each action includes the full event context: finding title, severity, source, asset, and a direct link to the finding in BleedWatch.

Managing Workflows

Enable / Disable

Toggle any workflow on or off without deleting it. Disabled workflows are preserved with all their configuration — useful for maintenance windows or temporary pauses.

Edit

Modify any component of an existing workflow (trigger, conditions, or actions). Changes take effect immediately.

Delete

Permanently remove a workflow. This action requires confirmation and cannot be undone.

Example Workflows

Critical Finding → Slack + PagerDuty

Trigger: finding.created
Conditions: Severity = Critical
Actions:

  1. Slack notification to #security-alerts
  2. Webhook to PagerDuty integration URL

Dark Web Credential Leak → Email CISO

Trigger: finding.created
Conditions: Source = dark web, Severity = Critical or High
Actions: Email to [email protected]

Compliance Score Drop → Slack

Trigger: compliance.score_changed
Conditions: (none — fires on any change)
Actions: Slack notification to #compliance-team

All Findings → Splunk

Trigger: finding.created
Conditions: (none — fires on all findings)
Actions: SIEM forward to Splunk HEC
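To make the matching semantics concrete (the AND logic from Step 2, and how the four example workflows above overlap on a single event), here is a small model of trigger/condition/action evaluation. This is an added illustration written for this page, not BleedWatch's own engine: the `Workflow` class, the `plan_actions` and `matching_workflows` helpers, the action labels, the CISO address and the sample events are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Workflow:
    """One automation rule: a trigger, AND-combined conditions, one or more actions."""
    name: str
    trigger: str                                                    # e.g. "finding.created"
    conditions: dict[str, set[str]] = field(default_factory=dict)   # event field -> allowed values
    actions: list[str] = field(default_factory=list)
    enabled: bool = True

    def matches(self, event: dict) -> bool:
        # A disabled workflow keeps its configuration but never fires.
        if not self.enabled or event.get("trigger") != self.trigger:
            return False
        # AND logic: every condition must hold. No conditions => every event of this trigger matches.
        return all(event.get(fld) in allowed for fld, allowed in self.conditions.items())


def matching_workflows(workflows: list[Workflow], event: dict) -> list[str]:
    """Names of every workflow that would fire for the event. More than one means duplicate delivery."""
    return [w.name for w in workflows if w.matches(event)]


def plan_actions(workflows: list[Workflow], event: dict) -> list[str]:
    """Flat list of the actions that would execute, in workflow order."""
    return [action for w in workflows if w.matches(event) for action in w.actions]


def disable(workflows: list[Workflow], name: str) -> list[Workflow]:
    """Non-destructive toggle: returns a copy of the list with the named workflow switched off."""
    return [Workflow(w.name, w.trigger, w.conditions, w.actions, enabled=(w.name != name))
            for w in workflows]


# The four example workflows from this page, encoded as data.
# Channel names are the page's; the email address is a constructed placeholder.
EXAMPLE_WORKFLOWS = [
    Workflow("Critical Finding -> Slack + PagerDuty", "finding.created",
             {"severity": {"critical"}},
             ["slack:#security-alerts", "webhook:pagerduty"]),
    Workflow("Dark Web Credential Leak -> Email CISO", "finding.created",
             {"source": {"dark web"}, "severity": {"critical", "high"}},
             ["email:ciso@example.com"]),
    Workflow("Compliance Score Drop -> Slack", "compliance.score_changed",
             {}, ["slack:#compliance-team"]),
    Workflow("All Findings -> Splunk", "finding.created",
             {}, ["siem:splunk-hec"]),
]

# Constructed sample events (not real findings).
DARK_WEB_CRITICAL = {"trigger": "finding.created", "severity": "critical",
                     "source": "dark web", "type": "exposed-secret", "status": "open"}
NPM_MEDIUM = {"trigger": "finding.created", "severity": "medium",
              "source": "npm", "type": "vulnerable-dependency", "status": "open"}
NPM_HIGH = {"trigger": "finding.created", "severity": "high",
            "source": "npm", "type": "exposed-secret", "status": "open"}
SCORE_CHANGE = {"trigger": "compliance.score_changed"}


if __name__ == "__main__":
    for label, event in [("dark web critical", DARK_WEB_CRITICAL), ("npm medium", NPM_MEDIUM),
                         ("npm high", NPM_HIGH), ("score change", SCORE_CHANGE)]:
        print(f"{label}: fires {matching_workflows(EXAMPLE_WORKFLOWS, event)}")
        print(f"  actions: {plan_actions(EXAMPLE_WORKFLOWS, event)}")
```

Note that the critical dark-web finding satisfies three of the four workflows at once, so the team receives Slack, PagerDuty, email and Splunk deliveries for one event. That is intended here, but the same overlap is what produces unwanted double notifications when a broad workflow and a narrow one (or an alert rule) both match; `matching_workflows` is the check to run when that happens. The `high` npm finding does not reach the CISO workflow because its `source` condition fails, even though its `severity` condition passes.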

Workflow vs Alert Rules

BleedWatch has two alert mechanisms:

Feature      Alert Rules (Alerts tab)            Workflows
Purpose      Simple notification delivery        Complex conditional automation
Conditions   Severity filter only                Multiple condition types (severity, source, type, status)
Actions      Single channel notification         Multiple concurrent actions
Use case     "Email me all critical findings"    "If a critical secret is found in npm, Slack the security team AND forward to Splunk"

Use Alert Rules for simple, single-channel notifications. Use Workflows when you need conditional logic or multiple actions per event.

Troubleshooting

Workflow Not Firing

  1. Verify the workflow is enabled (toggle is on)
  2. Check that the trigger event matches your expectation
  3. Review conditions — all conditions must be true (AND logic)
  4. Test the action destination (e.g., verify the Slack webhook URL is valid)

Duplicate Notifications

If you receive double notifications, check for overlapping workflows and alert rules. A finding can trigger both an alert rule and a workflow if both match.

Webhook Failing

Check the webhook URL in the workflow action. BleedWatch signs webhook payloads with HMAC-SHA256 — ensure your receiving endpoint validates the signature correctly. See Settings → SIEM for webhook signing details.
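The most common cause of a "failing" webhook is the receiver rejecting a valid signature because it recomputed the HMAC over something other than the raw request body. The following receiver-side check is an added example for this page, not BleedWatch's code: it assumes the signature is the hex-encoded HMAC-SHA256 of the raw body and that it arrives in a header named `X-BleedWatch-Signature`; the header name, the encoding, the shared secret and the sample payload are constructed here, so confirm the real values under Settings → SIEM before relying on them.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumptions for this example (not specified on this page): hex HMAC-SHA256 over the
# raw request body, carried in this header. Check Settings -> SIEM for the real details.
SIGNATURE_HEADER = "X-BleedWatch-Signature"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Sender side: the MAC is computed over the exact bytes that go on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute over the raw body and compare in constant time."""
    presented = headers.get(SIGNATURE_HEADER, "")
    expected = sign_payload(secret, body)
    # compare_digest avoids leaking how many leading characters matched via timing.
    return hmac.compare_digest(expected, presented)


def handle_webhook(secret: bytes, headers: dict, body: bytes) -> Optional[dict]:
    """Verify first, parse second: untrusted bytes are never decoded before the MAC check."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)


def verify_after_reparse(secret: bytes, headers: dict, body: bytes) -> bool:
    """The classic mistake: re-serialising the parsed JSON and signing that instead of the raw body.
    Whitespace or key order changes during the round trip and the MAC no longer matches."""
    reserialized = json.dumps(json.loads(body)).encode()
    return hmac.compare_digest(sign_payload(secret, reserialized),
                               headers.get(SIGNATURE_HEADER, ""))


# Constructed shared secret and payload; the link is a placeholder, not a real finding.
SECRET = b"constructed-shared-secret-for-example"
BODY = (b'{"event":"finding.created","finding":{"title":"Exposed API key in npm package",'
        b'"severity":"critical","source":"npm"},"link":"<finding URL placeholder>"}')
TAMPERED_BODY = BODY.replace(b'"critical"', b'"low"')
GOOD_HEADERS = {SIGNATURE_HEADER: sign_payload(SECRET, BODY)}


if __name__ == "__main__":
    print("genuine payload accepted:", verify_webhook(SECRET, GOOD_HEADERS, BODY))
    print("tampered payload accepted:", verify_webhook(SECRET, GOOD_HEADERS, TAMPERED_BODY))
    print("missing header accepted:", verify_webhook(SECRET, {}, BODY))
    print("re-serialised body accepted:", verify_after_reparse(SECRET, GOOD_HEADERS, BODY))
```

If your endpoint sits behind a framework that parses JSON before your handler runs, make sure it still exposes the original request bytes; otherwise every delivery fails verification exactly the way `verify_after_reparse` does, and the symptom looks like a bad webhook URL or secret.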

  • Alerts — Simple alert rule configuration
  • Settings — SIEM — Configure SIEM destinations
  • Incidents — View correlated incidents that workflows can trigger on