SECOPS

Slack-Reported Phishing to Zendesk Case

Lets staff report a suspicious message from a Slack shortcut, auto-enriches any links and senders they paste.

CategorySecOps

Enginesim

Difficultyintermediate

Triggerevent

Steps6

Setup~15 min

How it runs

The automated pipeline, trigger to output.

TriggerPhishing-report shortcut submitted in SlackSlack
ActionNormalize pasted IOCs
ActionEnrich IOCs via threat-intel reputation APIHTTP webhook
ActionDraft incident summary and severityOpenAI
ActionCreate enriched security ticketZendesk
OutputConfirm to reporter with ticket linkSlack

What it does

Gives employees a one-click way to report phishing from inside Slack and turns each report into a fully enriched Zendesk ticket. The reporter answers a tiny form; everything else — IOC extraction, reputation lookup, severity, assignment — is automated.

When to use it

Use this when you want reporting to live where people already work (Slack) rather than a forwarded email, and you track security incidents in Zendesk. Ideal for orgs that want a low-friction "report it" habit without an inbox to babysit.

How it works

1A staff member triggers the phishing-report shortcut in Slack and submits sender, suspicious URL, and a note.
2A parsing step normalizes the pasted URL and sender into clean IOCs.
3The IOCs are enriched against a reputation lookup over an HTTP threat-intel endpoint.
4An LLM drafts a concise incident summary and assigns a severity.
5A Zendesk ticket is created with the summary, IOC table, and severity-based priority, routed to the security queue.
6The reporter gets a Slack confirmation with the ticket link.

Set it up

What you configure once, before turning it on.

1
Connect SlackChannels, DMs, threads, mentions.
2
Connect HTTP webhookTrigger any URL on agent actions.
3
Connect OpenAIModels, embeddings, files.
4
Connect ZendeskTickets, queues, knowledge base.
5
Set each agent's modelWe leave models unset so you pick the tier — fast + cheap, or top-quality.
6
Tune it to your dataEdit the prompts, filters, and field mappings so it matches how your team works.
7
Test, then turn it onRun once against a sample, confirm the output, then enable the trigger.

More SecOps workflows

Scheduled AWS Access-Key Age Sweep and Forced Rotation

Runs daily to find IAM access keys older than your policy threshold, deactivates the stale key, issues a fresh pair, and notifies the key owner with their replacement instructions.

Correlate Datadog WAF anomaly alert with Cloudflare evidence

When Datadog fires a WAF block-rate anomaly monitor, it pulls the matching Cloudflare firewall events, builds an evidence pack of top rules and ASNs.

Exposed-Secret Incident Triage and Remediation Agent

An agent-driven workflow that investigates a reported leaked secret end to end, decides revoke-versus-escalate, executes the rotation.

Non-Rotatable Leaked Secret to PagerDuty Escalation

Catches secret-scan hits for credentials that cannot be auto-rotated, gathers blast-radius context, and pages the on-call engineer with a step-by-step manual rotation runbook.

GitHub Secret-Scan Hit to Auto-Revoke and Rotate

When GitHub secret scanning flags a leaked credential in a repo, it auto-classifies the secret type, revokes the live key at the provider, mints a replacement.

Post-Revocation Verification and Audit Logging

After a key is revoked, it confirms the old credential actually fails, verifies the replacement works.

Browse all SecOps →

Run it inside a business

This workflow drops into a full company template. Import the org, and this is one of the playbooks its agents run.

Software

Agent Hive runs Agent Hive

The team that built Agent Hive, exactly as it runs today.

Marketing

Content Marketing Agency

SEO, blogs, social, and reporting on autopilot.

E-commerce

E-commerce Operator

Listings, support, inventory, and ads — running 24/7.

Browse all business templates →Solutions by industry →

Run this workflow in your colony.

14-day trial. No DevOps. No Sales call. Provisioned in under a minute.

Join the Waitlist Browse all workflows →