Summary
This workflow automates the processing of security alerts from SaaS Alerts into PSA tickets. The solution ingests alert events from the SaaS Alerts platform, evaluates severity and type, determines appropriate categorization and priority, creates tickets in the PSA system, assigns them to the relevant service board and team, and includes contextual information to accelerate resolution. By automating this process, the workflow ensures no SaaS security alerts are missed, maintains consistent ticket creation standards, and enables rapid response to threats such as unauthorized access, data exfiltration, suspicious sign-ins, and policy violations.
Usage
Prerequisites
Before using this workflow, ensure the following requirements are met:
- SaaS Alerts Integration: Configure the SaaS Alerts API integration in Rewst
- PSA Integration: For ticket creation with appropriate permissions
- Email Integration: For notifications
- Organizational Variables:
  - saas_alerts_severity_mapping: Map SaaS Alerts severity to PSA priority
  - saas_alerts_ticket_board: PSA service board for SaaS alert tickets
  - saas_alerts_auto_resolve_low: Auto-resolve low-severity alerts
  - saas_alerts_notification_recipients: Alert recipient emails
  - saas_alerts_dedup_window_hours: Deduplication window for repeat alerts
Workflow Inputs
| Parameter | Type | Required | Description |
|---|---|---|---|
| alert_id | String | Yes | SaaS Alerts alert identifier |
| alert_type | String | Yes | Type of alert (e.g., suspicious_login, data_exfiltration) |
| severity | String | Yes | Alert severity level |
| affected_user | String | Yes | User associated with the alert |
| company_id | String | Yes | PSA company ID |
| alert_details | Object | No | Full alert payload from SaaS Alerts |
| create_ticket | Boolean | No | Create PSA ticket. Default: true |
| auto_remediate | Boolean | No | Attempt automatic remediation. Default: false |
Execution
Event-Driven Trigger (Recommended)
- Webhook from SaaS Alerts triggers processing for each new alert
- Real-time processing ensures fastest response
Scheduled Processing
- Poll SaaS Alerts API for new alerts every 15-30 minutes
- Process alerts in batches
Processing Flow
- Alert Ingestion: Receive and parse SaaS Alerts event
- Deduplication: Check for existing tickets for the same alert
- Severity Mapping: Map alert severity to PSA priority levels
- Company Matching: Match affected organization to PSA company
- Context Enrichment: Add user details, device info, and location data
- Ticket Creation: Create PSA ticket with full alert context
- Assignment: Route ticket to appropriate board and team
- Remediation: Execute auto-remediation if enabled and applicable
- Notification: Alert security team for high-severity events
- Documentation: Log alert processing for audit
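The deduplication, severity-mapping and auto-resolve steps above, as an added Python example that is not part of the Rewst workflow itself. It assumes the organizational variables listed under Prerequisites hold the values shown, that the deduplication window is measured back from the incoming alert's timestamp, and that an unknown severity escalates to High rather than being dropped; the sample alert is constructed from the Returned Data payload.

```python
from datetime import datetime, timedelta

# Constructed organizational variables using the names from the Prerequisites section.
ORG_VARS = {
    "saas_alerts_severity_mapping": {"Critical": "Critical", "High": "High",
                                     "Medium": "Medium", "Low": "Low"},
    "saas_alerts_ticket_board": "Security Alerts",
    "saas_alerts_auto_resolve_low": True,
    "saas_alerts_dedup_window_hours": 24,
}

# Constructed sample alert, taken from the Returned Data example on this page.
SAMPLE_ALERT = {"alert_id": "SA-2026-12345", "alert_type": "suspicious_login",
                "severity": "High", "affected_user": "john.smith@company.com",
                "timestamp": "2026-03-04T14:30:00Z"}

def parse_ts(ts: str) -> datetime:
    # Timestamps in the sample payload are ISO-8601 with a trailing Z (UTC).
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def is_duplicate(alert: dict, existing: list[dict], window_hours: int) -> bool:
    """A repeat alert shares the alert_id of an existing ticket, or the same
    alert_type and affected_user within the deduplication window."""
    cutoff = parse_ts(alert["timestamp"]) - timedelta(hours=window_hours)
    for t in existing:
        if t["alert_id"] == alert["alert_id"]:
            return True
        same_kind = (t["alert_type"], t["affected_user"]) == (alert["alert_type"], alert["affected_user"])
        if same_kind and parse_ts(t["timestamp"]) >= cutoff:
            return True
    return False

def process_alert(alert: dict, existing_tickets: list[dict], org_vars: dict = ORG_VARS) -> dict:
    """Return a processing_results-style dict (see Returned Data) for one alert."""
    mapping = org_vars["saas_alerts_severity_mapping"]
    # Assumption: severities missing from the mapping escalate to High so nothing is silently dropped.
    priority = mapping.get(alert["severity"], "High")
    result = {"duplicate_found": False, "ticket_created": False, "psa_priority": priority,
              "psa_board": org_vars["saas_alerts_ticket_board"], "ticket_status": None,
              "notify_security_team": priority in ("High", "Critical")}
    if is_duplicate(alert, existing_tickets, org_vars["saas_alerts_dedup_window_hours"]):
        result["duplicate_found"] = True
        return result  # no second ticket for the same event
    result["ticket_created"] = True
    auto_close = org_vars["saas_alerts_auto_resolve_low"] and priority == "Low"
    result["ticket_status"] = "Resolved" if auto_close else "New"
    return result

if __name__ == "__main__":
    print(process_alert(SAMPLE_ALERT, []))
```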
Returned Data
```json
{
  "success": true,
  "alert_id": "SA-2026-12345",
  "alert_details": {
    "type": "suspicious_login",
    "severity": "High",
    "affected_user": "john.smith@company.com",
    "description": "Login from unusual location: Russia",
    "saas_application": "Microsoft 365",
    "source_ip": "203.0.113.50",
    "location": "Moscow, Russia",
    "timestamp": "2026-03-04T14:30:00Z"
  },
  "processing_results": {
    "duplicate_found": false,
    "ticket_created": true,
    "ticket_id": "SEC-2026-045",
    "psa_priority": "High",
    "psa_board": "Security Alerts",
    "assigned_team": "Security Operations"
  },
  "remediation": {
    "auto_remediated": true,
    "actions_taken": [
      "User session revoked",
      "Temporary sign-in block applied",
      "MFA challenge required on next login"
    ]
  },
  "notifications_sent": {
    "security_team": { "sent": true },
    "account_manager": { "sent": true }
  }
}
```
Changelog
2026-03-04
- Initial version of the document