Overview
Capture security incidents from chat, classify severity, create response records, and escalate urgent issues immediately. The operation is designed as a single agent-led workflow: every request is tracked, every decision is logged, and humans step in only when policy or risk requires it.
Request
A requester submits a cybersecurity incident reporting through Slack, Teams, or the Security Incident Report Form, creating a tracked request row.
Agent Triage
The agent confirms the request type, retrieves context from SIEM, incident queue, and on-call escalation, checks the relevant policy source, and asks for any missing details in chat.
Agent Resolution
Where policy permits, the agent completes low-severity reports with enough evidence for logging and containment guidance and records the outcome without waiting for manual handling.
Escalation
The agent escalates suspected compromise, data exposure, malware, phishing at scale, or unclear high-risk signals to the responsible owner with a decision summary and supporting context.
Human Resolution
An approver reviews the escalation in chat or the Incident Response Queue, then approves, rejects, or returns it for more information.
We’ve created this example workflow to help you get started building your own Cybersecurity Incident Reporting.
Agents
The Cybersecurity Incident Reporting agent manages intake, policy checks, tool actions, escalation, requester updates, and closure for this operation.
# Agent roleYou are the Cybersecurity Incident Reporting agent. You manage one request from intake to closure, using policy knowledge, approved tools, and human escalation when required.
# Inputs- request_id: the tracked request row- requester: the authenticated employee who submitted the request- summary: the user's description of what they need- business_justification: why the request is needed- target_system_or_record: the relevant application, record, customer, vendor, invoice, device, or account
# Instructions1. Confirm the requester is authenticated and that the request belongs to this operation.2. Gather missing details in Slack or Teams before taking action. Use connected systems to retrieve context first, then ask the requester only for details that cannot be found.3. Check the policy knowledge source before approving, rejecting, or escalating. Do not invent policy rules.4. Auto-resolve by following the operation-specific steps in `# Auto-resolution`. Do not stop at a recommendation if the required tool call is permitted and the response is unambiguous.5. Escalate when approval is required, risk is unclear, data conflicts, or the requested action is outside the agent's permissions.6. Update the request row and write an audit entry for every decision, tool action, escalation, and closure.7. Reply to the requester with a concise status update and next step.
# Tool use- Use {{ budibase.Cybersecurity Incident Reporting Requests.get_row }} and {{ budibase.Cybersecurity Incident Reporting Requests.update_row }} to maintain request state.- Use {{ budibase.Cybersecurity Incident Reporting Audit Log.create_row }} to log decisions and actions.- Use notification tools only for requester updates, approver handoff, or operational escalation.
# Auto-resolution- Use {{ splunk.search_events }} to check related alerts, user activity, source IPs, and affected assets.- If the report is low severity and complete, use {{ jira.create_issue }} to create the incident record with severity, evidence, and containment notes.- Use {{ jira.update_issue }} to add the agent's classification, affected systems, and requester updates.- If severity is high, credentials may be compromised, or data exposure is suspected, use {{ pagerDuty.create_incident }} to page the on-call responder.- Reject or close duplicate reports only after linking them to the active incident record.
# OutputReturn JSON with request_id, status, decision, rationale, next_owner, and actions_taken.Data
Tables
Cybersecurity Incident Reporting Requests: Stores the request, requester, target record, status, current owner, decision, and closure details.
request_id: Text - Unique request identifier.requester: User - Authenticated employee who submitted the request.summary: Long Form Text - Short description of the request.target_record: Text - Relevant account, system, vendor, customer, asset, invoice, or application.status: Single Select - New, Triaging, Waiting, Escalated, Completed, Rejected, or Closed.priority: Single Select - Low, Medium, or High.decision: Single Select - Approved, Rejected, Escalated, or Cancelled.rationale: Long Form Text - Agent or approver explanation.created_at: Date - Request creation timestamp.closed_at: Date - Completion timestamp, if closed.
request_id,requester,summary,target_record,status,priority,decision,rationale,created_at,closed_atSEC-1048,emma.clarke@example.com,"Please process this cybersecurity incident reporting.","Example target",Escalated,High,Escalated,"Requires owner approval.",2026-05-18T09:15:00.000Z,Cybersecurity Incident Reporting Audit Log: Records agent decisions, tool calls, escalations, notifications, and human actions.
event_id: Text - Unique audit event identifier.request_id: Text - Related request identifier.actor: Text - Agent, requester, approver, or integration name.event_type: Single Select - Message, Tool Call, Decision, Escalation, Approval, Rejection, or Closure.details: JSON - Structured event details.created_at: Date - Event timestamp.
event_id,request_id,actor,event_type,details,created_atEVT-2048,SEC-1048,Cybersecurity Incident Reporting Agent,Escalation,"{""reason"":""Policy requires owner review""}",2026-05-18T09:18:00.000ZConnections
Slack: Receives security incident reports from employees, gathers missing incident details, and posts updates to the response team or requester.
Teams: Supports Teams-based incident intake and urgent response notifications for security, IT, or business owners.
Jira: Creates and updates the incident response ticket, including severity, assigned owner, investigation tasks, and closure status.
PagerDuty: Triggers on-call escalation for high-severity incidents that require immediate security or infrastructure response.
Splunk: Searches logs and alerts for related events, indicators, affected systems, and evidence needed to classify the incident.
Confluence: Provides incident response runbooks, severity definitions, escalation policy, and containment guidance.
Adding Knowledge
The agent uses Confluence or SharePoint as a knowledge source when policy guidance, approval thresholds, ownership rules, or standard operating procedures are needed. The agent retrieves the relevant policy before deciding whether to auto-resolve, reject, or escalate a request.
Screens
Cybersecurity Incident Reporting
Security Incident Report Form: A structured request screen for employees who need to provide required fields, attachments, or target record details that are awkward to collect in chat.
Incident Response Queue: A queue for approvers and operations owners to review escalated requests, see the agent’s rationale, and record a final decision.
Request Detail: A record view that shows request metadata, conversation history, audit events, tool outcomes, and final resolution.
Automations
Create Request Record: On Create Row - Sets the initial status, priority, timestamps, and default owner when a new request is submitted.
Invoke Cybersecurity Incident Reporting Agent: On Create Row - Sends the request context to the agent for triage and policy evaluation.
Escalation Reminder: On Update Row - Notifies the current approver when an escalated request has not moved within the expected review window.
Close Request Audit: On Update Row - Writes a final audit event and sends the requester a closure update when the request is completed, rejected, or cancelled.