CIPP Alert Triage Crate
What does the CIPP Alert Triage Crate do?
This Crate automatically processes alerts from CIPP (CyberDrain Improved Partner Portal) and routes them to the appropriate PSA ticketing boards. Alerts are filtered based on configurable exclusion lists for tenants and messages, and tickets are automatically created or updated in your PSA system. A configuration form unpacked with the Crate allows technicians to set up board mappings and exclusion rules per organization without modifying the workflow directly.
This Crate doesn't send email notifications to users or administrators or modify any configuration within CIPP itself. It won't automatically resolve or close tickets when alerts are cleared, manage CIPP API authentication or webhook security, or send email notifications to users or administrators.
How the Crate works
Automatically receives and processes CIPP alerts, kicked off via webhook trigger
Filter out specific tenants or message types from creating tickets with configurable exclusion lists
Route different alert types alerts to separate PSA boards: changes, updates, standards, scheduled tasks
Set up organization variables through a user-friendly form
Handles multiple alerts simultaneously for faster throughput
PSA note format
HTML
Halo PSA and Freshdesk — includes formatted headers and styled content
Plain text
All other PSAs — clean, readable text formatting
Workflow breakdown
The workflow can be started by two triggers:
CIPP Alert Triage - Form - Create or Update ORG Variables - A form trigger for configuring organization variables
CIPP Alert Triage - Webhook - Notifications - A webhook trigger that receives CIPP alert notifications
The workflow begins at the check_trigger_source task, which uses the noop action to determine how the workflow was triggered by checking if the form_trigger context variable is set to true.
If the workflow was triggered by the form, the flow transitions to the get_organization_variable task, which uses the Get Organization Variable action to look up an organization by searching for a
cipp_tenant_idvariable that matches the provided tenant name.If the get_organization_variable task finds a matching organization, the organization_id is published to the context and the flow continues to the run_org_variables_workflow task. If no matching organization is found, the parent organization ID is used instead and the flow still proceeds to the run_org_variables_workflow task. If the task fails, the flow transitions to the FAILURE task.
The run_org_variables_workflow task executes the [REWST - UTILITY] CIPP: Alert Triage - Create or Update ORG Variables subworkflow action, passing in the organization ID and various board configuration parameters for CIPP alerts, changes, general notifications, updates, scheduled tasks, and standards.
If the workflow was triggered by a webhook or other non-form trigger, the flow transitions from check_trigger_source to the filter_and_validate_alerts task, which uses the noop action to filter out alerts from excluded tenants and messages based on organization variables, normalize the alert data format, and validate that valid tenants exist in the payload.
If the filter_and_validate_alerts task determines there are valid tenants to process, the filtered and normalized alert body is published to the context and the flow transitions to the process_alerts task. If no valid tenants remain after filtering, the flow transitions to the no_valid_tenants_exit task.
The process_alerts task uses the [REWST - TASK] CIPP: Process Single Alert subworkflow action with a with-items configuration to iterate over each alert in the body with a concurrency of 2. Each alert is processed individually to create or update PSA tickets.
The no_valid_tenants_exit task uses the noop action to handle the case where all alerts were filtered out, publishing an empty output array before transitioning to the END task.
The FAILURE task uses the noop action as a centralized failure handler that collects errors from any failed upstream tasks before transitioning to the END task.
The END task uses the noop action to aggregate all results and prepare the final output. It compiles an automation_log by collecting all context variables that start with log_ and calculating an overall status code, success indicator, warnings, and errors.
The workflow completes by outputting the processed results in the output variable and the compiled automation_log containing status codes, success indicators, any warnings, errors, and detailed log entries from each task.
Crate prerequisites
Your PSA must be integrated with Rewst.
Your CIPP integration must successfully be set up in Rewst.
Unpack the CIPP Alert Triage Crate
Navigate to Crates > Crate Marketplace in the left side menu of the Rewst platform.
Search for
CIPP Alert Triage.Click on the Crate tile to begin unpacking.
Click Continue.
Click Unpack.
Use the form
This form should be used to create or update organization variables for the Crate.
Navigate to Automations > Assets > Forms in the left side menu of your Rewst platform.
Search for
[REWST] CIPP: Alert Triage - Create or Update ORG Variables.Click ⋮ > Usages > View Direct URLs.
Click on the link for the organization which contains the user you wish to manage. This will launch the form in a new tab.
Fill out the form as follows:
If running for parent organization:
Select the tenant names to exclude from alerts from the Do Not Alert Tenants drop-down selector.
Enter JSON array of message strings to exclude from alerts into the Do Not Alert Messages field - for example:
["Message1", "Message2"]
If running for child organization:
Choose the CIPP Tenant associated with the child organization to configure from the Select CIPP Tenant drop-down selector.
All fields under PSA Board IDs are optional. If any one of them is not provided, the default board for that alert type will be the value set for the organization's
psa_default_board_id.CIPP Updates Board ID - PSA board ID for alerts from the CIPP "Updates" API
CIPP Standards Board ID - PSA board ID for alerts from the CIPP "Standards" API
CIPP Alerts Board ID - PSA board ID for alerts from the CIPP "Alerts" API
CIPP Changes Board ID - PSA board ID for alerts from the CIPP "AddGroup" or "EditUser" API
CIPP Scheduled Task Board ID - PSA board ID for alerts from the CIPP "ScheduledTask" API
CIPP General Board ID - PSA board ID for any alerts not handled in previous fields
Click Submit.
Organization variables associated with this Crate
For more on organization variables and how to use them, see our org variable documentation here.
Organization variables not found in our standard organization variables documentation, such as the ones listed below. are typically system variables that are handled by integration mappings.
If you haven't done so already, we recommended that you run the Configure Organization Variables Crate, which will help you set org variables that are relevant to you and your customer's environments.
cipp_tenant_id
Created when the CIPP integration is configured. Maps CIPP tenant names to Rewst organization IDs for proper ticket routing
cipp_do_not_alert_tenants
JSON array of tenant names to exclude from alerting
cipp_do_not_alert_messages
JSON array of message strings to exclude from alerting
cipp_alerts_board_id
Optional PSA board ID for alert-type tickets
cipp_changes_board_id
Optional PSA board ID for change-type tickets - user edits, group additions
cipp_general_board_id
Optional PSA board ID for general/uncategorized tickets
cipp_updates_board_id
Optional PSA board ID for update notification tickets
cipp_scheduled_board_id
Optional PSA board ID for scheduled task tickets
cipp_standards_board_id
Optional PSA board ID for standards compliance tickets
Got an idea for a new Crate? Rewst is constantly adding new Crates to our Crate Marketplace. Submit your idea or upvote existing ideas here in our Canny feedback collector.
Last updated
Was this helpful?