Workflow Actions
Actions define what Monitor does when a Workflow rule matches a detected threat. Multiple actions can be combined in a single rule.
Actions by Project Type
Available actions depend on your project type:
| Action | On-Premise | Cloud | Description |
|---|---|---|---|
| Log incident | Yes | Yes | Record the threat in the dashboard and logs without disrupting execution |
| Close app | Yes | No | Terminate the application immediately |
| Erase app data | Yes | No | Securely delete sensitive data from memory and disk before terminating |
| Block | No | Yes | Block the current HTTP request and return 403 Forbidden |
| Block session | No | Yes | Block all requests from this session ID |
| Block IP | No | Yes | Block all traffic from the source IP (added to Custom IP Blocklist) |
| Send notification | Yes | Yes | Alert via Slack or Webhook |
On-Premise Actions
Log Incident
Records the threat in the Cloud Panel and local logs. The application continues running normally. Use this for development, low-severity threats, and data collection before deciding which protections to enforce.
Close App
Immediately terminates the application. Use this for critical threats where continued execution is dangerous: debugger attached, tampering detected, jailbreak detected.
Erase App Data
Securely deletes sensitive data from memory and disk, then terminates the application. Use this for applications that handle financial data, credentials, or other sensitive information on compromised devices.
Cloud Actions
Log Incident
Records the threat in the Cloud Panel without blocking the request. The response is sent normally. Use this for monitoring new protections before enforcing, or for low-confidence detections you want to review.
Block
Blocks the current request and returns HTTP 403 Forbidden. The attacker receives a generic blocked response. Use this for confirmed attacks: SQL injection, XSS, path traversal, command injection.
Block Session
Blocks the current request and invalidates the entire session. All future requests with the same session ID are blocked. Use this for persistent attackers who try different payloads within the same session.
Block IP
Blocks the current request and adds the source IP address to the Custom IP Blocklist in the Firewall tab. All future traffic from this IP is blocked. Use this for repeated attacks or high-severity threats.
Combining Actions
You can select multiple actions in a single Workflow rule. They execute simultaneously when the rule matches.
Example for maximum protection on a SQL Injection rule:
IF: SQL Injection detected
THEN: Log incident
Block request
Block session
Block IP
Send notification (Slack + Webhook)
This logs the incident for forensic review, blocks the request, invalidates the attacker's session, bans their IP from all future traffic, and notifies your team via Slack and webhook.
Notifications
Slack
Connect your Slack workspace to receive real-time alerts when Workflow rules match. Each notification includes the threat type, severity, action taken, and origin information.
- Check the Slack checkbox on the rule
- Click Link Slack with ByteHide to authorize the integration
- Select the channel to receive alerts
Webhook
Send incident data to any HTTP endpoint. Monitor sends a POST request with the full incident payload when the rule matches.
- Check the Webhook checkbox on the rule
- Select a webhook endpoint from the dropdown (or create one)
Use webhooks to integrate with SIEM systems (Splunk, ELK, Datadog), ticketing platforms (Jira, ServiceNow, PagerDuty), or custom alerting pipelines.
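The page does not document the webhook payload schema, so the following receiver is an added example (not ByteHide's code) that assumes a JSON body with the fields a notification is said to carry: threat type, severity, action taken and origin. The field names (threat_type, severity, action, origin), the routing table and the sample payload are all constructed assumptions; adapt them to the real payload. It validates the body, rejects malformed input with a 400, and decides which downstream system (SIEM, ticketing, paging) should receive the alert based on severity.

```python
"""Minimal webhook receiver for Monitor Workflow notifications.

Added example, not ByteHide's code. The payload field names below are
ASSUMPTIONS based on the fields the page says a notification contains.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed routing table: severity -> downstream system for the alert.
ROUTING = {
    "critical": "pagerduty",
    "high": "jira",
    "medium": "siem",
    "low": "siem",
}

# Assumed payload fields (not confirmed by the page).
REQUIRED_FIELDS = ("threat_type", "severity", "action", "origin")


def parse_incident(raw: bytes) -> dict:
    """Decode and validate an incident payload; raises ValueError on bad input."""
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f"malformed payload: {exc}") from exc
    if not isinstance(data, dict):
        raise ValueError("payload must be a JSON object")
    missing = [field for field in REQUIRED_FIELDS if field not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return data


def route_incident(incident: dict) -> dict:
    """Pick a destination and build a one-line summary for the ticket or SIEM."""
    severity = str(incident["severity"]).lower()
    # Unknown severities go to the SIEM so they are reviewed rather than dropped.
    destination = ROUTING.get(severity, "siem")
    origin = incident.get("origin") or {}
    summary = (f"[{severity.upper()}] {incident['threat_type']} from "
               f"{origin.get('ip', 'unknown')} -> action: {incident['action']}")
    return {
        "destination": destination,
        "summary": summary,
        # True when Monitor already blocked the request/session/IP, so the
        # receiving team knows this is a post-hoc review rather than an open attack.
        "blocked": str(incident["action"]).lower().startswith("block"),
    }


class IncidentHandler(BaseHTTPRequestHandler):
    """Accepts the POST Monitor sends and forwards a routing decision."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            incident = parse_incident(body)
        except ValueError as exc:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(str(exc).encode("utf-8"))
            return
        decision = route_incident(incident)
        # Replace this print with the real SIEM/ticketing client call.
        print(f"forward to {decision['destination']}: {decision['summary']}")
        self.send_response(200)
        self.end_headers()


# Constructed sample payload for local testing; not a real Monitor message.
SAMPLE_PAYLOAD = json.dumps({
    "threat_type": "SQL Injection",
    "severity": "high",
    "action": "Block IP",
    "origin": {"ip": "203.0.113.7", "path": "/login"},
}).encode("utf-8")


if __name__ == "__main__":
    print(route_incident(parse_incident(SAMPLE_PAYLOAD)))
    HTTPServer(("127.0.0.1", 8080), IncidentHandler).serve_forever()
```

Run it locally and point a webhook endpoint at http://127.0.0.1:8080/ to see the routing decision printed for each matched rule; in production, put the receiver behind TLS and restrict which source addresses may reach it, since anything that can POST to it can inject fake incidents into your alerting pipeline.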
Related
For the full reference of all Monitor action types (including SDK-level actions like Custom and None), see Actions Overview.
Workflow Overview
Create and manage Workflow automation rules
Actions Overview
Full reference of all SDK and Cloud Dashboard action types
Advanced Configuration
Logging, anomaly detection, rate limiting, and debug mode