![Untitled design (1)-Aug-01-2022-12-37-27-80-PM.png]](https://help.syscloud.com/hs-fs/hubfs/Untitled%20design%20(1)-Aug-01-2022-12-37-27-80-PM.png?height=40&name=Untitled%20design%20(1)-Aug-01-2022-12-37-27-80-PM.png){kind=small}
What are custom action flows and how do they help automate security, compliance, and change-response actions?
Action flows let you build automated response workflows that run when specific events or detections occur in your environment. Instead of manually investigating and remediating every alert, you can define:
- A trigger (what event should start the flow)
- Criteria (which severity/risk/category the event must match)
- One or more automated actions (what the system should do immediately)
- Optional notifications (who should be informed)
Action flows are designed to help administrators respond faster, reduce operational effort, and enforce consistent governance across users and data.
Supported environments
Action flows are available for:
- Google Workspace
- Microsoft 365
- QuickBooks Online
Feature areas that support action flows
Action flows can be configured under these add-ons:
- Ransomware
- Security & Compliance
- Data Change Insights
Key benefits
- Faster incident containment: Automatically restrict sharing or transfer ownership when high-risk content is detected.
- Reduced manual work: Standard remediation steps run automatically without requiring admin intervention each time.
- Consistent policy enforcement: Ensures the same actions are applied every time a trigger condition is met.
- Improved security posture: Limits data exposure by quickly removing external access or link sharing.
- Audit-friendly operations: Standardized actions and notifications make response processes more traceable.
Note: Action flows are only available to customers who have purchased any one of the following add-ons:
- Ransomware
- Security and compliance
- Data change insights
Action flow types, triggers, and supported actions:
1) Ransomware action flow
Use this action flow to automatically respond to ransomware-related detections.
Supported triggers
- Ransomware files
- Files encrypted
Supported actions
- Transfer ownership / Grant access
- Remove all sharing
- Remove link sharing
- Remove external sharing & collaborators
2) Compliance action flow
Use this action flow to automate remediation when content violates compliance policies.
Supported triggers
- All pre-defined compliance policies
- Custom compliance policies
Supported actions
- Transfer ownership / Grant access
- Remove all sharing
- Remove link sharing
- Remove external sharing & collaborators
- Place on hold
- Export items
- Dismiss
3) Data Change Insights (DCI) action flow
Use this action flow to respond to changes in content state and support export-based workflows.
Supported triggers
- Newly added
- Changed
- Deleted
Supported actions
- Export items
You can create multiple action flows for the same category (for example, separate ransomware action flows for High vs. Medium risk), each with different actions and notifications.