Escalate alerts which users have not responded to

In this Five Minute Flow, we walk through Escalate alerts which users have not responded to — a story from the Tines library that automates suspicious login triage by checking in with the affected user and escalating only when necessary.

---

What You'll See:

• Receive a suspicious login alert via webhook, carrying the user's email and IP address
• Email the affected user with two embedded links — one to confirm they recognise the activity, one to deny it
• Start a 5-minute countdown timer in parallel with the email send
• Capture the user's response through a Tines Page linked directly from the email
• Use a Deduplicate action to ensure only one outcome continues — whichever arrives first, the user's response or the timer expiring
• Route the story across three outcomes: user confirms, user denies, or no response received
• Close the Jira ticket if the user recognises the activity, or create a high-urgency PagerDuty incident if they deny it or don't respond

---

Perfect For:

• SOC analysts handling high volumes of login anomaly alerts who need a consistent, automated way to confirm or escalate without manual follow-up
• Detection & response teams looking to reduce noise by letting users self-triage before an incident is raised
• IT security teams who want a structured no-response escalation path that doesn't rely on analyst availability

---

Requirements:

• Integrations: Jira, PagerDuty
• Credentials: Jira API token, PagerDuty API key
• Resources: Jira domain URL, Jira username, Jira issue ID or key
• Setup: A configured Tines email action for sending user notifications; a Tines Page set to public visibility for capturing user responses
• Nice to know: Familiarity with Tines Event Transformation actions (Delay and Deduplicate) will help you customise the 5-minute timer or deduplication logic