A trigger is defined during the beginning phase of creating a playbook. It specifies the instance for which a playbook must be triggered in case of an alert detection. To add the trigger to a playbook, you must drag and drop one of the triggers to the yellow Drag Trigger box in the middle pane.
After dropping the trigger, its name and symbol appear on the Drag Trigger box.
The following Triggers are currently supported:
All: every single alert (for that environment)
Alert type: to choose from the rule generator of alert (one of the fields in the alert) from the SIEM drop down or choose your own)
Product name: alert coming from a product (connector)
Tag name: alert which has a tag name (connector can put a tag on the alert)
Alert Trigger value – (an old trigger) according to predefined field from connector the playbook would run
Custom Trigger – based on custom placeholders
Custom List – based on triggers defined in custom list in settings
Network Name – - can define subnets in settings when there is an entity in this subnet – then the playbook would run – (so will work on alerts coming from that specific subnets.)
To add a trigger:
- Click on Alert Type and drag it to the trigger box.
- Click on it to open a new Description popup window.
- Under Parameters, click the equals sign and select either Equals, Contains or Starts With option from the signs menu.
- Select the required parameter from the drop-down menu. In this case, we have chosen an Alert Type based on any alert that contains Suspected Malware Communication.
Note that once you specify the trigger parameter and save it, the parameter name appears as the title header of the Drag Trigger box and is non-editable.
- Click Save. The specified trigger parameter is saved and you return to the playbook page where you can define the next set of components (actions and/or flow) for the playbook.
Need more help with this?
Click here to open a Support ticket