A trigger is defined during the beginning phase of creating a playbook. It
specifies the instance for which a playbook must be triggered in case of an
alert detection. To add the trigger to a playbook, you must drag one of the
triggers to the Drag a Trigger over here box in the main pane.
The following triggers are supported:
All: every single alert for that environment
Alert Type: this value is created during processing as
the field Rule Generator, this can be configured when configuring a
connector
Product Name: alert coming from a product (connector)
Tag Name: Check whether Google Security Operations automatically
added a tag during ingestion and processing. Tags can be added from
SOAR Settings > Case Data > Tags.
Alert Trigger Value: runs according to predefined field
from connector (Google recommends using Custom Trigger instead)
Custom Trigger: Based on custom placeholders. Lets you
customize any match. For example, if alert name INCLUDES
Custom List: based on triggers defined in custom list in
settings
Network Name: Can define subnets in settings when there
is an entity in this subnet. Then, the playbook would run (so it will work on
alerts coming from those specific subnets.)
Add a trigger to a playbook
Create a new playbook.
Select triggers from the Step Selection menu.
Click Alert Type and drag it to the first step in the playbook.
Double-click on it to open a new Alert Type dialog.
Under Parameters, select either Equal, Contains, or
Starts With from the menu.
Select the required parameter from the menu. In this case, we have
chosen an alert type based on any alert that contains phishing email
detector.
Once you specify the trigger parameter and save it, the parameter name
appears in the description of the trigger.
You can now continue building the playbook with actions. For more information, see
Use actions in playbooks.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["Triggers are essential for defining when a playbook should be activated in response to an alert detection within Google SecOps."],["Various supported trigger types include 'All', 'Alert Type', 'Product Name', 'Tag Name', 'Alert Trigger Value', 'Custom Trigger', 'Custom List', and 'Network Name', each offering specific conditions for playbook activation."],["Adding a trigger involves dragging the chosen trigger type from the Step Selection menu into the playbook and configuring it by specifying parameters like 'Equal', 'Contains', or 'Starts With' in the corresponding dialog."],["The 'Custom Trigger' option enables advanced customization, allowing playbooks to be triggered based on specific criteria, such as whether an alert name includes a certain term."],["The `Alert Type` trigger allows users to define when the playbook should be run based on the type of alert, such as those containing `phishing email detector`."]]],[]]
