A trigger is defined during the beginning phase of creating a playbook. It
specifies the instance for which a playbook must be triggered in case of an
alert detection. To add the trigger to a playbook, you must drag one of the
triggers to the Drag a Trigger over here box in the main pane.
The following triggers are supported:
All: every single alert for that environment
Alert Type: this value is created during processing as
the field Rule Generator, this can be configured when configuring a
connector
Product Name: alert coming from a product (connector)
Tag Name: Check whether Google Security Operations automatically
added a tag during ingestion and processing. Tags can be added from
SOAR Settings > Case Data > Tags.
Alert Trigger Value: runs according to predefined field
from connector (Google recommends using Custom Trigger instead)
Custom Trigger: Based on custom placeholders. Lets you
customize any match. For example, if alert name INCLUDES
Custom List: based on triggers defined in custom list in
settings
Network Name: Can define subnets in settings when there
is an entity in this subnet. Then, the playbook would run (so it will work on
alerts coming from those specific subnets.)
Add a trigger to a playbook
Create a new playbook.
Select triggers from the Step Selection menu.
Click Alert Type and drag it to the first step in the playbook.
Double-click on it to open a new Alert Type dialog.
Under Parameters, select either Equal, Contains, or
Starts With from the menu.
Select the required parameter from the menu. In this case, we have
chosen an alert type based on any alert that contains phishing email
detector.
Once you specify the trigger parameter and save it, the parameter name
appears in the description of the trigger.
You can now continue building the playbook with actions. For more information, see
Use actions in playbooks.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eTriggers are essential for defining when a playbook should be activated in response to an alert detection within Google SecOps.\u003c/p\u003e\n"],["\u003cp\u003eVarious supported trigger types include 'All', 'Alert Type', 'Product Name', 'Tag Name', 'Alert Trigger Value', 'Custom Trigger', 'Custom List', and 'Network Name', each offering specific conditions for playbook activation.\u003c/p\u003e\n"],["\u003cp\u003eAdding a trigger involves dragging the chosen trigger type from the Step Selection menu into the playbook and configuring it by specifying parameters like 'Equal', 'Contains', or 'Starts With' in the corresponding dialog.\u003c/p\u003e\n"],["\u003cp\u003eThe 'Custom Trigger' option enables advanced customization, allowing playbooks to be triggered based on specific criteria, such as whether an alert name includes a certain term.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003eAlert Type\u003c/code\u003e trigger allows users to define when the playbook should be run based on the type of alert, such as those containing \u003ccode\u003ephishing email detector\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Use triggers in playbooks\n=========================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nA trigger is defined during the beginning phase of creating a playbook. It\nspecifies the instance for which a playbook must be triggered in case of an\nalert detection. To add the trigger to a playbook, you must drag one of the\ntriggers to the **Drag a Trigger over here** box in the main pane.\n\nThe following triggers are supported:\n\n- **All**: every single alert for that environment\n- **Alert Type** : this value is created during processing as the field *Rule Generator*, this can be configured when configuring a connector\n- **Product Name**: alert coming from a product (connector)\n- **Tag Name** : Check whether Google Security Operations automatically added a tag during ingestion and processing. Tags can be added from **SOAR Settings \\\u003e Case Data \\\u003e Tags**.\n- **Alert Trigger Value** : runs according to predefined field from connector (Google recommends using **Custom Trigger** instead)\n- **Custom Trigger** : Based on custom placeholders. Lets you customize any match. For example, *if alert name INCLUDES*\n- **Custom List**: based on triggers defined in custom list in settings\n- **Network Name**: Can define subnets in settings when there is an entity in this subnet. Then, the playbook would run (so it will work on alerts coming from those specific subnets.)\n\nAdd a trigger to a playbook\n---------------------------\n\n1. Create a new playbook.\n2. Select triggers from the **Step Selection** menu.\n3. Click **Alert Type** and drag it to the first step in the playbook.\n4. Double-click on it to open a new **Alert Type** dialog.\n5. Under **Parameters** , select either **Equal** , **Contains** , or **Starts With** from the menu.\n6. Select the required parameter from the menu. In this case, we have chosen an alert type based on any alert that contains phishing email detector. \n Once you specify the trigger parameter and save it, the parameter name appears in the description of the trigger.\n\nYou can now continue building the playbook with actions. For more information, see [Use actions in playbooks](/chronicle/docs/soar/respond/working-with-playbooks/using-actions-in-playbooks).\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
