Use triggers in playbooks

A trigger is defined at the beginning of building a playbook. It specifies which alerts cause the playbook to run; when a new alert matches the trigger, the playbook is attached to it and executes. To add a trigger to a playbook, drag one of the available triggers into the Drag a Trigger over here box in the main pane.

The following triggers are supported:

  • All: every alert in the environment.
  • Alert Type: matches the alert's Rule Generator field. This field is populated during processing and can be set when you configure a connector.
  • Product Name: matches alerts coming from a specific product (connector).
  • Tag Name: matches a tag that Google Security Operations added automatically during ingestion and processing. Tags are managed under SOAR Settings > Case Data > Tags.
  • Alert Trigger Value: matches a predefined field supplied by the connector. Google recommends using Custom Trigger instead.
  • Custom Trigger: based on custom placeholders, so you can match on any alert field. For example, if alert name INCLUDES
  • Custom List: matches alerts whose values appear in a custom list defined in settings.
  • Network Name: matches alerts that contain an entity in one of the subnets defined in settings, so the playbook runs only for alerts involving those subnets.

Add a trigger to a playbook

  1. Create a new playbook.
  2. Select Triggers from the Step Selection menu.
  3. Click Alert Type and drag it to the first step in the playbook.
  4. Double-click the step to open the Alert Type dialog.
  5. Under Parameters, select Equal, Contains, or Starts With from the menu.
  6. Enter the value to match. In this example, the trigger matches any alert whose Alert Type contains phishing email detector.
    Once you specify the trigger parameter and save it, the parameter value appears in the description of the trigger.
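To make the matching behaviour of the triggers concrete, the following Python script is a local model of how the All, Alert Type, Product Name, Tag Name, and Network Name triggers listed above select alerts, including the Alert Type example from the procedure. It is an added example, not code from the product or its documentation: the Alert and trigger structures, the constructed sample alerts, the corp-lan subnet, and the case-insensitive comparison are all assumptions made for illustration and do not reproduce Google Security Operations' own implementation.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed shape of an alert after ingestion (not the product's real schema).
@dataclass
class Alert:
    rule_generator: str                 # surfaced to triggers as "Alert Type"
    product: str                        # the connector / product name
    tags: set = field(default_factory=set)
    entities: list = field(default_factory=list)  # IPs or hostnames


# Constructed subnet definitions standing in for the Network Name settings.
NETWORKS = {
    "corp-lan": [ipaddress.ip_network("10.0.0.0/8")],
}


def match_text(value: str, operator: str, pattern: str) -> bool:
    """Equal / Contains / Starts With, compared case-insensitively (assumption)."""
    v, p = value.lower(), pattern.lower()
    if operator == "Equal":
        return v == p
    if operator == "Contains":
        return p in v
    if operator == "Starts With":
        return v.startswith(p)
    raise ValueError(f"unsupported operator: {operator}")


def entity_in_networks(entity: str, networks) -> bool:
    """True if the entity is an IP address inside one of the subnets.
    Hostnames and other non-IP entities never match a Network Name trigger."""
    try:
        ip = ipaddress.ip_address(entity)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def trigger_fires(alert: Alert, trigger: dict) -> bool:
    """Evaluate one trigger definition against one alert."""
    kind = trigger["kind"]
    if kind == "All":
        return True
    if kind == "Alert Type":
        return match_text(alert.rule_generator, trigger["op"], trigger["value"])
    if kind == "Product Name":
        return match_text(alert.product, "Equal", trigger["value"])
    if kind == "Tag Name":
        return trigger["value"] in alert.tags
    if kind == "Network Name":
        nets = NETWORKS.get(trigger["value"], [])
        return any(entity_in_networks(e, nets) for e in alert.entities)
    raise ValueError(f"unsupported trigger kind: {kind}")


def matching_alerts(alerts, trigger: dict) -> list:
    """Return the Alert Type of every alert the trigger would attach the playbook to."""
    return [a.rule_generator for a in alerts if trigger_fires(a, trigger)]


# Constructed sample alerts for demonstration only.
ALERTS = [
    Alert("Phishing Email Detector", "Gmail", {"phishing"}, ["10.1.2.3"]),
    Alert("Malware Detected", "CrowdStrike", set(), ["192.168.1.5"]),
    Alert("Suspicious Login", "Okta", {"identity"}, ["user-laptop"]),
]

if __name__ == "__main__":
    # The trigger configured in the procedure above: Alert Type contains "phishing email detector".
    t = {"kind": "Alert Type", "op": "Contains", "value": "phishing email detector"}
    print(matching_alerts(ALERTS, t))
    print(matching_alerts(ALERTS, {"kind": "Network Name", "value": "corp-lan"}))
```

Note the difference between the three operators: Contains with "phishing" matches the first alert, Starts With with "phishing" also matches it, but Equal with "phishing" matches nothing, because the full Alert Type is "Phishing Email Detector". Note also that the Network Name trigger only fires on entities that parse as IP addresses; a hostname entity is skipped rather than raising an error.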
You can now continue building the playbook with actions. For more information, see Use actions in playbooks.