Customize when a Playbook is Run with Triggers
- Updated on 15 Jul 2024
Automation triggers define when automation playbooks run. A trigger starts from an event and can be narrowed by conditions. Each trigger can be linked to one or more playbooks, so both triggers and playbooks are reusable across use cases.
Create a trigger
Click Configure new Trigger and select the event you want to start with.
Adjust the trigger’s name to describe your use case. Customize the conditions to meet your use case. Keep in mind that certain fields will only be available for certain events.
Click Save.
Triggers are active by default. Click the Active slider to deactivate the trigger and prevent it from firing, or click the icon to permanently delete the trigger.
Note: Red Canary observes Daylight Saving Time (DST); the exception is Coordinated Universal Time (UTC), which has no DST. Keep this in mind when writing Time conditions.
How do condition matchers work?
Each trigger condition has a matcher that determines how the field's value is compared with the value you select or enter. Values are compared exactly, so make sure tags contain no whitespace. For fields that hold one of a known set of values, one of the following matchers may be available:

| Matcher | Match |
| --- | --- |
| is one of | Matches if the field is one of the values selected. |
| is not one of | Matches if the field is not one of the values selected. |
| is | Matches if the field is the same as the selected value. |
| is not | Matches if the field is not the same as the selected value. |
For fields that hold a list drawn from a known set of values, one of the following matchers should be available:

| Matcher | Match |
| --- | --- |
| includes any of | Matches if at least one of the field values is the same as one of the selected values. |
| does not contain any of | Matches if none of the field values is the same as any of the selected values. |
For fields that hold a list of free-text values, one of the following matchers should be available:

| Matcher | Match |
| --- | --- |
| contain | Matches if at least one of the field values contains the entered text. |
| does not contain | Matches if none of the field values contains the entered text. |
For fields with text values, one of the following matchers should be available:

| Matcher | Match |
| --- | --- |
| starts with | Matches if the field starts with the entered text. |
| starts with one of | Matches if the field starts with any of the comma-separated values. Note: spaces after the commas are accepted. |
| ends with | Matches if the field ends with the entered text. |
| matches wildcard | Matches if the field matches the entered value using filename wildcard syntax. Note: the pattern must be enclosed in asterisks (`*`). |
| does not match wildcard | Matches if the field does not match the entered value using filename wildcard syntax. Note: the pattern must be enclosed in asterisks (`*`). |
| includes all of | Matches if the field includes every one of the entered values. |
For numeric fields, one of the following matchers should be available:

| Matcher | Match |
| --- | --- |
| is greater than | Matches if the field is greater than the entered value. |
| is less than | Matches if the field is less than the entered value. |
When you select the event When an Intelligence Profile is added to a Threat, conditions can be set on the following:
- Threat
- Intelligence profile
- Endpoint
- Identity
- Time
- Subdomain
Any associated triggers will fire and execute the connected playbook. The executed playbook is aware of the updated threat as well as the added intelligence profile.
Note: A trigger is re-evaluated continuously and keeps firing for 60 days after its condition first matched; after that it stops firing even if the condition still holds. This mainly affects playbooks that auto-decommission endpoints after a set period: make sure the triggering action is resolved by day 59 so the playbook runs before the limit is reached.
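To make the matcher semantics and the 60-day firing window concrete, here is an added reference model (not Red Canary's implementation) that encodes the matchers from the tables above and evaluates a constructed "Intelligence Profile added to a Threat" event against a set of conditions. The field names, the sample event, the use of `fnmatch` for "filename wildcard syntax", and the reading of "includes all of" as every comma-separated entry appearing in the field are assumptions made for illustration.

```python
"""Reference model of the trigger condition matchers described on this page.

Added example, not Red Canary's code: it encodes the matcher semantics from
the tables above so a condition set can be sanity-checked against a
constructed event before it is wired to a playbook.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

FIRING_WINDOW = timedelta(days=60)  # a trigger stops firing 60 days after its initial match


def split_entered(text):
    """Split a comma-separated entry; spaces after the commas are accepted."""
    return [part.strip() for part in text.split(",") if part.strip()]


def matches(matcher, field, arg):
    """Apply one matcher from the tables above.

    field: a scalar (str/number) or a list of values, depending on the field.
    arg:   the selected value(s) or the entered text for that matcher.
    List values are compared exactly, which is why tags must carry no whitespace.
    """
    values = field if isinstance(field, list) else [field]
    if matcher == "is one of":
        return field in arg
    if matcher == "is not one of":
        return field not in arg
    if matcher == "is":
        return field == arg
    if matcher == "is not":
        return field != arg
    if matcher == "includes any of":
        return any(v in arg for v in values)
    if matcher == "does not contain any of":
        return not any(v in arg for v in values)
    if matcher == "contain":
        return any(arg in v for v in values)
    if matcher == "does not contain":
        return not any(arg in v for v in values)
    if matcher == "starts with":
        return field.startswith(arg)
    if matcher == "starts with one of":
        return any(field.startswith(p) for p in split_entered(arg))
    if matcher == "ends with":
        return field.endswith(arg)
    if matcher == "matches wildcard":
        # "filename wildcard syntax" is modelled with fnmatch (assumption);
        # the page says the pattern must be enclosed in asterisks, e.g. *corp.example*
        return fnmatchcase(field, arg)
    if matcher == "does not match wildcard":
        return not fnmatchcase(field, arg)
    if matcher == "includes all of":
        # Assumed semantics: every comma-separated entered value appears in the field text
        return all(p in field for p in split_entered(arg))
    if matcher == "is greater than":
        return field > arg
    if matcher == "is less than":
        return field < arg
    raise ValueError(f"unknown matcher: {matcher}")


def conditions_match(conditions, event):
    """A trigger fires only when every one of its conditions matches the event."""
    return all(matches(m, event[field], arg) for field, m, arg in conditions)


def trigger_fires(conditions, event, now, first_matched_at=None):
    """Evaluate a trigger while honouring the 60-day limit noted above.

    first_matched_at: when the condition first became true for this object
    (None if it never has). Once FIRING_WINDOW has elapsed the trigger no
    longer fires even though the conditions still hold.
    """
    if first_matched_at is not None and now - first_matched_at >= FIRING_WINDOW:
        return False
    return conditions_match(conditions, event)


# Constructed sample event for "When an Intelligence Profile is added to a Threat";
# the field names are illustrative, not Red Canary's schema.
EVENT = {
    "threat.classification": "Malicious Software",
    "intelligence_profile.name": "Example Profile",
    "endpoint.hostname": "WKSTN-0042.corp.example",
    "endpoint.tags": ["finance", "laptop"],
    "identity.username": "jdoe",
    "threat.detection_count": 3,
}

# A trigger is a list of (field, matcher, argument) conditions that must all hold.
TRIGGER = [
    ("threat.classification", "is one of", ["Malicious Software", "Suspicious Activity"]),
    ("endpoint.hostname", "matches wildcard", "*corp.example*"),
    ("endpoint.tags", "includes any of", ["finance", "executive"]),
    ("identity.username", "starts with one of", "jdoe, svc_"),
    ("threat.detection_count", "is greater than", 1),
]


def fires_after(days, conditions=TRIGGER, event=EVENT):
    """Does the trigger still fire `days` days after its initial match?"""
    first = datetime(2024, 7, 15, tzinfo=timezone.utc)  # constructed initial-match time
    return trigger_fires(conditions, event, first + timedelta(days=days), first)


if __name__ == "__main__":
    print(fires_after(0), fires_after(59), fires_after(60))  # True True False
```

The last line is the practical point of the note above: a playbook that decommissions an endpoint "after 60 days" never runs, because the trigger has already stopped being evaluated; schedule it for day 59 or earlier.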
Create a playbook with a trigger
Click Connect Playbook next to any trigger.
Click Create a new Playbook.
Note: This may take some time; a "Loading automation triggers & playbooks" message displays while it does.
Click the new playbook to begin editing.
Enter a name and description for the playbook (these changes will save automatically).
Playbooks are active by default. Click the Active slider to deactivate the playbook and prevent it from executing, or click the icon to permanently delete the playbook.
Manually trigger a playbook
Automation playbooks are designed to be executed by triggers or manual execution. There are many use cases for manual execution, including testing a new playbook to ensure it works as expected and executing certain remediation playbooks that should only be triggered by your team.
Playbooks can be executed against any of the threats, endpoints, and endpoint users in Red Canary. You can manually execute a playbook by selecting an object that you’d like to execute against.
When viewing any playbook, click Run.
Select an object type to execute against.
Select an object of that type.
Click Run.
The playbook will begin executing. Click Follow along with the progress here in the resulting dialog to see the results.