Trigger Variables for Automation
- Updated on 29 Mar 2024
Below is a list of the trigger conditions, related models, and variables available when creating an Automate Trigger.
Please note that these trigger conditions are different from the attributes used with playbooks. You can view the available playbook attributes by choosing “Show list” when editing your playbook. Please ensure there is no whitespace in the tags.
Note: Red Canary observes Daylight Saving Time (DST) except in Coordinated Universal Time (UTC).
threat_published
Trigger condition | Model | Variable |
threat_published | Threat | Severity |
threat_published | Threat | root_classification |
threat_published | Threat | Subclassifications |
threat_published | Threat | ioc_process_paths |
threat_published | Threat | ioc_process_names |
threat_published | Threat | ioc_process_md5s |
threat_published | Threat | ioc_network_domains |
threat_published | Threat | relevant_process_names |
threat_published | Endpoint | platform |
threat_published | Endpoint | endpoint_type |
threat_published | Endpoint | Hostname |
threat_published | Endpoint | short_hostname |
threat_published | Endpoint | sensor_group |
threat_published | Endpoint | reporting_tags |
threat_published | Endpoint | endpoint_status |
threat_published | Endpoint | decommissioned? |
threat_published | Endpoint | days_since_last_checkin |
threat_published | EndpointUser | Username |
threat_published | EndpointUser | username_without_domain |
threat_published | EndpointUser | Domain |
threat_published | EndpointUser | uid |
threat_published | EndpointUser | reporting_tags |
threat_published | CurrentTime | day_of_week_in_EST |
threat_published | CurrentTime | hour_of_day_in_EST |
threat_published | CurrentTime | day_of_week_in_MST |
threat_published | CurrentTime | hour_of_day_in_MST |
threat_published | CurrentTime | day_of_week_in_UTC |
threat_published | CurrentTime | hour_of_day_in_UTC |
threat_published | CurrentTime | day_of_week_in_PST |
threat_published | CurrentTime | hour_of_day_in_PST |
threat_published | CurrentTime | day_of_week_in_CST |
threat_published | CurrentTime | hour_of_day_in_CST |
threat_remediated
Trigger condition | Model | Variable |
threat_remediated | Threat | Severity |
threat_remediated | Threat | root_classification |
threat_remediated | Threat | Subclassifications |
threat_remediated | Threat | ioc_process_paths |
threat_remediated | Threat | ioc_process_names |
threat_remediated | Threat | ioc_process_md5s |
threat_remediated | Threat | ioc_network_domains |
threat_remediated | Threat | ioc_network_ips |
threat_remediated | Threat | relevant_process_names |
threat_remediated | Endpoint | Platform |
threat_remediated | Endpoint | endpoint_type |
threat_remediated | Endpoint | Hostname |
threat_remediated | Endpoint | short_hostname |
threat_remediated | Endpoint | sensor_group |
threat_remediated | Endpoint | reporting_tags |
threat_remediated | Endpoint | endpoint_status |
threat_remediated | Endpoint | decommissioned? |
threat_remediated | Endpoint | days_since_last_checkin |
threat_remediated | EndpointUser | days_since_last_checkin |
threat_remediated | EndpointUser | username |
threat_remediated | EndpointUser | username_without_domain |
threat_remediated | EndpointUser | Domain |
threat_remediated | EndpointUser | uid |
threat_remediated | EndpointUser | reporting_tags |
threat_remediated | CurrentTime | day_of_week_in_EST |
threat_remediated | CurrentTime | hour_of_day_in_EST |
threat_remediated | CurrentTime | day_of_week_in_MST |
threat_remediated | CurrentTime | hour_of_day_in_MST |
threat_remediated | CurrentTime | day_of_week_in_UTC |
threat_remediated | CurrentTime | hour_of_day_in_UTC |
threat_remediated | CurrentTime | day_of_week_in_PST |
threat_remediated | CurrentTime | hour_of_day_in_PST |
threat_remediated | CurrentTime | day_of_week_in_CST |
threat_remediated | CurrentTime | hour_of_day_in_CST |
threat_not_remediated
Trigger condition | Model | Variable |
threat_not_remediated | Threat | Severity |
threat_not_remediated | Threat | root_classification |
threat_not_remediated | Threat | subclassifications |
threat_not_remediated | Threat | ioc_process_paths |
threat_not_remediated | Threat | ioc_process_names |
threat_not_remediated | Threat | ioc_process_md5s |
threat_not_remediated | Threat | ioc_network_domains |
threat_not_remediated | Threat | ioc_network_ips |
threat_not_remediated | Threat | relevant_process_names |
threat_not_remediated | Endpoint | Platform |
threat_not_remediated | Endpoint | endpoint_type |
threat_not_remediated | Endpoint | Hostname |
threat_not_remediated | Endpoint | short_hostname |
threat_not_remediated | Endpoint | sensor_group |
threat_not_remediated | Endpoint | reporting_tags |
threat_not_remediated | Endpoint | endpoint_status |
threat_not_remediated | Endpoint | decommissioned? |
threat_not_remediated | Endpoint | days_since_last_checkin |
threat_not_remediated | EndpointUser | Username |
threat_not_remediated | EndpointUser | username_without_domain |
threat_not_remediated | EndpointUser | Domain |
threat_not_remediated | EndpointUser | Uid |
threat_not_remediated | EndpointUser | reporting_tags |
threat_not_remediated | CurrentTime | day_of_week_in_EST |
threat_not_remediated | CurrentTime | hour_of_day_in_EST |
threat_not_remediated | CurrentTime | day_of_week_in_MST |
threat_not_remediated | CurrentTime | hour_of_day_in_MST |
threat_not_remediated | CurrentTime | day_of_week_in_UTC |
threat_not_remediated | CurrentTime | hour_of_day_in_UTC |
threat_not_remediated | CurrentTime | day_of_week_in_PST |
threat_not_remediated | CurrentTime | hour_of_day_in_PST |
threat_not_remediated | CurrentTime | day_of_week_in_CST |
threat_not_remediated | CurrentTime | hour_of_day_in_CST |
threat_acknowledged
Trigger condition | Model | Variable |
threat_acknowledged | Threat | Severity |
threat_acknowledged | Threat | root_classification |
threat_acknowledged | Threat | subclassifications |
threat_acknowledged | Threat | ioc_process_paths |
threat_acknowledged | Threat | ioc_process_names |
threat_acknowledged | Threat | ioc_process_md5s |
threat_acknowledged | Threat | ioc_network_domains |
threat_acknowledged | Threat | ioc_network_ips |
threat_acknowledged | Threat | relevant_process_names |
threat_acknowledged | Endpoint | Platform |
threat_acknowledged | Endpoint | endpoint_type |
threat_acknowledged | Endpoint | Hostname |
threat_acknowledged | Endpoint | short_hostname |
threat_acknowledged | Endpoint | sensor_group |
threat_acknowledged | Endpoint | reporting_tags |
threat_acknowledged | Endpoint | endpoint_status |
threat_acknowledged | Endpoint | decommissioned? |
threat_acknowledged | Endpoint | days_since_last_checkin |
threat_acknowledged | EndpointUser | Username |
threat_acknowledged | EndpointUser | username_without_domain |
threat_acknowledged | EndpointUser | Domain |
threat_acknowledged | EndpointUser | Uid |
threat_acknowledged | EndpointUser | reporting_tags |
threat_acknowledged | CurrentTime | day_of_week_in_EST |
threat_acknowledged | CurrentTime | hour_of_day_in_EST |
threat_acknowledged | CurrentTime | day_of_week_in_MST |
threat_acknowledged | CurrentTime | hour_of_day_in_MST |
threat_acknowledged | CurrentTime | day_of_week_in_UTC |
threat_acknowledged | CurrentTime | hour_of_day_in_UTC |
threat_acknowledged | CurrentTime | day_of_week_in_PST |
threat_acknowledged | CurrentTime | hour_of_day_in_PST |
threat_acknowledged | CurrentTime | day_of_week_in_CST |
threat_acknowledged | CurrentTime | hour_of_day_in_CST |
audit_log_created
Trigger condition | Model | Variable |
audit_log_created | AuditLog | Description |
audit_log_created | AuditLog | by_user_id |
audit_log_created | AuditLog | action |
audit_log_created | CurrentTime | day_of_week_in_EST |
audit_log_created | CurrentTime | hour_of_day_in_EST |
audit_log_created | CurrentTime | day_of_week_in_MST |
audit_log_created | CurrentTime | hour_of_day_in_MST |
audit_log_created | CurrentTime | day_of_week_in_UTC |
audit_log_created | CurrentTime | hour_of_day_in_UTC |
audit_log_created | CurrentTime | day_of_week_in_PST |
audit_log_created | CurrentTime | hour_of_day_in_PST |
audit_log_created | CurrentTime | day_of_week_in_CST |
audit_log_created | CurrentTime | hour_of_day_in_CST |
activity_monitor_match_found
Trigger condition | Model | Variable |
activity_monitor_match_found | CurrentTime | day_of_week_in_EST |
activity_monitor_match_found | CurrentTime | hour_of_day_in_EST |
activity_monitor_match_found | CurrentTime | day_of_week_in_MST |
activity_monitor_match_found | CurrentTime | hour_of_day_in_MST |
activity_monitor_match_found | CurrentTime | day_of_week_in_UTC |
activity_monitor_match_found | CurrentTime | hour_of_day_in_UTC |
activity_monitor_match_found | CurrentTime | day_of_week_in_PST |
activity_monitor_match_found | CurrentTime | hour_of_day_in_PST |
activity_monitor_match_found | CurrentTime | day_of_week_in_CST |
activity_monitor_match_found | CurrentTime | hour_of_day_in_CST |
endpoint_status_changed
Trigger condition | Model | Variable |
endpoint_status_changed | Endpoint | Platform |
endpoint_status_changed | Endpoint | endpoint_type |
endpoint_status_changed | Endpoint | Hostname |
endpoint_status_changed | Endpoint | short_hostname |
endpoint_status_changed | Endpoint | sensor_group |
endpoint_status_changed | Endpoint | endpoint_status |
endpoint_status_changed | Endpoint | decommissioned? |
endpoint_status_changed | Endpoint | days_since_last_checkin |
endpoint_status_changed | EndpointUser | Username |
endpoint_status_changed | EndpointUser | username_without_domain |
endpoint_status_changed | EndpointUser | Domain |
endpoint_status_changed | EndpointUser | Uid |
endpoint_status_changed | EndpointUser | reporting_tags |
endpoint_status_changed | CurrentTime | day_of_week_in_EST |
endpoint_status_changed | CurrentTime | hour_of_day_in_EST |
endpoint_status_changed | CurrentTime | day_of_week_in_MST |
endpoint_status_changed | CurrentTime | hour_of_day_in_MST |
endpoint_status_changed | CurrentTime | day_of_week_in_UTC |
endpoint_status_changed | CurrentTime | hour_of_day_in_UTC |
endpoint_status_changed | CurrentTime | day_of_week_in_PST |
endpoint_status_changed | CurrentTime | hour_of_day_in_PST |
endpoint_status_changed | CurrentTime | day_of_week_in_CST |
endpoint_status_changed | CurrentTime | hour_of_day_in_CST |
note_added_to_threat
Trigger condition | Model | Variable |
note_added_to_threat | CurrentTime | day_of_week_in_EST |
note_added_to_threat | CurrentTime | hour_of_day_in_EST |
note_added_to_threat | CurrentTime | day_of_week_in_MST |
note_added_to_threat | CurrentTime | hour_of_day_in_MST |
note_added_to_threat | CurrentTime | day_of_week_in_UTC |
note_added_to_threat | CurrentTime | hour_of_day_in_UTC |
note_added_to_threat | CurrentTime | day_of_week_in_PST |
note_added_to_threat | CurrentTime | hour_of_day_in_PST |
note_added_to_threat | CurrentTime | day_of_week_in_CST |
note_added_to_threat | CurrentTime | hour_of_day_in_CST |
endpoint_days_since_last_checkin
Trigger condition | Model | Variable |
endpoint_days_since_last_checkin | Endpoint | Platform |
endpoint_days_since_last_checkin | Endpoint | endpoint_type |
endpoint_days_since_last_checkin | Endpoint | Hostname |
endpoint_days_since_last_checkin | Endpoint | short_hostname |
endpoint_days_since_last_checkin | Endpoint | sensor_group |
endpoint_days_since_last_checkin | Endpoint | endpoint_status |
endpoint_days_since_last_checkin | Endpoint | decommissioned? |
endpoint_days_since_last_checkin | Endpoint | days_since_last_checkin |
new_ioc_created
Trigger condition | Model | Variable |
new_ioc_created | Indicator | Path |
new_ioc_created | Indicator | Domain |
new_ioc_created | Indicator | Ip |
new_ioc_created | Indicator | Md5 |
new_ioc_created | Indicator | Sha256 |
new_ioc_created | Indicator | Sha1 |
new_ioc_created | Indicator | Type |
new_ioc_created | Threat | Severity |
new_ioc_created | Threat | root_classification |
new_ioc_created | Threat | Subclassifications |
new_ioc_created | Threat | ioc_process_paths |
new_ioc_created | Threat | ioc_process_names |
new_ioc_created | Threat | ioc_process_md5s |
new_ioc_created | Threat | ioc_network_domains |
new_ioc_created | Threat | ioc_network_ips |
new_ioc_created | Threat | relevant_process_names |
new_ioc_created | Endpoint | Platform |
new_ioc_created | Endpoint | endpoint_type |
new_ioc_created | Endpoint | Hostname |
new_ioc_created | Endpoint | short_hostname |
new_ioc_created | Endpoint | sensor_group |
new_ioc_created | Endpoint | reporting_tags |
new_ioc_created | Endpoint | endpoint_status |
new_ioc_created | Endpoint | decommissioned? |
new_ioc_created | Endpoint | days_since_last_checkin |
new_ioc_created | EndpointUser | Username |
new_ioc_created | EndpointUser | username_without_domain |
new_ioc_created | EndpointUser | Domain |
new_ioc_created | EndpointUser | uid |
new_ioc_created | EndpointUser | Reporting_tags |
event_created
Trigger condition | Model | Variable |
event_created | Event | process_path |
event_created | Event | parent_process_path |
event_created | Event | pretty_command_line |
event_created | Event | publisher |
event_created | Event | process_md5 |
event_created | Event | process_sha256 |
event_created | Event | expected_impact |
event_created | Endpoint | Platform |
event_created | Endpoint | endpoint_type |
event_created | Endpoint | hostname |
event_created | Endpoint | short_hostname |
event_created | Endpoint | sensor_group |
event_created | Endpoint | reporting_tags |
event_created | Endpoint | endpoint_status |
event_created | Endpoint | decommissioned? |
event_created | Endpoint | days_since_last_checkin |
event_created | EndpointUser | Username |
event_created | EndpointUser | username_without_domain |
event_created | EndpointUser | domain |
event_created | EndpointUser | uid |
event_created | EndpointUser | reporting_tags |
external_alert_is_ingested
Trigger condition | Model | Variable |
external_alert_is_ingested | ExternalAlert | external_alert_source_alert_identifier |
external_alert_is_ingested | ExternalAlert | external_alert_source_alert_url |
external_alert_is_ingested | ExternalAlert | reported_severity |
external_alert_is_ingested | ExternalAlert | reported_classification |
external_alert_is_ingested | ExternalAlert | native_json_raw |
external_alert_is_ingested | ExternalAlert | native_email_raw |
external_alert_is_ingested | ExternalAlert | risk_score |
external_alert_is_ingested | ExternalAlert | responsible_reviewing_team |
external_alert_is_ingested | ExternalAlertSource | Name |
external_alert_is_ingested | ExternalAlertSourcePlatform | display_name |
external_alert_is_ingested | ExternalAlertSourcePlatform | display_category |
external_alert_validation_state_change
Trigger condition | Model | Variable |
external_alert_validation_state_change | ExternalAlert | validation_state |
external_alert_validation_state_change | ExternalAlert | external_alert_source_alert_identifier |
external_alert_validation_state_change | ExternalAlert | external_alert_source_alert_url |
external_alert_validation_state_change | ExternalAlert | reported_severity |
external_alert_validation_state_change | ExternalAlert | reported_classification |
external_alert_validation_state_change | ExternalAlert | native_json_raw |
external_alert_validation_state_change | ExternalAlert | native_email_raw |
external_alert_validation_state_change | ExternalAlert | risk_score |
external_alert_validation_state_change | ExternalAlert | responsible_reviewing_team |
external_alert_validation_state_change | ExternalAlertSource | Name |
external_alert_validation_state_change | ExternalAlertSourcePlatform | display_name |
external_alert_validation_state_change | ExternalAlertSourcePlatform | display_category |
external_alert_hasnt_been_correlated_for_24_hours
Trigger condition | Model | Variable |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | external_alert_source_alert_identifier |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | reported_severity |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | reported_classification |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | native_json_raw |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | native_email_raw |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | risk_score |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | responsible_reviewing_team |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSource | Name |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSourcePlatform | display_name |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSourcePlatform | display_category |
external_alert_responsible_reviewing_team_changed
Trigger condition | Model | Variable |
external_alert_responsible_reviewing_team_changed | ExternalAlert | external_alert_source_alert_identifier |
external_alert_responsible_reviewing_team_changed | ExternalAlert | external_alert_source_alert_url |
external_alert_responsible_reviewing_team_changed | ExternalAlert | reported_severity |
external_alert_responsible_reviewing_team_changed | ExternalAlert | reported_classification |
external_alert_responsible_reviewing_team_changed | ExternalAlert | native_json_raw |
external_alert_responsible_reviewing_team_changed | ExternalAlert | native_email_raw |
external_alert_responsible_reviewing_team_changed | ExternalAlert | risk_score |
external_alert_responsible_reviewing_team_changed | ExternalAlert | responsible_reviewing_team |
external_alert_responsible_reviewing_team_changed | ExternalAlertSource | Name |
external_alert_responsible_reviewing_team_changed | ExternalAlertSourcePlatform | display_name |
external_alert_responsible_reviewing_team_changed | ExternalAlertSourcePlatform | display_category |