Trigger Variables for Automation
- Updated on 19 Nov 2024
Below is a list of the trigger conditions, related models, and variables available when creating an Automate Trigger.
Please note that these trigger conditions are different from the attributes used with playbooks. You can view the available playbook attributes by choosing “Show list” when editing your playbook. Please ensure there is no whitespace in the tags.
Note: Red Canary leverages the standard Rails timezones.
threat_published | ||
Trigger condition | Model | Variable |
threat_published | Threat | Severity |
threat_published | Threat | root_classification |
threat_published | Threat | Subclassifications |
threat_published | Threat | ioc_process_paths |
threat_published | Threat | ioc_process_names |
threat_published | Threat | ioc_process_md5s |
threat_published | Threat | ioc_network_domains |
threat_published | Threat | relevant_process_names |
threat_published | Endpoint | platform |
threat_published | Endpoint | endpoint_type |
threat_published | Endpoint | Hostname |
threat_published | Endpoint | short_hostname |
threat_published | Endpoint | sensor_group |
threat_published | Endpoint | reporting_tags |
threat_published | Endpoint | endpoint_status |
threat_published | Endpoint | decommissioned? |
threat_published | Endpoint | days_since_last_checkin |
threat_published | EndpointUser | Username |
threat_published | EndpointUser | username_without_domain |
threat_published | EndpointUser | Domain |
threat_published | EndpointUser | uid |
threat_published | EndpointUser | reporting_tags |
threat_published | CurrentTime | day_of_week_in_<timezone> |
threat_published | CurrentTime | hour_of_day_in_<timezone> |
threat_remediated | ||
Trigger condition | Model | Variable |
threat_remediated | Threat | Severity |
threat_remediated | Threat | root_classification |
threat_remediated | Threat | Subclassifications |
threat_remediated | Threat | ioc_process_paths |
threat_remediated | Threat | ioc_process_names |
threat_remediated | Threat | ioc_process_md5s |
threat_remediated | Threat | ioc_network_domains |
threat_remediated | Threat | ioc_network_ips |
threat_remediated | Threat | relevant_process_names |
threat_remediated | Endpoint | Platform |
threat_remediated | Endpoint | endpoint_type |
threat_remediated | Endpoint | Hostname |
threat_remediated | Endpoint | short_hostname |
threat_remediated | Endpoint | sensor_group |
threat_remediated | Endpoint | reporting_tags |
threat_remediated | Endpoint | endpoint_status |
threat_remediated | Endpoint | decommissioned? |
threat_remediated | Endpoint | days_since_last_checkin |
threat_remediated | EndpointUser | days_since_last_checkin |
threat_remediated | EndpointUser | username |
threat_remediated | EndpointUser | username_without_domain |
threat_remediated | EndpointUser | Domain |
threat_remediated | EndpointUser | uid |
threat_remediated | EndpointUser | reporting_tags |
threat_remediated | CurrentTime | day_of_week_in_<timezone> |
threat_remediated | CurrentTime | hour_of_day_in_<timezone> |
threat_not_remediated | ||
Trigger condition | Model | Variable |
threat_not_remediated | Threat | Severity |
threat_not_remediated | Threat | root_classification |
threat_not_remediated | Threat | subclassifications |
threat_not_remediated | Threat | ioc_process_paths |
threat_not_remediated | Threat | ioc_process_names |
threat_not_remediated | Threat | ioc_process_md5s |
threat_not_remediated | Threat | ioc_network_domains |
threat_not_remediated | Threat | ioc_network_ips |
threat_not_remediated | Threat | relevant_process_names |
threat_not_remediated | Endpoint | Platform |
threat_not_remediated | Endpoint | endpoint_type |
threat_not_remediated | Endpoint | Hostname |
threat_not_remediated | Endpoint | short_hostname |
threat_not_remediated | Endpoint | sensor_group |
threat_not_remediated | Endpoint | reporting_tags |
threat_not_remediated | Endpoint | endpoint_status |
threat_not_remediated | Endpoint | decommissioned? |
threat_not_remediated | Endpoint | days_since_last_checkin |
threat_not_remediated | EndpointUser | Username |
threat_not_remediated | EndpointUser | username_without_domain |
threat_not_remediated | EndpointUser | Domain |
threat_not_remediated | EndpointUser | Uid |
threat_not_remediated | EndpointUser | reporting_tags |
threat_not_remediated | CurrentTime | day_of_week_in_<timezone> |
threat_not_remediated | CurrentTime | hour_of_day_in_<timezone> |
threat_acknowledged | ||
Trigger condition | Model | Variable |
threat_acknowledged | Threat | Severity |
threat_acknowledged | Threat | root_classification |
threat_acknowledged | Threat | subclassifications |
threat_acknowledged | Threat | ioc_process_paths |
threat_acknowledged | Threat | ioc_process_names |
threat_acknowledged | Threat | ioc_process_md5s |
threat_acknowledged | Threat | ioc_network_domains |
threat_acknowledged | Threat | ioc_network_ips |
threat_acknowledged | Threat | relevant_process_names |
threat_acknowledged | Endpoint | Platform |
threat_acknowledged | Endpoint | endpoint_type |
threat_acknowledged | Endpoint | Hostname |
threat_acknowledged | Endpoint | short_hostname |
threat_acknowledged | Endpoint | sensor_group |
threat_acknowledged | Endpoint | reporting_tags |
threat_acknowledged | Endpoint | endpoint_status |
threat_acknowledged | Endpoint | decommissioned? |
threat_acknowledged | Endpoint | days_since_last_checkin |
threat_acknowledged | EndpointUser | Username |
threat_acknowledged | EndpointUser | username_without_domain |
threat_acknowledged | EndpointUser | Domain |
threat_acknowledged | EndpointUser | Uid |
threat_acknowledged | EndpointUser | reporting_tags |
threat_acknowledged | CurrentTime | day_of_week_in_<timezone> |
threat_acknowledged | CurrentTime | hour_of_day_in_<timezone> |
audit_log_created | ||
Trigger condition | Model | Variable |
audit_log_created | AuditLog | Description |
audit_log_created | AuditLog | by_user_id |
audit_log_created | AuditLog | action |
audit_log_created | CurrentTime | day_of_week_in_<timezone> |
audit_log_created | CurrentTime | hour_of_day_in_<timezone> |
activity_monitor_match_found | ||
Trigger condition | Model | Variable |
activity_monitor_match_found | CurrentTime | day_of_week_in_<timezone> |
activity_monitor_match_found | CurrentTime | hour_of_day_in_<timezone> |
endpoint_status_changed | ||
Trigger condition | Model | Variable |
endpoint_status_changed | Endpoint | Platform |
endpoint_status_changed | Endpoint | endpoint_type |
endpoint_status_changed | Endpoint | Hostname |
endpoint_status_changed | Endpoint | short_hostname |
endpoint_status_changed | Endpoint | sensor_group |
endpoint_status_changed | Endpoint | endpoint_status |
endpoint_status_changed | Endpoint | decommissioned? |
endpoint_status_changed | Endpoint | days_since_last_checkin |
endpoint_status_changed | EndpointUser | Username |
endpoint_status_changed | EndpointUser | username_without_domain |
endpoint_status_changed | EndpointUser | Domain |
endpoint_status_changed | EndpointUser | Uid |
endpoint_status_changed | EndpointUser | reporting_tags |
endpoint_status_changed | CurrentTime | day_of_week_in_<timezone> |
endpoint_status_changed | CurrentTime | hour_of_day_in_<timezone> |
note_added_to_threat | ||
Trigger condition | Model | Variable |
note_added_to_threat | CurrentTime | day_of_week_in_<timezone> |
note_added_to_threat | CurrentTime | hour_of_day_in_<timezone> |
endpoint_days_since_last_checkin | ||
Trigger condition | Model | Variable |
endpoint_days_since_last_checkin | Endpoint | Platform |
endpoint_days_since_last_checkin | Endpoint | endpoint_type |
endpoint_days_since_last_checkin | Endpoint | Hostname |
endpoint_days_since_last_checkin | Endpoint | short_hostname |
endpoint_days_since_last_checkin | Endpoint | sensor_group |
endpoint_days_since_last_checkin | Endpoint | endpoint_status |
endpoint_days_since_last_checkin | Endpoint | decommissioned? |
endpoint_days_since_last_checkin | Endpoint | days_since_last_checkin |
new_ioc_created | ||
Trigger condition | Model | Variable |
new_ioc_created | Indicator | Path |
new_ioc_created | Indicator | Domain |
new_ioc_created | Indicator | Ip |
new_ioc_created | Indicator | Md5 |
new_ioc_created | Indicator | Sha256 |
new_ioc_created | Indicator | Sha1 |
new_ioc_created | Indicator | Type |
new_ioc_created | Threat | Severity |
new_ioc_created | Threat | root_classification |
new_ioc_created | Threat | Subclassifications |
new_ioc_created | Threat | ioc_process_paths |
new_ioc_created | Threat | ioc_process_names |
new_ioc_created | Threat | ioc_process_md5s |
new_ioc_created | Threat | ioc_network_domains |
new_ioc_created | Threat | ioc_network_ips |
new_ioc_created | Threat | relevant_process_names |
new_ioc_created | Endpoint | Platform |
new_ioc_created | Endpoint | endpoint_type |
new_ioc_created | Endpoint | Hostname |
new_ioc_created | Endpoint | short_hostname |
new_ioc_created | Endpoint | sensor_group |
new_ioc_created | Endpoint | reporting_tags |
new_ioc_created | Endpoint | endpoint_status |
new_ioc_created | Endpoint | decommissioned? |
new_ioc_created | Endpoint | days_since_last_checkin |
new_ioc_created | EndpointUser | Username |
new_ioc_created | EndpointUser | username_without_domain |
new_ioc_created | EndpointUser | Domain |
new_ioc_created | EndpointUser | uid |
new_ioc_created | EndpointUser | reporting_tags |
external_alert_is_ingested | ||
Trigger condition | Model | Variable |
external_alert_is_ingested | ExternalAlert | external_alert_source_alert_identifier |
external_alert_is_ingested | ExternalAlert | external_alert_source_alert_url |
external_alert_is_ingested | ExternalAlert | reported_severity |
external_alert_is_ingested | ExternalAlert | reported_classification |
external_alert_is_ingested | ExternalAlert | native_json_raw |
external_alert_is_ingested | ExternalAlert | native_email_raw |
external_alert_is_ingested | ExternalAlert | risk_score |
external_alert_is_ingested | ExternalAlert | responsible_reviewing_team |
external_alert_is_ingested | ExternalAlertSource | Name |
external_alert_is_ingested | ExternalAlertSourcePlatform | display_name |
external_alert_is_ingested | ExternalAlertSourcePlatform | display_category |
external_alert_validation_state_change | ||
Trigger condition | Model | Variable |
external_alert_validation_state_change | ExternalAlert | validation_state |
external_alert_validation_state_change | ExternalAlert | external_alert_source_alert_identifier |
external_alert_validation_state_change | ExternalAlert | external_alert_source_alert_url |
external_alert_validation_state_change | ExternalAlert | reported_severity |
external_alert_validation_state_change | ExternalAlert | reported_classification |
external_alert_validation_state_change | ExternalAlert | native_json_raw |
external_alert_validation_state_change | ExternalAlert | native_email_raw |
external_alert_validation_state_change | ExternalAlert | risk_score |
external_alert_validation_state_change | ExternalAlert | responsible_reviewing_team |
external_alert_validation_state_change | ExternalAlertSource | Name |
external_alert_validation_state_change | ExternalAlertSourcePlatform | display_name |
external_alert_validation_state_change | ExternalAlertSourcePlatform | display_category |
external_alert_hasnt_been_correlated_for_24_hours | ||
Trigger condition | Model | Variable |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | external_alert_source_alert_identifier |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | reported_severity |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | reported_classification |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | native_json_raw |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | native_email_raw |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | risk_score |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlert | responsible_reviewing_team |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSource | Name |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSourcePlatform | display_name |
external_alert_hasnt_been_correlated_for_24_hours | ExternalAlertSourcePlatform | display_category |
external_alert_responsible_reviewing_team_changed | ||
Trigger condition | Model | Variable |
external_alert_responsible_reviewing_team_changed | ExternalAlert | external_alert_source_alert_identifier |
external_alert_responsible_reviewing_team_changed | ExternalAlert | external_alert_source_alert_url |
external_alert_responsible_reviewing_team_changed | ExternalAlert | reported_severity |
external_alert_responsible_reviewing_team_changed | ExternalAlert | reported_classification |
external_alert_responsible_reviewing_team_changed | ExternalAlert | native_json_raw |
external_alert_responsible_reviewing_team_changed | ExternalAlert | native_email_raw |
external_alert_responsible_reviewing_team_changed | ExternalAlert | risk_score |
external_alert_responsible_reviewing_team_changed | ExternalAlert | responsible_reviewing_team |
external_alert_responsible_reviewing_team_changed | ExternalAlertSource | Name |
external_alert_responsible_reviewing_team_changed | ExternalAlertSourcePlatform | display_name |
external_alert_responsible_reviewing_team_changed | ExternalAlertSourcePlatform | display_category |