Using Triggers in Playbooks
A trigger is defined at the start of creating a playbook. It specifies the condition under which the playbook is triggered when an alert is detected. To add a trigger to a playbook, drag and drop one of the triggers onto the yellow Drag Trigger box in the middle pane.
The following Triggers are currently supported:
- All: every single alert for that environment.
- Alert type: this value is created during processing as the field "Rule Generator"; it can be set when configuring a Connector.
- Product name: alert coming from a product (connector).
- Tag name: checks whether Chronicle SOAR automatically added a tag during ingestion and processing. Tags can be added from Settings > Case Data > Tags.
- Alert Trigger value: runs according to a predefined field from the connector (Google recommends using Custom Trigger instead).
- Custom Trigger: based on custom placeholders. Allows you to customize any match, e.g. 'if alert name INCLUDES <string>'.
- Custom List: based on triggers defined in a custom list in settings.
- Network Name: subnets can be defined in settings; when there is an entity in one of these subnets, the playbook runs (so it works on alerts coming from those specific subnets).
To add a trigger:
- Select Add Step in the Playbooks screen.
- Select Triggers from the Step Selection menu.
- Click on Alert Type and drag it to the first step in the Playbook.
- Double click on it to open a new Alert Type dialog box.
- Under Parameters, click the equal sign and select either the Equal, Contains or Starts With option from the drop-down list.
- Select the required parameter from the drop-down list. In this case, we have chosen an Alert Type based on any alert that contains Phishing email detector.
Note that once you specify the trigger parameter and save it, the parameter name appears in the description of the trigger.
- Click Save. The specified trigger parameter is saved and you return to the Playbook page where you can define the next set of components (actions and/or flow) for the Playbook.
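The choice between Equal, Contains and Starts With decides how many alert types a playbook picks up, and a Network Name trigger depends on entity addresses falling inside the defined subnets. The sketch below is an added example, not Chronicle SOAR code: the alert dictionaries, field names, function names and case-sensitive matching are assumptions made for illustration, and the sample alerts are constructed.

```python
import ipaddress

# Operators offered in the Alert Type trigger dialog (case-sensitive here: an assumption).
OPERATORS = {
    "Equal": lambda value, param: value == param,
    "Contains": lambda value, param: param in value,
    "Starts With": lambda value, param: value.startswith(param),
}

def alert_type_matches(alert, operator, param):
    """Alert Type trigger: compare the alert's "Rule Generator" value."""
    return OPERATORS[operator](alert.get("rule_generator", ""), param)

def network_matches(alert, subnets):
    """Network Name trigger: true if any entity address is in a defined subnet."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    for entity in alert.get("entities", []):
        try:
            addr = ipaddress.ip_address(entity)
        except ValueError:
            continue  # not an IP entity (hostname, user, hash, ...)
        if any(addr in net for net in nets):
            return True
    return False

def matching_alerts(alerts, predicate):
    """Return the names of the sample alerts a trigger would select."""
    return [a["name"] for a in alerts if predicate(a)]

# Constructed sample alerts; field names are hypothetical, not the product's schema.
ALERTS = [
    {"name": "a1", "rule_generator": "Phishing email detector", "entities": ["10.1.2.3"]},
    {"name": "a2", "rule_generator": "Phishing email detector - sandbox", "entities": ["192.0.2.10"]},
    {"name": "a3", "rule_generator": "External Phishing email detector", "entities": ["10.1.9.9"]},
    {"name": "a4", "rule_generator": "Malware found", "entities": ["host-7"]},
]
PARAM = "Phishing email detector"

def compare_operators():
    """Map each operator to the alerts it selects for PARAM."""
    return {op: matching_alerts(ALERTS, lambda a, op=op: alert_type_matches(a, op, PARAM))
            for op in OPERATORS}

if __name__ == "__main__":
    for op, names in compare_operators().items():
        print(f"{op:12} -> {names}")
    print("Network 10.1.0.0/16 ->",
          matching_alerts(ALERTS, lambda a: network_matches(a, ["10.1.0.0/16"])))
```

Running a planned trigger against a handful of representative alerts like this shows whether Contains pulls in rule generators the playbook was never meant to handle.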