Skip to main content
Red Canary help

Create triggers to customize when a playbook is run

  • Updated .

You can use automation triggers to define when automation playbooks should be executed. 

Triggers describe when automation should begin. Triggers start with an event and can be limited by conditions. Each trigger can be linked to one or more playbooks, making both triggers and playbooks extremely reusable.

Threat_window.png

Create a trigger

  1. Click Configure new Trigger and select the event you want to start with.
  2. Adjust the trigger’s name to describe your use case.
  3. Customize the conditions to meet your use case. Keep in mind that certain fields will only be available for certain events. 
  4. Click Save.

Triggers are active by default. Click the Active slider to deactivate the trigger and prevent it from firing, or click the ICON_TRASH icon to permanently delete the trigger.

Note: Red Canary observes Daylight Saving Time (DST) except in Coordinated Universal Time (UTC)

How do condition matchers work?

Each trigger condition has a matcher that determines how values are matched. Please ensure there is no whitespace in the tags.

For fields that contain one of a known set of values, one of the following matchers might be available:

Trigger Match
<field> is one of <values> Matches if the field is one of the values selected.
<field> is not one of <values>

Matches if the field is not one of the values selected.
<field> is <value> Matches if the field is the same as the selected value.
<field> is not <value> Matches if the field is not the same as the selected value.

For fields that contain a list of known sets of values, one of the following matchers should be available:

Trigger Match
<field of values> includes any of <values>  Matches if at least one of the field values is the same as one of the selected values.
<field of values> does not contain any of <values> 

Matches if none of the field values is the same as one of the selected values.

For fields that contain a list of values, one of the following matchers should be available:

Trigger Match
<field of values> contain <value>  Matches if at least one of the field values contains the text in the entered values.
<field of values> does not contain <value> 

Matches if none of the field values contains the text in the entered values.

For fields with text values, one of the following matchers should be available:

Trigger Match
<field> starts with <value> Matches if the field starts with the text in the entered value.
<field> starts with one of <comma separated values>

Matches if the field starts with any of the comma-separated values.
Note: spaces between commas are accepted.
<field> ends with <value>

Matches if the field ends with the text in the entered value.
<field> matches wildcard <value>

Matches if the field matches the entered value using filename wildcard syntax.
Note: wildcards must be enclosed in *asterisks*. 
<field> does not match wildcard <value>

Matches if the field does not match the entered value using filename wildcard syntax.
Note: wildcards must be enclosed in *asterisks*. 
<field> includes all of <value>

Matches if the field ends with the text in the entered value.

For numeric fields, one of the following matchers should be available:

Trigger Match
<field> is greater than <value> Matches if the field is greater than the entered value.
<field> is less than <value>

Matches if the field is less than the entered value.

Note: When selecting When an Intelligence Profile is added to a Threat, it will match the following conditions: 

  • Threat
  • Intelligence profile
  • Endpoint
  • Identity
  • Time
  • Subdomain

Any associated triggers will fire and execute the connected playbook. The executed playbook is aware of the updated threat as well as the added intelligence profile.

Note: Be aware that triggers will continually be evaluated and fire for 60 days after the initial triggering condition then cease to fire. This will primarily impact playbooks designed to auto decommission endpoints after a set period of time. Please resolve these triggering actions at 59 days to avoid this limitation.

Create a playbook with a trigger

  1. Click Connect Playbook next to any trigger.
  2. Click Create a new Playbook.
    Note: This may take some time. A loading automation triggers & playbooks message displays.
  3. Click the new playbook to begin editing.
  4. Enter a name and description for the playbook (these changes will save automatically).

Playbooks are active by default. Click the Active slider to deactivate the playbook and prevent it from executing, or click the ICON_TRASH icon to permanently delete the playbook.

Manually trigger a playbook

Automation playbooks are designed to be executed by triggers or manual execution. There are many use cases for manual execution, including testing a new playbook to ensure it works as expected and executing certain remediation playbooks that should only be triggered by your team.

Playbooks can be executed against any of the threats, endpoints, and endpoint users in Red Canary. You can manually execute a playbook by selecting an object that you’d like to execute against.

  1. When viewing any playbook, click Run.
  2. Select an object type to execute against.
  3. Select an object of that type.
  4. Click Run.

The playbook will begin executing. Click Follow along with the progress here in the resulting dialog to see the results.

Comments

0 comments

Please sign in to leave a comment.