You can use automation triggers to define when automation playbooks should be executed. 

Triggers start with an event (such as When a detection is published or When an Endpoint status changes) and can be limited by conditions such as the Detection’s severity is high. Each trigger can be bound to one or more playbooks, which allows both triggers and playbooks to be highly reusable.

Create a trigger

You can create a trigger that describes when playbooks should be executed.

To create a trigger:

1. Click New Trigger and select the event you want to start with.
2. Adjust the trigger’s name to describe your use case.
3. Click Add condition to add a condition that limits when the trigger is activated.
4. Customize the conditions to meet your use case. Keep in mind that certain fields will only be available for certain events. 
5. Click Save.

Triggers are active by default. Click the Active slider to deactivate the trigger and prevent it from firing, or click the ICON_TRASH icon to permanently delete the trigger.

How do condition matchers work?

Each trigger condition has a matcher that determines how values are matched.

For fields that contain one of a known set of values, one of the following matchers might be available:

• <field> is one of <values> matches if the field is one of the values selected.
• <field> is not one of <values> matches if the field is not one of the values selected.
• <field> is <value> matches if the field is the same as the selected value.
• <field> is not <value> matches if the field is not the same as the selected value.
• <field> is <value> matches if the field is the same as the selected value.

For fields that contain a list of known sets of values, one of the following matchers might be available:

• <field of values> includes any of <values> matches if at least one of field values is the same as one the selected values.
• <field of values> does not contain any of <values> matches if none of field values is the same as any the selected values.

For fields that contain a list of values, one of the following matchers might be available:

• <field of values> contain <value> matches if at least one of field values contains the text in the entered value.
• <field of values> does not contain <value> matches if none of field values contains the text in the entered value.

For fields with text values, one of the following matchers might be available:

• <field> starts with <value> matches if the field starts with the text in the entered value.
• <field> starts with one of <comma separated values> matches if the field starts with any of the entered comma-separated values.
• <field> ends with <value> matches if the field ends with the text in the entered value.
• <field> matches wildcard <value> matches if the field matches the entered value using filename wildcard syntax.
• <field> does not match wildcard <value> matches if the field does not match the entered value using filename wildcard syntax.
• <field> includes all of <value> matches if the field ends with the text in the entered value.

For numeric fields, one of the following matchers might be available:

• <field> is greater than <value> matches if the field is greater than the entered value.
• <field> is less than <value> matches if the field is less than the entered value.