Automate Playbook attributes
This is a list of attributes that can be used with an Automate Playbook.
To see a list of Trigger conditions, related Models, and Variables available when creating an Automate Trigger, please view this article.
Playbook Variable List
These variables can be used to customize your actions. They will be translated at runtime.
Not all variables are available during every execution. For example, if an AuditLog creation triggers this action to run, $Detection variables won't be present. If a variable is unable to be translated, it will be left as is.
Variables embedded in custom payloads can also be JSON- or XML-escaped. Use $JSON:Variable.name or $XML:Variable.name in place of $Variable.name to use this functionality.
All objects within an array can be selected using brace notation with ["*"]. For example, use $Model.attributes["users"]["*"]["name"] to parse the JSON object {"users": [{"name": "John Doe"}, {"name": "Jane Doe"}]} and receive both users' names.
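The escaping prefixes described above matter most for fields such as $Event.pretty_command_line, whose values come from endpoint activity and can contain quotes and backslashes. The following is an added example, not code from the product: a local Python emulation of variable translation showing a custom JSON payload built with and without $JSON:. The render function, the sample values, and the exact escaping rules (escaping for use inside a quoted string) are assumptions made for illustration.

```python
import json
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed sample values. A command line is a typical field that carries
# quotes and backslashes taken straight from endpoint activity.
CONTEXT = {
    "Detection.headline": "Suspicious PowerShell",
    "Event.pretty_command_line": 'powershell.exe -c "Get-Content C:\\temp\\a.txt"',
}

# Matches $Name.attr, $JSON:Name.attr and $XML:Name.attr (attrs may end in "?").
TOKEN = re.compile(r"\$(?:(JSON|XML):)?([A-Z][A-Za-z]*\.\w+\??)")

def render(template, context):
    """Local emulation of playbook variable translation (assumed semantics)."""
    def substitute(match):
        mode, name = match.group(1), match.group(2)
        if name not in context:
            return match.group(0)  # untranslatable variables are left as is
        value = str(context[name])
        if mode == "JSON":
            # Assumption: escaped for use inside a quoted JSON string.
            return json.dumps(value)[1:-1]
        if mode == "XML":
            return xml_escape(value, {'"': "&quot;", "'": "&apos;"})
        return value
    return TOKEN.sub(substitute, template)

def is_valid_json(text):
    try:
        json.loads(text)
        return True
    except ValueError:
        return False

RAW_TEMPLATE = ('{"title": "$Detection.headline", '
                '"cmd": "$Event.pretty_command_line", "by": "$AuditLog.by_user"}')
SAFE_TEMPLATE = RAW_TEMPLATE.replace("$", "$JSON:")

if __name__ == "__main__":
    for label, template in (("raw", RAW_TEMPLATE), ("escaped", SAFE_TEMPLATE)):
        body = render(template, CONTEXT)
        print(label, "valid JSON:", is_valid_json(body))
        print(body)
```

The $AuditLog variable is absent from the sample context, so it stays in the output untranslated; a receiving system should be prepared to see such literal tokens.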
ActivityMonitor
$ActivityMonitor.name
ActivityMonitorMatch
$ActivityMonitorMatch.file_path
$ActivityMonitorMatch.hit_at
$ActivityMonitorMatch.id
AuditLog
$AuditLog.action
$AuditLog.by_user
$AuditLog.by_user_id
$AuditLog.created_at
$AuditLog.description
CurrentTime
$CurrentTime.day_of_week_in_CST
$CurrentTime.day_of_week_in_EST
$CurrentTime.day_of_week_in_MST
$CurrentTime.day_of_week_in_PST
$CurrentTime.day_of_week_in_UTC
$CurrentTime.hour_of_day_in_CST
$CurrentTime.hour_of_day_in_EST
$CurrentTime.hour_of_day_in_MST
$CurrentTime.hour_of_day_in_PST
$CurrentTime.hour_of_day_in_UTC
Detection
$Detection.details
$Detection.full_classification_title
$Detection.headline
$Detection.human_id
$Detection.id
$Detection.ioc_network_domains
$Detection.ioc_network_ips
$Detection.ioc_process_md5s
$Detection.ioc_process_names
$Detection.ioc_process_paths
$Detection.marked_acknowledged_by
$Detection.marked_resolved_by
$Detection.url
$Detection.relevant_process_names
$Detection.root_classification
$Detection.severity
$Detection.subclassifications
Endpoint
$Endpoint.days_since_last_checkin
$Endpoint.decommissioned?
$Endpoint.endpoint_status
$Endpoint.endpoint_type
$Endpoint.hostname
$Endpoint.id
$Endpoint.last_checkin_time
$Endpoint.platform
$Endpoint.protected?
$Endpoint.reporting_tags
$Endpoint.sensor_group
$Endpoint.sensor_id
$Endpoint.short_hostname
EndpointUser
$EndpointUser.domain
$EndpointUser.reporting_tags
$EndpointUser.uid
$EndpointUser.username
$EndpointUser.username_without_domain
Event
$Event.expected_impact
$Event.id
$Event.parent_process_path
$Event.pretty_command_line
$Event.process_md5
$Event.process_path
$Event.process_sha256
$Event.publisher
$Event.started_at
$Event.url
ExternalAlert
$ExternalAlert.external_alert_source_alert_identifier
$ExternalAlert.external_alert_source_alert_url
$ExternalAlert.native_email_raw
$ExternalAlert.reported_classification
$ExternalAlert.reported_severity
$ExternalAlert.responsible_reviewing_team
$ExternalAlert.risk_score
$ExternalAlert.url
$ExternalAlert.validation_state
ExternalAlertSource
$ExternalAlertSource.name
ExternalAlertSourcePlatform
$ExternalAlertSourcePlatform.display_category
$ExternalAlertSourcePlatform.display_name
Indicator
$Indicator.domain
$Indicator.id
$Indicator.ip
$Indicator.md5
$Indicator.path
$Indicator.sha1
$Indicator.sha256
$Indicator.type
Note
$Note.author_email
$Note.content
Subdomain
$Subdomain.vanity_name