Automate Playbook attributes

This is a list of attributes that can be used with an Automate Playbook.

To see a list of Trigger conditions, related Models, and Variables available when creating an Automate Trigger, please view this article.

Playbook Variable List

These variables can be used to customize your actions. They will be translated at runtime.

Not all variables are available during every execution. For example, if an AuditLog creation triggers this action to run, $Detection variables won't be present. If a variable is unable to be translated, it will be left as is.

Variables can be escaped with JSON or XML formatting as well, if they are embedded in custom payloads and need to be escaped. Use $JSON:Variable.name or$XML:Variable.name in place of $Variable.name to use this functionality.

All objects within an array can be selected using brace notation with ["*"]. For example, use$Model.attributes["users"]["*"]["name"] to parse to JSON object{"users": [{"name": "John Doe"}, {"name": "Jane Doe"}]} to receive both user's names.

ActivityMonitor

$ActivityMonitor.name

ActivityMonitorMatch

$ActivityMonitorMatch.file_path

$ActivityMonitorMatch.hit_at

$ActivityMonitorMatch.id

AuditLog

$AuditLog.action

$AuditLog.by_user

$AuditLog.by_user_id

$AuditLog.created_at

$AuditLog.description

CurrentTime

$CurrentTime.day_of_week_in_CST

$CurrentTime.day_of_week_in_EST

$CurrentTime.day_of_week_in_MST

$CurrentTime.day_of_week_in_PST

$CurrentTime.day_of_week_in_UTC

$CurrentTime.hour_of_day_in_CST

$CurrentTime.hour_of_day_in_EST

$CurrentTime.hour_of_day_in_MST

$CurrentTime.hour_of_day_in_PST

$CurrentTime.hour_of_day_in_UTC

Detection

$Detection.details

$Detection.full_classification_title

$Detection.headline

$Detection.human_id

$Detection.id

$Detection.ioc_network_domains

$Detection.ioc_network_ips

$Detection.ioc_process_md5s

$Detection.ioc_process_names

$Detection.ioc_process_paths

$Detection.marked_acknowledged_by

$Detection.marked_resolved_by

$Detection.url

$Detection.relevant_process_names

$Detection.root_classification

$Detection.severity

$Detection.subclassifications

Endpoint

$Endpoint.days_since_last_checkin

$Endpoint.decommissioned?

$Endpoint.endpoint_status

$Endpoint.endpoint_type

$Endpoint.hostname

$Endpoint.id

$Endpoint.last_checkin_time

$Endpoint.platform

$Endpoint.protected?

$Endpoint.reporting_tags

$Endpoint.sensor_group

$Endpoint.sensor_id

$Endpoint.short_hostname

EndpointUser

$EndpointUser.domain

$EndpointUser.reporting_tags

$EndpointUser.uid

$EndpointUser.username

$EndpointUser.username_without_domain

Event

$Event.expected_impact

$Event.id

$Event.parent_process_path

$Event.pretty_command_line

$Event.process_md5

$Event.process_path

$Event.process_sha256

$Event.publisher

$Event.started_at

$Event.url

ExternalAlert

$ExternalAlert.external_alert_source_alert_identifier

$ExternalAlert.external_alert_source_alert_url

$ExternalAlert.native_email_raw

$ExternalAlert.native_json_raw (supports JSON interpolation)

$ExternalAlert.reported_classification

$ExternalAlert.reported_severity

$ExternalAlert.responsible_reviewing_team

$ExternalAlert.risk_score

$ExternalAlert.url

$ExternalAlert.validation_state

ExternalAlertSource

$ExternalAlertSource.name

ExternalAlertSourcePlatform

$ExternalAlertSourcePlatform.display_category

$ExternalAlertSourcePlatform.display_name

Indicator

$Indicator.domain

$Indicator.id

$Indicator.ip

$Indicator.md5

$Indicator.path

$Indicator.sha1

$Indicator.sha256

$Indicator.type

Note

$Note.author_email

$Note.content

Subdomain

$Subdomain.vanity_name