A job triggered by delta in a feed (event triggered job) runs when a feed has completed an operation and there is a change in the content. You can define a job to trigger a playbook when the specified feed or feeds finish a fetch operation that included a modification to the feed. The modification can be a new indicator, a modified indicator, or a removed indicator. For example, you may want to update your firewall every time a URL is added, modified, or removed from the Office 365 feed.
Note
A job triggered by delta in a feed runs only if there is a change in the feed, and does not run on a feed’s initial fetch. If this is the initial fetch, you can run the playbook manually the first time and then set up an event triggered job for subsequent fetches.
If you want to trigger a job after a feed completes a fetch operation, and the feed does not change frequently, you can select the Reset last seen option in the feed integration instance. The next time the feed fetches indicators, it will process them as new indicators in the system.
Select → → → .
Select Triggered by delta in feed.
In the TRIGGERS section, select one of the following:
Any feed: The playbook runs when a modification is made to any feed.
Specific feeds: Select the feed instances that triggers the playbook to run when a modification is made to the specified feed instances.
In the BASIC INFORMATION section add the following parameters:
Parameter
Description
Name
Enter a meaningful name for the job.
Owner
Assign an owner to the job run.
Playbook
Determine which playbook to run when the job is triggered.
Description
Enter a meaningful description for the job.
Create the new job.
The job is added to the job runs table. Click the job to see details, Work Plan and in the War Room take action as required,