Learn how to create and add a playbook trigger to an alert.
A playbook trigger is a filter on alerts. It defines conditions so that when an alert with specific characteristics is created (for example, a particular source, severity, or MITRE TTP), a suitable response is issued via a playbook. This saves the analyst time and expense when investigating an alert.
In the Playbook Triggers page, you can create a playbook trigger, add a recommended playbook trigger, view all playbook triggers, and change the order of priority.
Important
Playbook triggers only apply to alerts that are grouped into incidents by the system. Most alerts with low and informational severity do not allow a playbook to be automatically executed on them. However, you can manually run a playbook on low severity alerts.
After you create a playbook trigger, the trigger is added to the Playbook Triggers table. In the Playbook Triggers table, you can do the following:
Set the priority of the playbook triggers, so that when an alert is ingested, the first trigger takes priority, then the second, then the third, and so on.
All recommended playbook triggers that are added (from the incident or the trigger table) are added to the top of the Playbook Triggers table. New triggers created manually are added to the bottom of the table.
View details of the triggers that have been created.
By default, you can see the playbook name and trigger criteria, the playbook, and the creation dates and source. You can add columns and filters as required. When you right-click a playbook trigger, you can edit the trigger, edit the playbook, delete, copy, or copy text.
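The ordering rules above can be checked offline before reordering the table. The following is an added example, not product code or a product API: it models the table as an ordered list, assumes criteria are exact field matches combined with AND and that the first matching trigger wins, and flags triggers that can never fire because a broader trigger sits above them. All trigger names, field names, and playbook names are constructed.

```python
# Added illustration: a model of an ordered trigger table, not the product's API.
from dataclasses import dataclass

@dataclass
class Trigger:
    name: str
    criteria: dict   # field -> required value (assumed: all fields must match)
    playbook: str

    def matches(self, alert: dict) -> bool:
        return all(alert.get(k) == v for k, v in self.criteria.items())

class TriggerTable:
    def __init__(self):
        self.rows = []   # index 0 is the highest priority

    def add_recommended(self, trigger):
        self.rows.insert(0, trigger)   # recommended triggers land at the top

    def add_manual(self, trigger):
        self.rows.append(trigger)      # manually created triggers land at the bottom

    def select(self, alert):
        """Return the first matching trigger in priority order, or None."""
        if not alert.get("in_incident"):   # hypothetical field name
            return None   # triggers only apply to alerts grouped into incidents
        return next((t for t in self.rows if t.matches(alert)), None)

    def shadowed(self):
        """Pairs (later, earlier) where the earlier trigger's criteria are a
        subset of the later one's, so the later trigger can never be selected."""
        out = []
        for i, later in enumerate(self.rows):
            for earlier in self.rows[:i]:
                if earlier.criteria.items() <= later.criteria.items():
                    out.append((later.name, earlier.name))
                    break
        return out

def build_table():
    """Constructed sample table: two manual triggers, then one recommended."""
    table = TriggerTable()
    table.add_manual(Trigger("any-high", {"severity": "high"}, "Generic Triage"))
    table.add_manual(Trigger("high-phishing",
                             {"severity": "high", "source": "email"},
                             "Phishing Response"))
    table.add_recommended(Trigger("t1059", {"mitre_ttp": "T1059"},
                                  "Script Containment"))
    return table
```

In this sample, a high severity alert from the email source is claimed by the broader "any-high" trigger, so "high-phishing" has to be moved above it to take effect.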