
Investigation Playbook Triggers

LAST UPDATED: JAN 10, 2025

On Playbook Start


Executes tasks either during the playbook's test run or after the playbook is added to an incident, whether via utility commands, the Escalate playbook task, the playbook automation widget, or the corresponding button in the incident.

Relevant Utility Commands

Commands used for event-incident correlation:

Example - Notifying a Manager

SCENARIO

A manager has requested to be notified whenever an incident is created. To fulfill this request, the analyst performs the following tasks.

Task 1: Add the Send Email Utility Command

The analyst will begin by adding the Send Email utility command task to the On Playbook Start trigger in an investigation playbook.

  1. Add the Send Email utility command to the trigger.

  2. Configure the fields as necessary.

    1. Enter the task name.

    2. Input the manager’s email address.

    3. Enter the email subject.

    4. Enter the email body containing a static message combined with the dynamically retrieved incident number.

      CODE
      {{ "A new incident has been created: " ~ (PlaybookData | jsonpath('$.DataSource.incident.IncidentNo')) }}
  3. Check the Auto Run checkbox, then click on the save button.

  4. Click on the Submit button, then confirm the playbook submission.

  5. Click on the Publish button, select a site to which to publish the playbook, then click on the Save button.


Task 2: Use the Investigation Playbook in a Preprocessing Playbook

After publishing the investigation playbook, the analyst will use it in an escalate task within a preprocessing playbook. They have already completed most of the preprocessing playbook workflow, with only the escalate task remaining to be configured.

  1. Click into the escalate task.

  2. Configure the fields as necessary.

    1. Enter the task name.

    2. Select an incident type.

    3. Select the previously created investigation playbook.

  3. Check the Auto Run checkbox, then click on the save button.


RESULT

Whenever a new incident is created through the preprocessing playbook, the investigation playbook configured in task 1 will execute automatically.


On Incident Close

Executes tasks after:

  • Manually closing an incident

  • Manually performing batch closures of incidents

  • Closing incidents using utility commands, either manually or automatically

Relevant Utility Commands

Commands for closing one incident:

Commands for closing multiple incidents:


On Playbook Task Error


Executes tasks when a current-level task or nested playbook command encounters an error.

Send Email Example
  1. Create a Codeless Playbook utility command.

  2. Set up a task that would result in an error.

  3. Enable its use as a command task.

  4. Use a passdown task to emit an error message to the parent playbook.

  5. Submit this utility command.

  6. Create an incident (investigation) playbook.

  7. Set up the Demo Nested Playbook Utility Command task.

READER NOTE

Ensure that the Error Trigger checkbox is ticked.

  8. Set up a Send Email utility command task for the On Playbook Task Error trigger.

  9. Test run this playbook, ensuring that the Demo Nested Playbook Utility Command task results in an error and the Send Email task completes successfully.

  10. Check the email for the error message.

Common use cases include notifying relevant stakeholders of task failures and automatically retrying the task.

On Incident Reopen

Executes tasks whenever a previously closed incident (i.e. Status: Closed) is manually or automatically reopened (i.e. Status: Open).

Relevant Utility Commands

Commands for updating the incident status to Open:


On Incident Change


Executes tasks whenever changes are made to the content within the Overview section of the incident workspace.

List of Incident Change Actions
  • Changing the site

  • Changing the title

  • Changing the severity

  • Changing the owner

  • Changing the date occurred

  • Changing the disposition

  • Changing the incident type

  • Changing the date ended

  • Adding a custom field

  • Modifying a custom field’s value

  • Deleting a custom field

  • Adding a description

  • Modifying a description

  • Deleting a description

  • Adding a conclusion

  • Modifying a conclusion

  • Deleting a conclusion

  • Adding a Tactic & Technique / Adversary Lifecycle

  • Deleting a Tactic & Technique / Adversary Lifecycle

  • Adding a playbook

  • Deleting a playbook

  • Adding investigation team members

  • Deleting investigation team members

  • Adding files

  • Deleting files

  • Adding notes

  • Modifying notes

  • Deleting notes

  • Inputting dynamic field values

  • Modifying/Clearing and saving dynamic field values

  • Adding a JSON table

  • Modifying a JSON table

  • Deleting a JSON table

  • Adding tags

  • Deleting tags

On Incident Status Change

Executes tasks whenever an incident's status transitions between the following states:

  • Open

  • In Progress

  • On Hold

Relevant Utility Commands

Commands for changing the incident status:

Common use cases:

  • Automatically assign tasks based on the new status

  • Notify relevant stakeholders of the status change


On Incident External Action


Executes tasks when the Trigger Incident External Action utility command identifies an incident that matches specific search criteria, facilitating cross-incident automation and coordination.

The On Incident External Action workflows of all playbooks associated with the first matching incident will be executed.

Example
  1. Create a Demo Trigger investigation playbook with an auto-running task connected to the On Incident External Action trigger.

  2. Submit the playbook.

  3. Publish the playbook.

  4. Create three incidents with the following characteristics:

    1. Title: Demo Incident 1, 2, or 3

    2. Type: Suspicious Network Activity

    3. Severity: Medium

  5. Ensure the Demo Trigger investigation playbook is attached to each incident.

  6. Navigate to the Trigger Incident External Action utility command.

  7. Test the utility command with the following for the Search Condition input parameter:

    JSON
    {
        "Type": "Suspicious Network Activity",
        "Severity": "Medium",
        "Title": {
            "$regex": "Demo Incident"
        }
    }
  8. Verify that the Demo Trigger playbook has completed execution only within the first incident (Demo Incident 1).

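To make the "first matching incident" behaviour of the example concrete, the following added Python model (not the product's own code) applies the Search Condition above to a constructed list of incidents. It assumes the condition semantics suggested by the JSON: plain values are equality tests, `$regex` is a regular-expression search on the field, and all keys must match; an anchored variant of the pattern is included to show how an unanchored `"Demo Incident"` also matches titles such as "Demo Incident 10".

```python
import json
import re

# Search Condition from the page: exact matches on Type and Severity,
# plus a $regex operator on Title (unanchored, so it is a substring search).
SEARCH_CONDITION = json.loads("""
{
    "Type": "Suspicious Network Activity",
    "Severity": "Medium",
    "Title": {"$regex": "Demo Incident"}
}
""")

# Tighter variant for comparison: the anchored pattern matches only the three demo titles.
ANCHORED_CONDITION = {**SEARCH_CONDITION, "Title": {"$regex": r"^Demo Incident [123]$"}}

# Constructed sample incidents in creation order (not real data).
INCIDENTS = [
    {"IncidentNo": 1001, "Title": "Demo Incident 1", "Type": "Suspicious Network Activity", "Severity": "Medium"},
    {"IncidentNo": 1002, "Title": "Demo Incident 2", "Type": "Suspicious Network Activity", "Severity": "Medium"},
    {"IncidentNo": 1003, "Title": "Demo Incident 3", "Type": "Suspicious Network Activity", "Severity": "Medium"},
    {"IncidentNo": 1004, "Title": "Demo Incident 10", "Type": "Suspicious Network Activity", "Severity": "Medium"},
    {"IncidentNo": 1005, "Title": "Demo Incident 4", "Type": "Suspicious Network Activity", "Severity": "High"},
]

def field_matches(value, condition):
    """A dict with $regex is a regex search on the field; any other value is an equality test (assumed semantics)."""
    if isinstance(condition, dict):
        unsupported = set(condition) - {"$regex"}
        if unsupported:
            raise ValueError(f"unsupported operator(s): {sorted(unsupported)}")
        return value is not None and re.search(condition["$regex"], str(value)) is not None
    return value == condition

def incident_matches(incident, condition):
    """All keys in the condition must match (implicit AND)."""
    return all(field_matches(incident.get(key), cond) for key, cond in condition.items())

def find_matching(incidents, condition):
    """Every incident that satisfies the condition, in creation order."""
    return [inc for inc in incidents if incident_matches(inc, condition)]

def first_match(incidents, condition):
    """Only the first matching incident has its On Incident External Action workflows run."""
    matches = find_matching(incidents, condition)
    return matches[0] if matches else None

if __name__ == "__main__":
    print("fires in:", first_match(INCIDENTS, SEARCH_CONDITION)["Title"])
    print("unanchored matches:", [i["Title"] for i in find_matching(INCIDENTS, SEARCH_CONDITION)])
    print("anchored matches:", [i["Title"] for i in find_matching(INCIDENTS, ANCHORED_CONDITION)])
```

Because only the first match fires, an over-broad condition does not cause extra executions, but it can silently select a different incident than intended; anchoring the pattern keeps the selection predictable.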

On Investigation Change

Executes tasks whenever summary, findings, remediations & mitigations, and recommendations data within the Investigation tab of the incident workspace changes.

Common use cases:

  • Notifying the team of new evidence

  • Re-evaluating the incident based on updated investigation details
