Use triggers in playbooks

A trigger is defined during the beginning phase of creating a playbook. It specifies the instance for which a playbook must be triggered in case of an alert detection. To add the trigger to a playbook, you must drag one of the triggers to the Drag a Trigger over here box in the Playbook designer.

When you open the **Triggers** menu, select one of the following tabs: Ingestion or Reaction.

The Ingestion tab includes the following trigger options:

• All: Triggers the playbook for every alert generated in the environment.
• Alert Type: Triggers based on the Rule Generator field configured during connector setup. For details, see Configure the connector.
• Product Name: Triggers when an alert originates from a specific product or connector.
• Tag Name: Triggers if a specific tag is added during ingestion. Manage tags in SOAR Settings > Case Data > Tags.
• Alert Trigger Value: Triggers based on a predefined field from the connector. Note: We recommend using Custom Trigger instead.
• Custom Trigger: Triggers based on custom placeholders for specific matches.
• Custom List: Triggers based on a predefined custom list in your settings.
• Network Name: Triggers if an alert involves an entity within a defined subnet.

For the list of Reaction triggers, see Use reaction triggers in playbooks.

Add a trigger to a playbook

1. Create a new playbook. For details about playbooks, see Create and edit a playbook with Gemini.
2. On the Step Selection menu, select Triggers.
3. Click Alert Type and drag it to the first step in the playbook. (For details, see Use an Alert Type trigger in a playbook).
4. Double-click it to open a new Alert Type dialog.
5. Under Parameters, select Equal, Contains, or Starts With.
6. Select the required parameter. In this use case, choose an alert type based on any alert that contains a phishing email detector.
   Once you specify the trigger parameter and save it, the parameter name appears in the trigger's description.