Trigger variables for Automate
Below is a list of the Trigger conditions, related Models, and Variables available when creating an Automate Trigger.
Please note that these trigger conditions are different from the attributes used with Playbooks. You can view the available Playbook attributes here or by choosing "Show list" when editing your Playbook. Please ensure there is no whitespace in the tags.
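Note: Red Canary observes Daylight Saving Time (DST) in every time zone listed below except Coordinated Universal Time (UTC), which has no DST. The day_of_week and hour_of_day values for the non-UTC variables therefore move by one hour relative to UTC when DST starts or ends, so a time-window condition that must stay fixed year-round is best written against the UTC variables.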
Trigger condition |
Model |
Variable |
threat_published |
Threat |
severity |
threat_published |
Threat |
root_classification |
threat_published |
Threat |
subclassifications |
threat_published |
Threat |
ioc_process_paths |
threat_published |
Threat |
ioc_process_names |
threat_published |
Threat |
ioc_process_md5s |
threat_published |
Threat |
ioc_network_domains |
threat_published |
Threat |
ioc_network_ips |
threat_published |
Threat |
relevant_process_names |
threat_published |
Endpoint |
platform |
threat_published |
Endpoint |
endpoint_type |
threat_published |
Endpoint |
hostname |
threat_published |
Endpoint |
short_hostname |
threat_published |
Endpoint |
sensor_group |
threat_published |
Endpoint |
reporting_tags |
threat_published |
Endpoint |
endpoint_status |
threat_published |
Endpoint |
decommissioned? |
threat_published |
Endpoint |
days_since_last_checkin |
threat_published |
EndpointUser |
username |
threat_published |
EndpointUser |
username_without_domain |
threat_published |
EndpointUser |
domain |
threat_published |
EndpointUser |
uid |
threat_published |
EndpointUser |
reporting_tags |
threat_published |
CurrentTime |
day_of_week_in_EST |
threat_published |
CurrentTime |
hour_of_day_in_EST |
threat_published |
CurrentTime |
day_of_week_in_MST |
threat_published |
CurrentTime |
hour_of_day_in_MST |
threat_published |
CurrentTime |
day_of_week_in_UTC |
threat_published |
CurrentTime |
hour_of_day_in_UTC |
threat_published |
CurrentTime |
day_of_week_in_PST |
threat_published |
CurrentTime |
hour_of_day_in_PST |
threat_published |
CurrentTime |
day_of_week_in_CST |
threat_published |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
threat_remediated |
Threat |
severity |
threat_remediated |
Threat |
root_classification |
threat_remediated |
Threat |
subclassifications |
threat_remediated |
Threat |
ioc_process_paths |
threat_remediated |
Threat |
ioc_process_names |
threat_remediated |
Threat |
ioc_process_md5s |
threat_remediated |
Threat |
ioc_network_domains |
threat_remediated |
Threat |
ioc_network_ips |
threat_remediated |
Threat |
relevant_process_names |
threat_remediated |
Endpoint |
platform |
threat_remediated |
Endpoint |
endpoint_type |
threat_remediated |
Endpoint |
hostname |
threat_remediated |
Endpoint |
short_hostname |
threat_remediated |
Endpoint |
sensor_group |
threat_remediated |
Endpoint |
reporting_tags |
threat_remediated |
Endpoint |
endpoint_status |
threat_remediated |
Endpoint |
decommissioned? |
threat_remediated |
Endpoint |
days_since_last_checkin |
threat_remediated |
EndpointUser |
username |
threat_remediated |
EndpointUser |
username_without_domain |
threat_remediated |
EndpointUser |
domain |
threat_remediated |
EndpointUser |
uid |
threat_remediated |
EndpointUser |
reporting_tags |
threat_remediated |
CurrentTime |
day_of_week_in_EST |
threat_remediated |
CurrentTime |
hour_of_day_in_EST |
threat_remediated |
CurrentTime |
day_of_week_in_MST |
threat_remediated |
CurrentTime |
hour_of_day_in_MST |
threat_remediated |
CurrentTime |
day_of_week_in_UTC |
threat_remediated |
CurrentTime |
hour_of_day_in_UTC |
threat_remediated |
CurrentTime |
day_of_week_in_PST |
threat_remediated |
CurrentTime |
hour_of_day_in_PST |
threat_remediated |
CurrentTime |
day_of_week_in_CST |
threat_remediated |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
threat_not_remediated |
Threat |
severity |
threat_not_remediated |
Threat |
root_classification |
threat_not_remediated |
Threat |
subclassifications |
threat_not_remediated |
Threat |
ioc_process_paths |
threat_not_remediated |
Threat |
ioc_process_names |
threat_not_remediated |
Threat |
ioc_process_md5s |
threat_not_remediated |
Threat |
ioc_network_domains |
threat_not_remediated |
Threat |
ioc_network_ips |
threat_not_remediated |
Threat |
relevant_process_names |
threat_not_remediated |
Endpoint |
platform |
threat_not_remediated |
Endpoint |
endpoint_type |
threat_not_remediated |
Endpoint |
hostname |
threat_not_remediated |
Endpoint |
short_hostname |
threat_not_remediated |
Endpoint |
sensor_group |
threat_not_remediated |
Endpoint |
reporting_tags |
threat_not_remediated |
Endpoint |
endpoint_status |
threat_not_remediated |
Endpoint |
decommissioned? |
threat_not_remediated |
Endpoint |
days_since_last_checkin |
threat_not_remediated |
EndpointUser |
username |
threat_not_remediated |
EndpointUser |
username_without_domain |
threat_not_remediated |
EndpointUser |
domain |
threat_not_remediated |
EndpointUser |
uid |
threat_not_remediated |
EndpointUser |
reporting_tags |
threat_not_remediated |
CurrentTime |
day_of_week_in_EST |
threat_not_remediated |
CurrentTime |
hour_of_day_in_EST |
threat_not_remediated |
CurrentTime |
day_of_week_in_MST |
threat_not_remediated |
CurrentTime |
hour_of_day_in_MST |
threat_not_remediated |
CurrentTime |
day_of_week_in_UTC |
threat_not_remediated |
CurrentTime |
hour_of_day_in_UTC |
threat_not_remediated |
CurrentTime |
day_of_week_in_PST |
threat_not_remediated |
CurrentTime |
hour_of_day_in_PST |
threat_not_remediated |
CurrentTime |
day_of_week_in_CST |
threat_not_remediated |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
threat_acknowledged |
Threat |
severity |
threat_acknowledged |
Threat |
root_classification |
threat_acknowledged |
Threat |
subclassifications |
threat_acknowledged |
Threat |
ioc_process_paths |
threat_acknowledged |
Threat |
ioc_process_names |
threat_acknowledged |
Threat |
ioc_process_md5s |
threat_acknowledged |
Threat |
ioc_network_domains |
threat_acknowledged |
Threat |
ioc_network_ips |
threat_acknowledged |
Threat |
relevant_process_names |
threat_acknowledged |
Endpoint |
platform |
threat_acknowledged |
Endpoint |
endpoint_type |
threat_acknowledged |
Endpoint |
hostname |
threat_acknowledged |
Endpoint |
short_hostname |
threat_acknowledged |
Endpoint |
sensor_group |
threat_acknowledged |
Endpoint |
reporting_tags |
threat_acknowledged |
Endpoint |
endpoint_status |
threat_acknowledged |
Endpoint |
decommissioned? |
threat_acknowledged |
Endpoint |
days_since_last_checkin |
threat_acknowledged |
EndpointUser |
username |
threat_acknowledged |
EndpointUser |
username_without_domain |
threat_acknowledged |
EndpointUser |
domain |
threat_acknowledged |
EndpointUser |
uid |
threat_acknowledged |
EndpointUser |
reporting_tags |
threat_acknowledged |
CurrentTime |
day_of_week_in_EST |
threat_acknowledged |
CurrentTime |
hour_of_day_in_EST |
threat_acknowledged |
CurrentTime |
day_of_week_in_MST |
threat_acknowledged |
CurrentTime |
hour_of_day_in_MST |
threat_acknowledged |
CurrentTime |
day_of_week_in_UTC |
threat_acknowledged |
CurrentTime |
hour_of_day_in_UTC |
threat_acknowledged |
CurrentTime |
day_of_week_in_PST |
threat_acknowledged |
CurrentTime |
hour_of_day_in_PST |
threat_acknowledged |
CurrentTime |
day_of_week_in_CST |
threat_acknowledged |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
audit_log_created |
AuditLog |
description |
audit_log_created |
AuditLog |
by_user_id |
audit_log_created |
AuditLog |
action |
audit_log_created |
CurrentTime |
day_of_week_in_EST |
audit_log_created |
CurrentTime |
hour_of_day_in_EST |
audit_log_created |
CurrentTime |
day_of_week_in_MST |
audit_log_created |
CurrentTime |
hour_of_day_in_MST |
audit_log_created |
CurrentTime |
day_of_week_in_UTC |
audit_log_created |
CurrentTime |
hour_of_day_in_UTC |
audit_log_created |
CurrentTime |
day_of_week_in_PST |
audit_log_created |
CurrentTime |
hour_of_day_in_PST |
audit_log_created |
CurrentTime |
day_of_week_in_CST |
audit_log_created |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
activity_monitor_match_found |
CurrentTime |
day_of_week_in_EST |
activity_monitor_match_found |
CurrentTime |
hour_of_day_in_EST |
activity_monitor_match_found |
CurrentTime |
day_of_week_in_MST |
activity_monitor_match_found |
CurrentTime |
hour_of_day_in_MST |
activity_monitor_match_found |
CurrentTime |
day_of_week_in_UTC |
activity_monitor_match_found |
CurrentTime |
hour_of_day_in_UTC |
activity_monitor_match_found |
CurrentTime |
day_of_week_in_PST |
activity_monitor_match_found |
CurrentTime |
hour_of_day_in_PST |
activity_monitor_match_found |
CurrentTime |
day_of_week_in_CST |
activity_monitor_match_found |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
endpoint_status_changed |
Endpoint |
platform |
endpoint_status_changed |
Endpoint |
endpoint_type |
endpoint_status_changed |
Endpoint |
hostname |
endpoint_status_changed |
Endpoint |
short_hostname |
endpoint_status_changed |
Endpoint |
sensor_group |
endpoint_status_changed |
Endpoint |
reporting_tags |
endpoint_status_changed |
Endpoint |
endpoint_status |
endpoint_status_changed |
Endpoint |
decommissioned? |
endpoint_status_changed |
Endpoint |
days_since_last_checkin |
endpoint_status_changed |
CurrentTime |
day_of_week_in_EST |
endpoint_status_changed |
CurrentTime |
hour_of_day_in_EST |
endpoint_status_changed |
CurrentTime |
day_of_week_in_MST |
endpoint_status_changed |
CurrentTime |
hour_of_day_in_MST |
endpoint_status_changed |
CurrentTime |
day_of_week_in_UTC |
endpoint_status_changed |
CurrentTime |
hour_of_day_in_UTC |
endpoint_status_changed |
CurrentTime |
day_of_week_in_PST |
endpoint_status_changed |
CurrentTime |
hour_of_day_in_PST |
endpoint_status_changed |
CurrentTime |
day_of_week_in_CST |
endpoint_status_changed |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
note_added_to_threat |
CurrentTime |
day_of_week_in_EST |
note_added_to_threat |
CurrentTime |
hour_of_day_in_EST |
note_added_to_threat |
CurrentTime |
day_of_week_in_MST |
note_added_to_threat |
CurrentTime |
hour_of_day_in_MST |
note_added_to_threat |
CurrentTime |
day_of_week_in_UTC |
note_added_to_threat |
CurrentTime |
hour_of_day_in_UTC |
note_added_to_threat |
CurrentTime |
day_of_week_in_PST |
note_added_to_threat |
CurrentTime |
hour_of_day_in_PST |
note_added_to_threat |
CurrentTime |
day_of_week_in_CST |
note_added_to_threat |
CurrentTime |
hour_of_day_in_CST |
Trigger condition |
Model |
Variable |
endpoint_days_since_last_checkin |
Endpoint |
platform |
endpoint_days_since_last_checkin |
Endpoint |
endpoint_type |
endpoint_days_since_last_checkin |
Endpoint |
hostname |
endpoint_days_since_last_checkin |
Endpoint |
short_hostname |
endpoint_days_since_last_checkin |
Endpoint |
sensor_group |
endpoint_days_since_last_checkin |
Endpoint |
reporting_tags |
endpoint_days_since_last_checkin |
Endpoint |
endpoint_status |
endpoint_days_since_last_checkin |
Endpoint |
decommissioned? |
endpoint_days_since_last_checkin |
Endpoint |
days_since_last_checkin |
Trigger condition |
Model |
Variable |
new_ioc_created |
Indicator |
path |
new_ioc_created |
Indicator |
domain |
new_ioc_created |
Indicator |
ip |
new_ioc_created |
Indicator |
md5 |
new_ioc_created |
Indicator |
sha256 |
new_ioc_created |
Indicator |
sha1 |
new_ioc_created |
Indicator |
type |
new_ioc_created |
Threat |
severity |
new_ioc_created |
Threat |
root_classification |
new_ioc_created |
Threat |
subclassifications |
new_ioc_created |
Threat |
ioc_process_paths |
new_ioc_created |
Threat |
ioc_process_names |
new_ioc_created |
Threat |
ioc_process_md5s |
new_ioc_created |
Threat |
ioc_network_domains |
new_ioc_created |
Threat |
ioc_network_ips |
new_ioc_created |
Threat |
relevant_process_names |
new_ioc_created |
Endpoint |
platform |
new_ioc_created |
Endpoint |
endpoint_type |
new_ioc_created |
Endpoint |
hostname |
new_ioc_created |
Endpoint |
short_hostname |
new_ioc_created |
Endpoint |
sensor_group |
new_ioc_created |
Endpoint |
reporting_tags |
new_ioc_created |
Endpoint |
endpoint_status |
new_ioc_created |
Endpoint |
decommissioned? |
new_ioc_created |
Endpoint |
days_since_last_checkin |
new_ioc_created |
EndpointUser |
username |
new_ioc_created |
EndpointUser |
username_without_domain |
new_ioc_created |
EndpointUser |
domain |
new_ioc_created |
EndpointUser |
uid |
new_ioc_created |
EndpointUser |
reporting_tags |
Trigger condition |
Model |
Variable |
event_created |
Event |
process_path |
event_created |
Event |
parent_process_path |
event_created |
Event |
pretty_command_line |
event_created |
Event |
publisher |
event_created |
Event |
process_md5 |
event_created |
Event |
process_sha256 |
event_created |
Event |
expected_impact |
event_created |
Endpoint |
platform |
event_created |
Endpoint |
endpoint_type |
event_created |
Endpoint |
hostname |
event_created |
Endpoint |
short_hostname |
event_created |
Endpoint |
sensor_group |
event_created |
Endpoint |
reporting_tags |
event_created |
Endpoint |
endpoint_status |
event_created |
Endpoint |
decommissioned? |
event_created |
Endpoint |
days_since_last_checkin |
event_created |
EndpointUser |
username |
event_created |
EndpointUser |
username_without_domain |
event_created |
EndpointUser |
domain |
event_created |
EndpointUser |
uid |
event_created |
EndpointUser |
reporting_tags |
Trigger condition |
Model |
Variable |
external_alert_is_ingested |
ExternalAlert |
external_alert_source_alert_identifier |
external_alert_is_ingested |
ExternalAlert |
external_alert_source_alert_url |
external_alert_is_ingested |
ExternalAlert |
reported_severity |
external_alert_is_ingested |
ExternalAlert |
reported_classification |
external_alert_is_ingested |
ExternalAlert |
native_json_raw |
external_alert_is_ingested |
ExternalAlert |
native_email_raw |
external_alert_is_ingested |
ExternalAlert |
risk_score |
external_alert_is_ingested |
ExternalAlert |
responsible_reviewing_team |
external_alert_is_ingested |
ExternalAlertSource |
name |
external_alert_is_ingested |
ExternalAlertSourcePlatform |
display_name |
external_alert_is_ingested |
ExternalAlertSourcePlatform |
display_category |
Trigger condition |
Model |
Variable |
external_alert_validation_state_change |
ExternalAlert |
validation_state |
external_alert_validation_state_change |
ExternalAlert |
external_alert_source_alert_identifier |
external_alert_validation_state_change |
ExternalAlert |
external_alert_source_alert_url |
external_alert_validation_state_change |
ExternalAlert |
reported_severity |
external_alert_validation_state_change |
ExternalAlert |
reported_classification |
external_alert_validation_state_change |
ExternalAlert |
native_json_raw |
external_alert_validation_state_change |
ExternalAlert |
native_email_raw |
external_alert_validation_state_change |
ExternalAlert |
risk_score |
external_alert_validation_state_change |
ExternalAlert |
responsible_reviewing_team |
external_alert_validation_state_change |
ExternalAlertSource |
name |
external_alert_validation_state_change |
ExternalAlertSourcePlatform |
display_name |
external_alert_validation_state_change |
ExternalAlertSourcePlatform |
display_category |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
external_alert_source_alert_identifier |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
external_alert_source_alert_url |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
reported_severity |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
reported_classification |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
native_json_raw |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
native_email_raw |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
risk_score |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlert |
responsible_reviewing_team |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlertSource |
name |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlertSourcePlatform |
display_name |
external_alert_hasnt_been_correlated_for_24_hours |
ExternalAlertSourcePlatform |
display_category |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
external_alert_source_alert_identifier |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
external_alert_source_alert_url |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
reported_severity |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
reported_classification |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
native_json_raw |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
native_email_raw |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
risk_score |
external_alert_responsible_reviewing_team_changed |
ExternalAlert |
responsible_reviewing_team |
external_alert_responsible_reviewing_team_changed |
ExternalAlertSource |
name |
external_alert_responsible_reviewing_team_changed |
ExternalAlertSourcePlatform |
display_name |
external_alert_responsible_reviewing_team_changed |
ExternalAlertSourcePlatform |
display_category |