The UserAction Trigger
- Updated on 11 Jan 2024
Overview
A Trigger is an event that initiates the actions defined within a Playbook. The UserAction Trigger in ThreatConnect® allows you to run Playbooks on demand from the Details screen of Groups, Indicators, Intelligence Requirements (IRs), Tracks, and Victims. You can also run UserAction Trigger–based Playbooks for Indicators while using Threat Graph. This Trigger is contextually aware and user driven, and it allows a customized response.
Before You Start
| Minimum Role(s) | |
|---|---|
| Prerequisites | Playbooks enabled by a System Administrator |
Creating a New UserAction Trigger
- On the top navigation bar, click Playbooks to display the Playbooks screen.
- Create a new Playbook or open an existing one.
- Click Triggers on the side navigation bar of the Playbook Designer to view all available Triggers (Figure 1).
- Select UserAction from the External menu to add a UserAction Trigger to the design pane (Figure 2).
  - Hashtag icon: Hover the cursor over this icon at the upper-left corner of the Trigger in the design pane to display a scrollable list of output variables, which are values that the Trigger can send to other Apps and Operators.
  - Information icon: Hover the cursor over this icon at the upper-left corner of the Trigger in the design pane to display the object type(s) configured to run the Trigger, the Trigger’s timeout length, and whether the Run as current user checkbox is selected.
  - Menu icon: Click this icon at the upper-right corner of the Trigger box to display a menu with options to edit, disable, clone, or delete the Trigger.
- Double-click the Trigger. The Configure section of the Edit Trigger pane will be displayed on the left side of the screen (Figure 3).
  Note: Click the Display Documentation icon at the upper-right corner of the Edit Trigger pane to view information about the Trigger, including a description of the Trigger, its input parameters, and its output variables.
  - User Action Name: Enter a name for the Trigger. This name will be displayed on the Playbook Actions card of the Details screen for the object type(s) selected from the Type dropdown menu.
  - Type: Select the type(s) of objects that can use the Trigger. Available object types include all Group types, all Indicator types, IRs, Tracks, and Victims.
  - Timeout: By default, the Trigger’s timeout length (that is, the amount of time the Trigger can run before timing out) is set to 5 minutes. Click in the box to edit this value, if desired.
  - Run as current user: Select this checkbox to execute the Playbook under the name of the user that initiated the execution from the Playbook Actions card on the Details screen of an object rather than the user selected in the Run As dropdown list of the Settings menu at the upper-right corner of the Playbook Designer.
    Note: If you select the Run as current user checkbox, the Run As dropdown list will be disabled under the Settings menu at the upper-right corner of the Playbook Designer and replaced with the text “Overridden by UserAction.”
- Click the NEXT button.
- The Response Body section of the Edit Trigger pane will be displayed (Figure 4). The Response Body is the message you will see after the Playbook execution is complete.
  - Render as Tip: Select this checkbox to display the text entered in the Body section as a pop-up tooltip in the Playbook Actions card on the Details screen after the Playbook execution is complete. If this checkbox is not selected, the text will be displayed in the Status column of the Playbook Actions card.
  - Body: Enter the text that will be the Trigger’s response when it is run.
    Note: You can use variables in the Response Body parameter.
- Click the SAVE button.
Now you can continue to build out and then execute the Playbook.
Example Playbook
The Get VirusTotal Results Playbook (Figure 5) includes a UserAction Trigger configured for File Indicators. After setting the Playbook’s status to Active, you can execute the Playbook from a File Indicator’s Details screen and view VirusTotal™ results on this screen. In this example, the Trigger is named “Get VirusTotal Results.”
Executing the Playbook
Details Screen
If viewing the new Details screen for a File Indicator, click Run playbook in the Playbooks card (Figure 6) on the right side of the Overview tab to execute the Playbook. A message stating “Starting playbook...” will be displayed at the lower-left corner of the screen.
If viewing the legacy Details screen for a File Indicator, click Run in the Playbooks Actions card (Figure 7) at the top right of the Overview tab to execute the Playbook.
If the Trigger's Render as Tip checkbox was selected, the results of the Playbook’s execution will be displayed as a tooltip in the card. Otherwise, only a status of Completed will be displayed in the Status column for the Playbook. For more information about how statuses are displayed on each card, see the “Playbooks with a UserAction Trigger” section of Executing a Playbook.
Threat Graph
If viewing the File Indicator in Threat Graph, you can execute the Playbook from the File Indicator node’s contextual menu or the Details table. For further instruction on executing Playbooks in Threat Graph, see Running Playbooks in Threat Graph.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
20055-01 v.08.A