- Incident Responder Release Notes
- Get Started with Incident Responder
- Configure Incident Responder Settings
- Core Settings
- Analytics Settings
- Configure Services
- Prerequisites for Configuring Incident Responder Microsoft Services with OAuth2.0 Authentication
- Configure the Amazon Elastic Compute Cloud (EC2) Service
- Configure the Anomali ThreatStream API Service
- Configure the Atlassian Jira Service
- Configure the BMC Remedy Service
- Configure the Check Point Firewall Service
- Configure the Cisco AMP for Endpoints Service
- Configure the Cisco Services Engine (ISE) Service
- Configure the Cisco Threat Grid Service
- Configure the Cisco Umbrella Enforcement Service
- Configure the Cisco Umbrella Investigate Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CrowdStrike Falcon Host API Service Service
- Configure the CyberArk Service
- Configure the Cylance Protect Service
- Configure the Exabeam Advanced Analytics Service
- Configure the Exabeam Cloud Search Service
- Configure the Exabeam DL Service
- Configure the FireEye HX Service
- Configure the Fortinet Service
- Configure the Google Gmail Service
- Configure the IntSights Cyber Intelligence Ltd. Service
- Configure the IRNotificationSMTPService Service
- Configure the Microsoft Active Directory (AD) (Latest) Service
- Configure the Microsoft Exchange Service
- Configure the Microsoft Outlook Office 365 Service
- Configure the Microsoft Windows Defender ATP Service
- Configure the Microsoft Windows Management Instrumentation Service
- Configure the Netskope Service
- Configure the Okta Service
- Configure the Palo Alto Networks Firewall Service
- Configure the Palo Alto Networks Wildfire Service
- Configure the Rapid7 insightVM Service
- Configure the SentinelOne Service
- Configure the SentinelOneV2 Service
- Configure the Service Now Service
- Configure the Slack Service
- Configure the SlashNext Service
- Configure the Splunk Service
- Configure the ThreatConnect API Service
- Configure the Urlscan.io API Service
- Configure the VirusTotal Service
- Configure the Zscaler Service
- Test a Service
- Edit a Service
- Disable a Service
- Upload a Custom Service
- Delete a Custom Service
- Create an Email Template for the Notify by Email Action
- Respond to Security Incidents
Create a Playbook Trigger
For a playbook to run automatically, define which circumstances and conditions trigger the playbook. You define a playbook trigger from the PLAYBOOKS page, or when you create or edit a playbook.
You can create a playbook trigger only if you're assigned an Incident Responder seat.
If you manually create an incident, playbooks aren't triggered.
In the sidebar, click PLAYBOOKS
, or create or edit a playbook.Click Add trigger to playbook.:
On the PLAYBOOKS page, select the clock
for an existing playbook in the list.If you're creating or editing a playbook, select the clock
.
Click + Trigger.
Select the situation that triggers the playbook:
Incident Created – When a playbook triggers and creates an incident.
Status Changed – When someone changes an incident's status.
Priority Changed – When someone changes an incident's priority.
Queue Changed – When someone is assigned to another queue.
Assignee Changed – When someone changes who's assigned to an incident.
Incident Type Changed – When an incident's type changes, manually or automatically.
To add a condition to the situation, select + Condition. If the situation occurs and the condition is met, the playbook runs. These conditions are based on incident fields, default or custom.
(Optional) To add another condition, click + ADD.
Click SAVE.