The trigger is the starting point that is initiated when the playbook is run & it cannot be deleted.
i) New Risk
User can likewise trigger playbook conditions automatically when risk is generated, so in “New Risk” you need to specify for which risk playbook should be triggered such as:
- Risk status: Alert status for which you want to trigger this playbook (pass or fail).
- Cloud account: Select a cloud account from the selector or type cloud account ID for which this playbook should trigger if a risk is generated
- Services: Define services that need to be checked.
- Resources: Define resources for which you want to trigger this playbook
- Tags: Tag is used to targeting resources that have the mentioned tag when a new risk is detected. Tags can be in key-value pairs e.g “department=HR” or single tag e.g HR.
- Signature: Define signature(s) (a type of violation) for which you want to trigger this playbook e.g selecting AWS-S3:001 “Bucket Versioning should be enabled” will only trigger this playbook when an AWS S3 Bucket is detected to not have versioning enabled.
Note: After setting the ‘New Risk‘ trigger, you must enable playbook status for it to be triggered automatically when risks are detected.
In the below image, when a new risk is found in service “AWS S3” for signature “S3 Bucket versioning” and in the resource input field, we have not defined any resource so this playbook will include all resources defined in the mentioned cloud account.
However, you can define one or more resources explicitly if you want. But is recommended to leave the resource input field empty. So, if any S3 bucket is detected to not have versioning enabled then this playbook will be automatically triggered
ii) Manual Trigger
If you don’t want to run playbook automatically use a manual trigger and it’s executed when the playbook is run manually by clicking on the button “Run Playbook” In the below example, we have added a manual trigger and it’s executed when the playbook is run manually
iii) Schedule Trigger
You can set the Schedule trigger in two ways:
You can initiate the playbook based on a time interval. Interval criteria:
- Every hour: Trigger the workflow every hour
It’s based on a 24-hour clock, it implies that if you saved a playbook at 4:55 PM scheduled to run hourly then it will run the playbook the first time at 5:00 PM, not at 5:55 PM and the next trigger will be at 6 PM.
- Every day: Trigger the playbook every day
It’s triggered every day as soon as the clock hits 12:00 AM
- Every week: Trigger the playbook every week
It’s triggered at the end of the week, which means every Sunday at 12:00 AM
Note: After setting schedule trigger, you must enable playbook status
If you want to trigger the playbook at a specific time then you can use CRON & you can also simply perform certain actions through the CRON script for instance if you enter in the CRON field, you input:
0 8,9,10 * * *
This expression in English means at “At minute 0 past hour 8, 9, and 10”. So the playbook will run at the scheduled time.
There are 3 more slots after the ’10’. Those slots are for (in order) the day of the month, the month, and the day of the week. So in this example, it would run every day of the month, every month, and every day of the week. To know more about CRON, click here.
Note: All time are in UTC