Playbooks: The UserAction Trigger

Last Updated: Nov 20, 2018 02:13PM EST


The Playbooks UserAction Trigger allows ThreatConnect® users to run Playbooks on demand from the Details screen of Indicators, Groups, Tracks, or Victims. This Trigger is contextually aware and user driven, and it allows a customized response (HTTP or Plain Text).

Creating a New UserAction Trigger

  1. On the top navigation bar (Figure 1), click PLAYBOOKS to display the Playbooks screen (Figure 2).
  2. Create a new Playbook or open an existing Playbook (see Playbooks) and navigate to the Trigger menu on the left-hand side of the Playbook Designer (Figure 3).
  3. Select UserAction from the External menu, and a new UserAction Trigger will appear (Figure 4).
  4. Double click the Trigger, and the Edit Trigger: UserAction configuraton options will appear on the left-hand side of the screen (Figure 5).
  5. To view the Display Notes, which include a description of what the Trigger does and definitions of its input parameters and output variables, toggle the Display Notes slider at the top right (Figure 6). To hide the Display Notes, toggle the slider again.
  6. Enter a name for the Trigger in the User Action Name field, and then, under the Type field, use the dropdown menu to select the Indicators, Groups, Tracks, or Victims to which it will apply. Multiple types may be chosen. Click the NEXT button to configure the Response Body (Figure 7).
  7. In the Body section, enter the text (HTTP or Plain Text) that will be the Trigger's response when it is run. Click the Render as Tip checkbox to have the text entered in the Body section appear as a pop-up tooltip in the Playbook Actions card on the Details screen for the chosen Indicator(s), Group(s), Track(s), or Victim(s).
    NOTE: HTML can be used in the Response Body.
  8. Click the SAVE button.


The Get VirusTotal Results Playbook (Figure 8) employs the UserAction Trigger to display results from VirusTotal on the Details screen for Hosts, URLs, and Addresses. In this example, the Trigger has been named Get VirusTotal Results.

To view the results of the Playbook, set the status of the Playbook to Active and then navigate to the Details screen for a Host, URL, or Address Indicator (Figure 9).

  1. >

The top right of the Overview screen shows a card called Playbook Actions. Click the Play button to run the Playbook. Because the Render as Tip checkbox was selected, Playbook results appear as a tooltip (Figure 10).

20055-02 EN Rev. A

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found