Playbooks: The UserAction Trigger

Last Updated: May 23, 2019 08:22PM EDT
User
A Playbook that has been created

Overview

The Playbooks UserAction Trigger allows ThreatConnect® users to run Playbooks on demand from the Details screen of Indicators, Groups, Tracks, or Victims. This Trigger is contextually aware and user driven, and it allows a customized response (HTTP or Plain Text).

Creating a New UserAction Trigger

  1. On the top navigation bar (Figure 1), click Playbooks to display the Playbooks tab of the Playbooks screen (Figure 2).
  2. Create a new Playbook or open an existing Playbook (see Playbooks), and click the + TRIGGER button on the left-hand side of the Playbook Designer to view all available Triggers (Figure 3).
  3. Select UserAction from the External menu, and a new UserAction Trigger will appear (Figure 4).
  4. Double-click the Trigger, and the Edit Trigger configuration options will appear on the left-hand side of the screen (Figure 5).
    • User Action Name: Enter a name for the Trigger. This name will be displayed on the Playbook Actions card on the Details screen of the object.
    • Type: Use the dropdown menu to select the type(s) of Indicators, Groups, Tracks, or Victims to which the Trigger will apply.
    • Run as current user: When this checkbox is selected, the Playbook will execute under the name of the user who initiated the execution from the Playbook Actions card on the Details screen of an object, rather than the user selected in the “Run As” dropdown list of the Settings menu at the top right of the Playbook Designer.
    • Click the NEXT button.
  5. The configuration options for the Response Body will appear (Figure 6). The Response Body is the message that will display to the user after the Playbook has run.
    • Render as Tip: Select this checkbox to have the text entered in the Body section appear as a pop-up tooltip in the Playbook Actions card on the Details screen for the chosen Indicator(s), Group(s), Track(s), or Victim(s). If this checkbox is not selected, the text will appear in the Status column of the Playbook Actions card.
    • Body: Enter the text (HTTP or Plain Text) that will be the Trigger’s response when it is run.

      NOTE: HTML and Variables can be used in the Response Body.

    • Click the SAVE button.
  6. If the Run as current user checkbox was selected, then the “Run As” dropdown list will be disabled under the Settings menu at the top right of the Playbook Designer and replaced with the text “Overridden by UserAction” (Figure 7).

Example

The Get VirusTotal Results Playbook (Figure 8) employs the UserAction Trigger to display results from VirusTotal on the Details screen for Hosts, URLs, and Addresses. In this example, the Trigger has been named “Get VirusTotal Results.”

To view the results of the Playbook, set the status of the Playbook to Active and then navigate to the Details screen for a Host, URL, or Address Indicator (Figure 9).

The top right of the Overview screen shows the Playbook Actions card. Click the Play button to run the Playbook. Because the Render as Tip checkbox was selected, Playbook results appear as a tooltip (Figure 10). In this figure, the Escalate Playbook was also run. For the Escalate Playbook's Trigger, the Render as Tip checkbox was not selected, so the “Escalated!” response appears in the Status column instead of as a tooltip.

20055-03 EN Rev. A
