Alert triggers

Alert triggers run workflows automatically when detection or alerting rules generate an alert. Use alert triggers for alert enrichment, automated incident response, case creation, or notification routing.

When an alert triggers your workflow, it provides rich context data through the event field.

To set up an alert trigger, follow these steps:

  1. Define an alert trigger

    Create a workflow with an alert trigger:

    name: Security Alert Response
    description: Enriches and triages security alerts
    enabled: true
    triggers:
      - type: alert
    steps:
      ....
    		
  2. Configure the alert rule

    After creating your workflow, configure your alert rule to trigger it.

    For an alerting rule:

    1. Find Rules in Stack Management or by using the global search field.
    2. Find or create the alerting rule you want to trigger the workflow.
    3. Edit the rule settings and in the Actions section, click Add action.
    4. Select Workflows.
    5. Select your workflow from the dropdown or create a new one. You can only select enabled workflows.
    6. Choose whether to run separate workflows for each generated alert.
    7. Optionally, click Add action to configure multiple workflows.
    8. Create or save the rule.

    For a detection rule (SIEM):

    1. Find Detection rules (SIEM) in the navigation menu or by using the global search field.
    2. Find or create the detection rule you want to trigger the workflow.
    3. Edit the rule settings and in the Actions section, select Workflows.
    4. Select your workflow from the dropdown or create a new one. You can only select enabled workflows.
    5. Choose whether to run separate workflows for each generated alert.
    6. Optionally, click Add action to configure multiple workflows.
    7. Create or save the rule.

When the configured rule generates an alert, your workflow automatically executes with the alert context.