Automation Rules
Use the Automation Rules tab to view the rules that have been created, the type of rule, who created the rule, and when it was last modified.
Manage Rules
-
To modify an existing rule, click the name of the rule.
-
Click the Off/on toggle switch to enable or disable the rule. If an enabled rule is showing a Started-polling status in the associated workflow's properties, then when you disable the rule, its status changes to Stopped-polling.
-
Click the
(Ellipsis) icon in the Actions column and Delete to delete a rule, which will also remove it as a trigger from any workflow associated with the rule.
Rule Type
For rules of incident type, you have the option to group them together and arrange them in order of priority.
Incident Rules
Under Rule Type, click Incident Rules to view two tables:
The top table, Priority Incident Rules, lists the rules of incident type that have been prioritized.
The bottom table, Standalone Incident Rules, lists rules of incident type that have not been prioritized.
-
You can reorder the rules by dragging and dropping them or by using the Actions menu to move them up or down. This top-down order allows higher-priority rules to be evaluated, and their associated workflows can be triggered, before others.
-
It's possible for a single event to trigger multiple rules, if the conditions in those rules are met. So by prioritizing rules in a group, you also gain the option to stop processing additional rules. This helps avoid having multiple rules and their associated workflows be triggered by the same event.
-
Stop processing - If you don't want to process any rules listed under this rule in the priority list, switch this toggle on to stop further processing.
-
To verify that the rules are executing by design, you can look for their workflow executions on the Runs page, or go to the Workflows page and click View Runs for the workflow in question. Note that rule priority will not work if you have multiple rules assigned to the same workflow.
-
The maximum number of incident rules that can be prioritized is 25.
For more information, see the Incident Rule Help topic.
Other Rules
Under Rule Type, click Other Rules to list all other types of rules.
-
To find a specific rule, enter a keyword or name in the Search text box.
-
You can also select the type of rule you want displayed in the table from the Type drop-down list.
Configure Rules
To add a trigger to a workflow, configure a new or existing rule and associate it with the workflow.
-
Choose Automate > Triggers in the navigation menu
-
In the Automation Rules tab, click Add Automation Rule to create a new rule.
-
In the General section, click the Type drop-down list and choose one type of rule:
-
(Optional) You can limit when a rule's workflows would be run by adding a condition to the rule in which you specify a calendar. Then, only events that happen within (or outside of) this window and pattern of time can trigger the rule to execute its associated workflows. When creating or editing the rule, add a condition with the following:
Property - Choose a date-time field such as Timestamp or Event Received Time.
Comparison - Choose either During or Not During to check whether the date-time is within or outside of the parameters defined in the calendar.
Value - Choose a previously-configured or new calendar.
Note: When configuring rules, keep in mind that it is possible for a single event to trigger multiple rules, if the conditions in those rules are met. We recommend that you configure exclusive rules to avoid having multiple rules and their associated workflows be triggered by the same event.
Workflow Properties
After you enable or create a rule, it is displayed in the Automation Rules section of the associated workflow's properties.
Open the workflow in the Workflow Editor, and scroll down the Workflow Properties until you see Automation Rules.
You can click on the rule name to view or edit and save the rule. You can click a rule's toggle switch to turn the rule-workflow association either on or off. When a rule's toggle switch is clicked to on, the association between the rule and this workflow is activated, so that this workflow is enabled to automatically run when the rule conditions are met.
The table below shows the possible statuses of the legacy triggers that have been deprecated and what they mean.
| Status | Description |
|---|---|
| Created | The trigger was created but has not started listening for events yet. |
| Started-polling | The trigger is running normally and waiting for events. |
| Stopped-polling | The trigger is disabled. |
| Paused-polling | The trigger is paused due to rate-limiting. |
| Errored | The trigger encountered an error and is not running. This could be due a configuration issue with the trigger or related targets. Verify the configuration and try disabling/re-enabling the trigger. |
| Update-in-progress | A change has been made to the trigger and is currently being saved. |
| Disabled | The trigger is disabled. |
Workflow Status
In order for an associated workflow to run, the workflow must be in a valid state (the validation button should say Validated in the Workflow Editor).
The status of an executed workflow, such as when it started and failed or completed, gets added to Incidents > View Incident Detail > Worklog > Notes. For example:
Thresholds and Limits
The system automatically aggregates the number of times external triggers are used across workflows.
External events can trigger workflows up to 5,000 times per day (within each 24-hour period based on UTC time). This threshold is cumulative across all external event type triggers. When 90% of the daily limit is reached, you receive a notification in the XDR header. This limit does not apply to other workflow execution methods such as clicking the Run button or using a schedule.