Add an Automation Wizard

Automations associate triggers with runbooks, causing a runbook to execute an investigation in response to a trigger, based on user-defined conditional criteria.

An automation is an automated procedure that is executed as the result of a trigger. Automations consist of a single entry point and a sequence of connected nodes that define the processing logic. A trigger is a set of one or more indicators that have been correlated based on certain relationships, such as time, metric type, application affected, location, or network device. A runbook is an automated workflow that executes a series of steps or tasks in response to a triggered event, such as the detection of anomalous behavior generating an incident, a lifecycle event, or a manually executed runbook.

To define a new automation:

  1. Click Add an Automation on the Automation Management page, either after a trigger category (following the cards for the trigger types) or at the top of the list of automations for a trigger type. The Add an Automation wizard appears.

  2. Choose a trigger type from the pulldown menu on the Select Trigger page, then click Next.

    Note: The trigger pulldown is validated for the current trigger category and lists trigger types for that category only (for example, if you're working with incident triggers, the pulldown will not list lifecycle triggers).
  3. Specify one or more conditions that will cause the automation to execute when the conditions are matched, using the condition building tools provided. Click Next when you're finished.

  4. Specify the runbook to execute when the conditions are matched. You can choose an existing runbook or click Create New Runbook to launch the Runbook Editor and define a new runbook. Click Next when you're done specifying the runbook to execute.

  5. On the Finalize Automation page, type a name for the automation and a brief description of it. You must also specify the Order in which the automation will be executed for the trigger type.
    Each automation must have a unique Order number for the trigger type; you cannot have two or more automations for a trigger type with the same Order number. If you create a new automation and assign it Order 1, all existing automations for that trigger type move down one position in the order (i.e., the previous Order 1 will become Order 2, and so forth down the list for that trigger type).
    The first automation that is matched for an incident or lifecycle trigger, according to the defined condition, is the automation that will execute for that trigger type. This means that, when more than one automation is defined for a trigger type, the first in order should have extremely specific and restrictive conditional criteria, with successive automations having increasingly broad and permissive conditional criteria.

  6. Click Submit to complete the definition of the automation.
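
The ordering rule in step 5 behaves like first-match rule evaluation, so a broad automation placed ahead of a specific one silently prevents the specific runbook from ever running. The following Python model is an added illustration, not product code or a product API: the `Automation` class, the trigger field names, the runbook names and the shift-on-insert behavior for Order values other than 1 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Automation:
    name: str
    order: int                          # unique per trigger type
    condition: Callable[[dict], bool]   # stands in for the wizard's condition builder
    runbook: str

def add_automation(automations: list, new: Automation) -> None:
    """Insert `new`; automations at or after its Order move down one position."""
    for a in automations:
        if a.order >= new.order:
            a.order += 1
    automations.append(new)
    automations.sort(key=lambda a: a.order)

def select_automation(automations: list, trigger: dict) -> Optional[Automation]:
    """First match wins: later automations are never consulted."""
    for a in sorted(automations, key=lambda a: a.order):
        if a.condition(trigger):
            return a
    return None

def shadowed(automations: list, samples: list) -> list:
    """Automations that never win for any sample trigger (ordering review aid)."""
    winners = set()
    for t in samples:
        hit = select_automation(automations, t)
        if hit:
            winners.add(hit.name)
    return [a.name for a in automations if a.name not in winners]

# Constructed sample triggers; the field names are hypothetical.
SAMPLES = [
    {"severity": "critical", "application": "payments"},
    {"severity": "low", "application": "intranet"},
]

def build(broad_first: bool) -> list:
    broad = Automation("any-incident", 1, lambda t: True, "Generic triage")
    specific = Automation("critical-payments", 1,
        lambda t: t["severity"] == "critical" and t["application"] == "payments",
        "Payments investigation")
    autos: list = []
    # The automation added last at Order 1 pushes the earlier one to Order 2.
    for a in ([specific, broad] if broad_first else [broad, specific]):
        add_automation(autos, a)
    return autos
```

Running `shadowed(build(broad_first=True), SAMPLES)` reports the specific automation as unreachable, which is the condition to look for when reviewing the Order of automations for a trigger type.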