This condition evaluates to True when it finds databases with triggers that have been created within the past hour.
The results returned are the number of triggers in a database that meet the condition (Value) and the name of the database that contains the newly created triggers (Key).
If the condition evaluates to True, run the following query against the database(s) in the result set to get a list of all triggers created today:
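-- List every trigger in the current database created since midnight today.
SELECT t.[name] AS [trigger name],
       t.is_instead_of_trigger AS [is instead of],
       SCHEMA_NAME(s.schema_id) AS [parent schema],
       OBJECT_NAME(t.parent_id) AS [parent object],
       o.type_desc AS [parent type],
       t.create_date
FROM sys.triggers t
-- LEFT JOINs keep database-level DDL triggers (parent_id = 0), which have
-- no parent object; their parent columns are returned as NULL.
LEFT JOIN sys.objects o
    ON o.object_id = t.parent_id
LEFT JOIN sys.schemas s
    ON o.schema_id = s.schema_id
WHERE t.create_date >= (SELECT CONVERT(DATE, GETDATE()))
ORDER BY t.create_date DESC;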
An Execute SQL action can also be used to automatically email a list to you.
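One way to write the T-SQL for such an Execute SQL action, as an added example that is not SentryOne's own code: it sends mail only when the database it runs in has triggers created today. It assumes Database Mail is already configured; the mail profile name and recipient address are placeholders.

```sql
-- Added example. Run in the database returned as the Key by the condition.
-- Assumptions: Database Mail is configured in msdb; the profile name and
-- recipient below are placeholders to replace with your own values.
DECLARE @db sysname = DB_NAME();
DECLARE @subject nvarchar(255) =
    N'Triggers created today on ' + @@SERVERNAME + N' / ' + @db;

-- Query run by Database Mail. parent_class_desc separates table/view (DML)
-- triggers from database-level DDL triggers, which have no parent object.
DECLARE @query nvarchar(max) = N'
SET NOCOUNT ON;
SELECT t.[name]            AS [trigger name],
       t.parent_class_desc AS [scope],
       ISNULL(SCHEMA_NAME(o.schema_id) + ''.'' + o.[name], ''(database)'') AS [parent],
       t.is_disabled,
       t.create_date,
       t.modify_date
FROM sys.triggers AS t
LEFT JOIN sys.objects AS o
    ON o.object_id = t.parent_id
WHERE t.create_date >= CONVERT(DATE, GETDATE())
ORDER BY t.create_date DESC;';

-- Send nothing when there is nothing to report.
IF EXISTS (SELECT 1
           FROM sys.triggers
           WHERE create_date >= CONVERT(DATE, GETDATE()))
BEGIN
    EXEC msdb.dbo.sp_send_dbmail
         @profile_name               = N'PLACEHOLDER_MAIL_PROFILE',
         @recipients                 = N'dba-team@example.com',
         @subject                    = @subject,
         @query                      = @query,
         @execute_query_database     = @db,
         @attach_query_result_as_file = 0,
         @query_result_width         = 200;
END;
```

The account that runs the action needs permission to execute msdb.dbo.sp_send_dbmail (membership in the DatabaseMailUserRole role in msdb).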
See Also:
https://docs.sentryone.com/help/github-advisory-conditions