# Conditions Native Action
## Overview

The Conditions native action lets you introduce if/else logic into your playbooks, executing different paths based on the evaluation of specific criteria. It supports the customization and automation of playbooks by visually representing decision-making flows.

### Key concepts

- **Condition**: a set of criteria that, when evaluated, determines which path the workflow follows.
- **True path (if)**: the path executed when a condition evaluates to true.
- **False path (else)**: the optional path executed when no conditions evaluate to true.
- **Condition builder**: the visual interface for creating and configuring conditions.

## Getting started

### Prerequisites

Before using the Conditions native action, ensure you have:

- access to playbook creation and editing;
- an understanding of your data structure and the available properties;
- basic knowledge of the playbook workflow.

### Steps to add and configure a condition

1. From the Add panel, drag and drop the Condition action onto the playbook canvas. The True and False branches appear automatically.
2. Click **Edit condition** to open the window in which you enter the logic for your conditional statement.
3. If your data contains sensitive information, mark it as sensitive by selecting the **Contains sensitive data** checkbox. The data is then shown neither in the UI nor in the logs.
4. Click **Apply** to save your changes.

### True and false logic

When you drag and drop a Condition native action onto the playbook canvas, the True and False flows are displayed automatically:

- **True (if)**: if the condition is met, the workflow follows the True path.
- **False (else)**: if the condition is not met, the workflow follows the False path.

## Using the condition builder

The condition builder provides a visual interface for creating conditions. Follow these steps to create your first condition:

1. In the playbook area, drag and drop the condition builder into your workflow.
2. In the right-side menu, click the **Edit condition** option; this opens the condition builder dialog box.
3. In the dialog box, click **Create your first condition** to begin configuration.
4. From the options on the right-hand side of the dialog, choose a property to evaluate.
5. Open the **Operator** dropdown and select an operator based on your needs.

   > **Note:** the new conditions **is defined** and **is not defined** are available in the condition builder, enabling you to check whether a specific field has a value or is empty:
   >
   > - **is defined** verifies that a field is filled or contains valid data;
   > - **is not defined** identifies fields that are empty or missing.
   >
   > These conditions are particularly valuable for rules where the presence or absence of data is crucial, such as validating inputs or filtering results.

   You can also choose from other operators based on the property's data type (see the [Available comparison operators](#available-comparison-operators) section for a complete list).
6. If the operator requires a comparison value, enter it in the provided field.
7. Save the condition and test it within your playbook to ensure it operates as intended.

### Your first condition example

Here is a simple example to get started.

**Goal:** route high-severity incidents to a different action path.

1. Drag and drop the Condition action onto your playbook canvas.
2. Click **Edit condition**.
3. Click **Create your first condition**.
4. Select the property `severity`.
5. Choose the operator **is equal to**.
6. Enter the value `high`.
7. Click **Apply** to save.
8. Configure the True path to execute your high-priority action.
9. Optionally, configure an Else path for other severities.
10. Test the condition with sample data.

## Common use cases

### Use case 1: severity-based routing

Route incidents to different teams based on severity level.

Configuration:

- Condition 1: `severity == "critical"` → critical response team
- Condition 2: `severity == "high"` → high priority team
- Condition 3: `severity == "medium"` → standard team
- Else: low priority queue

### Use case 2: time-based actions

Execute different actions based on when an incident was created.

Configuration:

- Condition 1: `createdAt` is in the previous 1 hour → immediate response
- Condition 2: `createdAt` is in the previous 24 hours → standard response
- Else: archive and review

### Use case 3: status validation

Ensure incidents meet certain criteria before processing.

Configuration:

- Condition group (AND): `status == "open"` AND `assignedTo is not null` AND `priority > 5`
- True path: process incident
- Else: queue for assignment

### Use case 4: threat detection

Trigger automated responses for security threats.

Configuration:

- Condition group (AND): `category == "security"` AND (`severity == "high"` OR `severity == "critical"`) AND `indicators contains "malicious-domain.com"`
- True path: automated containment
- Else: standard investigation

### Use case 5: data validation

Validate data before processing to prevent errors.

Configuration:

- Condition: `requiredField is defined` AND `email matches <regex pattern>`
- True path: process data
- Else: send validation error

## How conditions work

### Basic flow

When a Condition action executes, it evaluates one or more conditions sequentially:

1. If a condition evaluates to true, the workflow follows the associated action path.
2. If no conditions evaluate to true and an Else path is configured, the workflow follows the Else path.
3. If no conditions match and no Else path is configured, the Condition action completes without executing any path.

### Evaluation order

- Conditions are evaluated in the order in which they are configured.
- The first condition that evaluates to true determines the path taken.
- Once a match is found, subsequent conditions are not evaluated.

## Multiple conditions behavior

### Understanding multiple conditions

A single Condition action can contain multiple conditions, and each condition can route to a different action path.

**Important:** multiple conditions behave like an if / else-if / else chain:

- conditions are evaluated sequentially from first to last;
- the first condition that evaluates to true determines the path;
- once a condition matches, evaluation stops (no further conditions are checked);
- if no conditions match, the Else path is taken (if configured).

### Example: multiple conditions

Scenario: route incidents based on severity level.

- Condition 1: if `severity == "critical"` → execute the "critical response" action
- Condition 2: if `severity == "high"` → execute the "high priority response" action
- Condition 3: if `severity == "medium"` → execute the "standard response" action
- Else: execute the "low priority response" action

Execution flow:

- If severity is "critical", only Condition 1 is evaluated, and it matches.
- If severity is "high", Condition 1 is evaluated (false), then Condition 2 is evaluated and matches.
- If severity is "low", all three conditions are evaluated (all false), then the Else path is taken.

### When to use multiple conditions

Use multiple conditions when you need to:

- route to different actions based on different values of the same property;
- create priority-based routing (e.g., high → medium → low);
- handle multiple discrete cases that don't require complex logic.

## Available comparison operators

The condition builder provides different operators based on the data type of the property being evaluated. Operators are automatically filtered based on the selected property's type.

### Base operators (available for all types)

These operators are available regardless of the data type.

| Operator | Description | Use case |
| --- | --- | --- |
| is null | Checks if the property value is null | Validating required fields, checking for missing data |
| is not null | Checks if the property value is not null | Ensuring data exists before processing |

### String operators

Available when evaluating string properties.

| Operator | Description | Case sensitive | Use case |
| --- | --- | --- | --- |
| is equal to | Exact string match | Yes | Matching exact values like status codes |
| is equal to (case insensitive) | Exact string match ignoring case | No | Matching values regardless of capitalization |
| is not equal to | String does not match | Yes | Excluding specific values |
| is not equal to (case insensitive) | String does not match ignoring case | No | Excluding values regardless of case |
| matches | Regular expression pattern match | Yes | Pattern matching, validation |
| matches (case insensitive) | Regular expression pattern match ignoring case | No | Case-insensitive pattern matching |
| does not match | Regular expression pattern does not match | Yes | Excluding patterns |
| does not match (case insensitive) | Regular expression pattern does not match ignoring case | No | Case-insensitive pattern exclusion |
| is defined | Checks if the property has a value (not null, not undefined, not empty) | N/A | Validating field presence |
| is not defined | Checks if the property is empty or missing | N/A | Checking for missing or empty fields |

### Numeric operators

Available when evaluating numeric properties.

| Operator | Description | Use case |
| --- | --- | --- |
| is equal to | Exact numeric match | Matching specific numeric values |
| is not equal to | Numeric value does not match | Excluding specific values |
| is greater than | Value is greater than the comparison value | Threshold checks, minimum requirements |
| is greater than or equal to | Value is greater than or equal to the comparison value | Inclusive threshold checks |
| is less than | Value is less than the comparison value | Maximum limits, upper bounds |
| is less than or equal to | Value is less than or equal to the comparison value | Inclusive maximum limits |
| is defined | Checks if the property has a numeric value | Validating numeric field presence |
| is not defined | Checks if the property is empty or missing | Checking for missing numeric values |

### Date/time operators

Available when evaluating date/time properties.

| Operator | Description | Use case |
| --- | --- | --- |
| is equal to | Exact date/time match | Matching specific dates/times |
| is not equal to | Date/time does not match | Excluding specific dates/times |
| is after | Date/time is after the comparison value | Future date checks, expiration validation |
| is on or after | Date/time is on or after the comparison value | Inclusive future date checks |
| is before | Date/time is before the comparison value | Past date checks, creation date validation |
| is on or before | Date/time is on or before the comparison value | Inclusive past date checks |
| is sometime in the past | Date/time is in the past (relative) | General past date validation |
| is in the previous | Date/time is within a previous time period (e.g., "last 5 minutes") | Recent past events, time windows |
| is sometime in the future | Date/time is in the future (relative) | General future date validation |
| is in the next | Date/time is within a future time period (e.g., "next 5 minutes") | Upcoming events, time windows |
| is defined | Checks if the property has a date/time value | Validating date/time field presence |
| is not defined | Checks if the property is empty or missing | Checking for missing date/time values |

### Boolean operators

Available when evaluating boolean properties.

| Operator | Description | Use case |
| --- | --- | --- |
| is true | Property value is true | Checking for true conditions, flags |
| is false | Property value is false | Checking for false conditions, negated flags |
| is defined | Checks if the property has a boolean value | Validating boolean field presence |
| is not defined | Checks if the property is empty or missing | Checking for missing boolean values |

### String array operators

Available when evaluating string array properties.

| Operator | Description | Case sensitive | Use case |
| --- | --- | --- | --- |
| contains | Array contains the specified string | Yes | Checking if an array includes a value |
| contains (case insensitive) | Array contains the specified string ignoring case | No | Case-insensitive array membership check |
| does not contain | Array does not contain the specified string | Yes | Excluding arrays with specific values |
| does not contain (case insensitive) | Array does not contain the specified string ignoring case | No | Case-insensitive exclusion check |
| is defined | Checks if the property has an array value | N/A | Validating array field presence |
| is not defined | Checks if the property is empty or missing | N/A | Checking for missing array values |

### Numeric array operators

Available when evaluating numeric array properties.

| Operator | Description | Use case |
| --- | --- | --- |
| contains | Array contains the specified number | Checking if an array includes a numeric value |
| does not contain | Array does not contain the specified number | Excluding arrays with specific numeric values |
| is defined | Checks if the property has an array value | Validating array field presence |
| is not defined | Checks if the property is empty or missing | Checking for missing array values |

### Object operators

Available when evaluating object properties.

| Operator | Description | Use case |
| --- | --- | --- |
| equals | Deep equality comparison of objects | Comparing complex objects |
| not equals | Objects are not equal | Excluding specific object structures |
| is defined | Checks if the property has an object value | Validating object field presence |
| is not defined | Checks if the property is empty or missing | Checking for missing object values |

### String list operators

Available when evaluating properties that can match against a list of strings.

| Operator | Description | Case sensitive | Use case |
| --- | --- | --- | --- |
| is equal to | Value matches one of the list items | Yes | Matching against predefined lists |
| is equal to (case insensitive) | Value matches one of the list items ignoring case | No | Case-insensitive list matching |
| is not equal to | Value does not match any list item | Yes | Excluding values from a list |
| is not equal to (case insensitive) | Value does not match any list item ignoring case | No | Case-insensitive list exclusion |

## Condition groups and AND/OR logic

### Understanding condition groups

Condition groups allow you to combine multiple criteria within a single condition using AND/OR logic. This is different from multiple conditions, which use sequential if/else logic.

### Condition groups vs. multiple conditions

| Feature | Multiple conditions | Condition groups |
| --- | --- | --- |
| Logic type | Sequential if / else-if / else | AND/OR boolean logic |
| Evaluation | First match wins, stops evaluation | All criteria evaluated together |
| Use case | Routing to different actions | Complex validation requiring multiple criteria |
| Structure | Separate conditions, each routing to a different action | Single condition with grouped criteria |

### AND logic

When using AND logic, all criteria in the group must evaluate to true for the condition to be true.

Example:

```
Condition group (AND):
  severity == "high" AND
  status == "open" AND
  priority > 5
→ all three must be true for the condition to match
```

### OR logic

When using OR logic, any criterion in the group that evaluates to true makes the condition true.

Example:

```
Condition group (OR):
  severity == "critical" OR
  severity == "high" OR
  priority > 8
→ any one being true makes the condition match
```

### Combining AND and OR

You can create nested condition groups to combine AND and OR logic.

Example:

```
Condition group (AND):
  (severity == "high" OR severity == "critical") AND
  status == "open" AND
  (priority > 5 OR assignedTo != null)
```

This condition matches when severity is high or critical, and status is open, and either priority is greater than 5 or the incident is assigned.

### When to use condition groups

Use condition groups when you need to:

- validate multiple criteria simultaneously;
- create complex boolean logic;
- ensure that all criteria must be met (AND) or that any criterion can be met (OR).

Use multiple conditions when you need to:

- route to different actions based on different values;
- create priority-based routing;
- handle discrete cases.

## Limitations

- **Sequential evaluation only**: conditions are evaluated sequentially, not in parallel, and evaluation stops at the first match.
- **No loops**: conditions cannot create loops or recursive logic; each condition evaluates once per execution.
- **Property access**: only properties available in the current playbook context can be evaluated; nested properties require proper path notation.
- **Operator availability**: operators are filtered based on data type, so some operators may not be available for all data types.
- **Complex expressions**: complex calculations should be done in transformation actions before conditions; conditions are best for simple comparisons and validations.
- **Performance**: large numbers of conditions may impact performance; consider breaking complex logic into multiple Condition actions.
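The rules described above (sequential first-match-wins evaluation with an Else path, nested AND/OR condition groups, relative time windows, and the difference between **is not null** and **is defined** from the operator tables) as an added Python model that is not the platform's own engine and not code from this page. It covers the multiple-conditions example, use cases 1, 2 and 4, and the condition-group section in one place. The tuple/dict representation of criteria, the dotted path notation for nested properties, the fixed `NOW` clock, and the sample incidents (including the indicator value `malicious-domain.com`) are all constructed assumptions for the illustration.

```python
"""Toy model of the Conditions native action semantics described on this page.

Added, hypothetical example, not the platform's own engine. A criterion is a tuple
("property", "operator", value), value omitted for unary operators; a condition group
is {"and": [...]} or {"or": [...]} and may nest. Operator names follow the page's tables;
dotted path notation for nested properties is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

# Fixed clock (constructed) so the relative date/time operators are deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

def is_defined(v):
    """'is defined' as the page describes it: not null, not undefined, not empty."""
    return v is not None and v != "" and v != [] and v != {}

def get_path(ctx, path):
    """Resolve "incident.severity"-style paths; a missing key reads as undefined (None)."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

# Each operator takes (actual property value, comparison value) and returns a bool.
OPERATORS = {
    "is not null": lambda a, _: a is not None,
    "is defined": lambda a, _: is_defined(a),
    "is not defined": lambda a, _: not is_defined(a),
    "is equal to": lambda a, b: a == b,
    "is equal to (case insensitive)": lambda a, b: isinstance(a, str) and a.lower() == b.lower(),
    "is not equal to": lambda a, b: a != b,
    "matches": lambda a, b: isinstance(a, str) and re.search(b, a) is not None,
    "is greater than": lambda a, b: a is not None and a > b,
    "contains": lambda a, b: isinstance(a, list) and b in a,
    # Relative window: the comparison value is a timedelta measured back from NOW.
    "is in the previous": lambda a, b: a is not None and NOW - b <= a <= NOW,
}

def evaluate(criteria, ctx):
    """Evaluate one criterion or a (nested) AND/OR condition group against the context."""
    if isinstance(criteria, dict):  # condition group: AND needs all, OR needs any
        (kind, members), = criteria.items()
        return (all if kind == "and" else any)(evaluate(m, ctx) for m in members)
    prop, op, *rest = criteria  # single criterion
    return OPERATORS[op](get_path(ctx, prop), rest[0] if rest else None)

def run_condition_action(conditions, ctx, else_path=None):
    """Sequential if / else-if / else: the first matching condition wins and evaluation
    stops there. Returns (path taken, trace of every condition actually evaluated)."""
    trace = []
    for criteria, path in conditions:
        matched = evaluate(criteria, ctx)
        trace.append((path, matched))
        if matched:
            return path, trace
    return else_path, trace

USE_CASES = {
    # Use case 1 / the multiple-conditions example: first matching severity wins.
    "severity": ([
        (("severity", "is equal to", "critical"), "critical response"),
        (("severity", "is equal to", "high"), "high priority response"),
        (("severity", "is equal to", "medium"), "standard response"),
    ], "low priority response"),
    # Use case 2: relative time windows, checked from narrowest to widest.
    "age": ([
        (("createdAt", "is in the previous", timedelta(hours=1)), "immediate response"),
        (("createdAt", "is in the previous", timedelta(hours=24)), "standard response"),
    ], "archive and review"),
    # Use case 4: a single condition holding a nested AND/OR group.
    "threat": ([
        ({"and": [
            ("category", "is equal to", "security"),
            {"or": [("severity", "is equal to", "high"), ("severity", "is equal to", "critical")]},
            ("indicators", "contains", "malicious-domain.com"),  # constructed sample indicator
        ]}, "automated containment"),
    ], "standard investigation"),
}

def route(use_case, incident):
    """Run one configured Condition action; returns (path taken, evaluation trace)."""
    conditions, else_path = USE_CASES[use_case]
    return run_condition_action(conditions, incident, else_path)

if __name__ == "__main__":
    for inc in ({"severity": "critical"}, {"severity": "high"}, {"severity": "low"}):
        path, trace = route("severity", inc)  # "low" evaluates all three, then takes Else
        print(f"{inc['severity']:>8} -> {path!r}; evaluated {len(trace)} condition(s)")
    print(route("age", {"createdAt": NOW - timedelta(hours=5)})[0])
    print(route("threat", {"category": "security", "severity": "critical",
                           "indicators": ["malicious-domain.com"]})[0])
    # 'is not null' and 'is defined' disagree on an empty string.
    print(evaluate(("assignedTo", "is not null"), {"assignedTo": ""}),
          evaluate(("assignedTo", "is defined"), {"assignedTo": ""}))
```

The trace returned by `run_condition_action` makes the first-match rule visible: a "low" incident evaluates all three severity conditions before falling through to the Else path, while a "critical" one evaluates only the first. The same rule is why the time-based use case lists the 1-hour window before the 24-hour window; in the reverse order the wider window would match first and the "immediate response" path could never be taken. The last two prints show the operator-table distinction that use case 5 relies on: an empty string passes **is not null** but fails **is defined**, so presence checks on user-supplied fields should use **is defined**.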