Skip to main content
All CollectionsPlaybook Guide
Playbooks - Decision Node
Playbooks - Decision Node
Ali Murtaza avatar
Written by Ali Murtaza
Updated over 8 months ago

The playbook contains a series of Actions that execute in a sequence. But if you want to create branches in a playbook and control the flow of the playbook using IF and ELSE-based conditions, you can utilize the Decision node.

The Decision node is used in playbooks to create an if-then-else flow. It can be used to define conditions, whether TRUE or FALSE to execute the subsequent steps. The decision element addresses predictable outcomes and takes further actions in flow based on those outcomes.

Drag and Drop the Decision in the main playbook canvas and connect one or more Actions as input of the action. Then, attach the two connectors (Yes and No) from the Decision node with desired actions to define different flows.

Action

In the Decision node, you compare one value with another. The first value always comes from an output of a specific action that is chosen. This can be any Action saved within the playbook. Click on the Action dropdown to choose the Action.

Field

Identify the "Field" in the Playbook:

  • In the playbook, locate the specific "field" you wish to compare from the output of the chosen action.

Copying the Path from the Action Element:

  • To populate the "field," you must copy the path from the Action node in the playbook. Follow these steps:

    • Find the relevant Action node associated with the decision you're working with.

    • Within the Action node, look for the "filter" icon, which contains a sample of the data or value you want to use for the decision.

    • Click on the "filter" icon to access the available data paths.

Selecting the Path for Input:

  • Within the "filter" options, you can choose the data path that corresponds to the value you wish to use as input in the Decision node.

  • This path might lead to data from previous actions, user inputs, or external sources.

  • Applying the Path to the "Field" in the Decision node:

  • Return to the Decision node in your playbook.

  • Paste the copied path from the Action node into the designated "field" where you want to use it as an input.

Save and Review:

  • Ensure that you save your changes in the playbook.

  • Review the playbook to confirm that the selected path is correctly integrated into the decision-making process.

Available Comparative Operators (Condition)

You can compare the first value (output from the action) with the second value using different operators:

  • Equal To

  • Not Equal

  • Less Than

  • Greater Than

  • Less Than or Equal To

  • Greater Than or Equal To

  • Begins With

  • Doesn’t Begin With

  • Contains

  • Doesn’t Contain

  • Ends with

  • Doesn’t End With

  • Is Null

  • Is not Null

Value

The value field contains the value that you wish to compare against the output of the chosen Action. E.g. If Verdict (from get_url_otx_info) equals Malicious

Here:

  • get_url_otx_info is the Action from which we want to fetch the output

  • Verdict is the field that we have chosen from the Action's output

  • equal is the conditional operator

  • Malicious is the value that one wants to compare against.

We can also define complex “OR” and “AND” based on nested conditions in the Decision box. Just click on the + icon to add new sections.

Once the playbook reaches the Decision node during execution, if the defined condition is found to be TRUE for a certain input, the playbook will follow the Yes flow and execute all subsequent Actions in that flow.

If the defined condition is found to be FALSE for a certain input, the playbook will follow the NO flow and execute all subsequent Actions in that flow.

Example:

In this example, we are executing a playbook where the reputation of the IP address is first checked on AbuseIPDB. Then in the Decision node, we check if the Confidence Score returned from ABuseIPDB is greater than our defined threshold. If so, then we deem that the IP is malicious. Hence in the YES flow the playbook is set to block that IP on FortiGate Firewall, and an email notification will be sent out to the firewall administrator.

The Abuse confidence score from AbuseIPDB for the IP is 69/100

Thus the condition in the decision box is TRUE for this output.

The playbook proceeds to block the IP on the Fortigate Firewall and sends an email notification

Note: Whenever the result of a Decision Element is True, it forwards only those values to the next actions in which the Conditional decision was True.

For example, if the Decision box was supplied with 5 IP addresses to check the reputational score. The Decision box will forward only those IP addresses to the next Actions (Block IP and Send Email Notification) that were found to be malicious (abuseConfidenceScore >5). The remaining IPs (where the condition was False) are discarded.

Did this answer your question?