A playbook contains a series of Actions that execute in sequence. To create branches in a playbook and control its flow with IF and ELSE conditions, use the Decision node.
The Decision node creates an if-then-else flow in a playbook. It defines a condition that evaluates to TRUE or FALSE for each input and routes the subsequent steps accordingly. The Decision node addresses predictable outcomes and takes further actions in the flow based on those outcomes.
Drag and drop the Decision node onto the main playbook canvas and connect the output of one or more Actions as its input. Then attach the two connectors (Yes and No) from the Decision node to the desired Actions to define the two flows.
Action
In the Decision node, you compare one value with another. The first value always comes from the output of a chosen Action, which can be any Action saved within the playbook. Click the Action dropdown to choose the Action.
Field
1. Identify the "Field" in the playbook
   Locate the specific field you wish to compare in the output of the chosen Action.
2. Copy the path from the Action node
   To populate the "Field", copy the path from the Action node in the playbook:
   - Find the Action node associated with the Decision you are working on.
   - Within the Action node, look for the "filter" icon, which contains a sample of the data or value you want to use for the decision.
   - Click the "filter" icon to access the available data paths.
3. Select the path for input
   Within the "filter" options, choose the data path that corresponds to the value you wish to use as input to the Decision node. This path might lead to data from previous Actions, user inputs, or external sources.
4. Apply the path to the "Field" in the Decision node
   Return to the Decision node in your playbook and paste the copied path into the "Field" where you want to use it as input.
5. Save and review
   Save your changes in the playbook, then review it to confirm that the selected path is correctly integrated into the decision.
Available Comparative Operators (Condition)
You can compare the first value (the output from the Action) with the second value using one of the following operators:
Equal To
Not Equal
Less Than
Greater Than
Less Than or Equal To
Greater Than or Equal To
Begins With
Doesn’t Begin With
Contains
Doesn’t Contain
Ends With
Doesn’t End With
Is Null
Is not Null
Value
The Value field contains the value you wish to compare against the output of the chosen Action. For example: If Verdict (from get_url_otx_info) equals Malicious
Here:
get_url_otx_info is the Action whose output we want to use
Verdict is the field chosen from the Action's output
equals is the comparative operator
Malicious is the value to compare against
You can also build complex conditions by nesting "AND" and "OR" groups in the Decision box. Click the + icon to add a new section.
When execution reaches the Decision node, if the defined condition evaluates to TRUE for a given input, the playbook follows the Yes flow and executes all subsequent Actions in that flow.
If the defined condition evaluates to FALSE for a given input, the playbook follows the No flow and executes all subsequent Actions in that flow.
Example:
In this example, the playbook first checks the reputation of an IP address on AbuseIPDB. The Decision node then checks whether the Confidence Score returned by AbuseIPDB is greater than the defined threshold. If it is, the IP is deemed malicious, so in the Yes flow the playbook blocks that IP on the FortiGate firewall and sends an email notification to the firewall administrator.
The abuse confidence score returned by AbuseIPDB for the IP is 69/100.
Thus the condition in the Decision box is TRUE for this output.
The playbook proceeds to block the IP on the FortiGate firewall and sends an email notification.
Note: Whenever the result of a Decision node is TRUE, it forwards to the next Actions only those values for which the condition was TRUE.
For example, if the Decision box was supplied with 5 IP addresses to check the reputation score, it will forward only those IP addresses that were found to be malicious (abuseConfidenceScore > 5) to the next Actions (Block IP and Send Email Notification). The remaining IPs (where the condition was FALSE) are discarded.
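The following is an added illustration, not the product's own code, of the two rules described above: the comparative operators with nested AND/OR groups, and the per-record filtering that forwards only the TRUE inputs to the Yes flow. The dotted field paths, the condition layout and the AbuseIPDB-style sample records are assumptions constructed for this example.

```python
# Added example (not the product's own code): a small model of how a Decision
# node evaluates a condition against each record an Action emits and splits
# the records into the Yes and No flows. Field paths, condition layout and the
# sample records below are assumptions constructed for this illustration.
import operator
from typing import Any, Callable, Dict, List, Tuple

# One entry per comparative operator offered by the Decision node.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equal To": operator.eq,
    "Not Equal": operator.ne,
    "Less Than": operator.lt,
    "Greater Than": operator.gt,
    "Less Than or Equal To": operator.le,
    "Greater Than or Equal To": operator.ge,
    "Begins With": lambda a, b: str(a).startswith(str(b)),
    "Doesn't Begin With": lambda a, b: not str(a).startswith(str(b)),
    "Contains": lambda a, b: str(b) in str(a),
    "Doesn't Contain": lambda a, b: str(b) not in str(a),
    "Ends With": lambda a, b: str(a).endswith(str(b)),
    "Doesn't End With": lambda a, b: not str(a).endswith(str(b)),
    "Is Null": lambda a, _b: a is None,
    "Is Not Null": lambda a, _b: a is not None,
}


def get_path(record: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted field path (e.g. 'data.abuseConfidenceScore') copied
    from an Action's output. A missing key yields None so 'Is Null' can catch it."""
    current: Any = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def evaluate(condition: Dict[str, Any], record: Dict[str, Any]) -> bool:
    """Evaluate one condition, or a nested AND ('all') / OR ('any') group."""
    if "all" in condition:
        return all(evaluate(c, record) for c in condition["all"])
    if "any" in condition:
        return any(evaluate(c, record) for c in condition["any"])
    actual = get_path(record, condition["field"])
    expected = condition.get("value")
    # Action outputs often carry numbers as strings; coerce when the
    # comparison value is numeric so "3" is compared as a number.
    if isinstance(expected, (int, float)) and isinstance(actual, str):
        try:
            actual = float(actual)
        except ValueError:
            pass
    try:
        return bool(OPERATORS[condition["operator"]](actual, expected))
    except TypeError:
        # e.g. 'Greater Than' against a null field: treat as not satisfied
        return False


def decide(condition: Dict[str, Any], records: List[Dict[str, Any]]) -> Tuple[List, List]:
    """Split records into (yes_flow, no_flow); only the Yes records reach the
    Actions attached to the Yes connector."""
    yes = [r for r in records if evaluate(condition, r)]
    no = [r for r in records if not evaluate(condition, r)]
    return yes, no


# Constructed sample: six AbuseIPDB-style check results (not real data).
SAMPLE_RESULTS = [
    {"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 69, "isp": "Example Hosting"}},
    {"data": {"ipAddress": "203.0.113.11", "abuseConfidenceScore": 0, "isp": "Example ISP"}},
    {"data": {"ipAddress": "203.0.113.12", "abuseConfidenceScore": "3", "isp": "Example ISP"}},
    {"data": {"ipAddress": "203.0.113.13", "abuseConfidenceScore": 100, "isp": "Example ISP"}},
    {"data": {"ipAddress": "203.0.113.14", "isp": "Unknown"}},  # lookup returned no score
    {"data": {"ipAddress": "203.0.113.15", "abuseConfidenceScore": 12, "isp": "Example ISP"}},
]

# The condition from the walkthrough: abuseConfidenceScore > 5
THRESHOLD_CONDITION = {"field": "data.abuseConfidenceScore", "operator": "Greater Than", "value": 5}

# Nested group: (score > 5) AND (isp Contains "Hosting" OR score >= 100)
NESTED_CONDITION = {
    "all": [
        THRESHOLD_CONDITION,
        {"any": [
            {"field": "data.isp", "operator": "Contains", "value": "Hosting"},
            {"field": "data.abuseConfidenceScore", "operator": "Greater Than or Equal To", "value": 100},
        ]},
    ]
}


def malicious_ips(condition=THRESHOLD_CONDITION, records=SAMPLE_RESULTS) -> List[str]:
    """IP addresses forwarded to the Yes flow (Block IP, Send Email Notification)."""
    yes, _ = decide(condition, records)
    return [get_path(r, "data.ipAddress") for r in yes]


if __name__ == "__main__":
    print("Yes flow:", malicious_ips())
    print("Yes flow (nested):", malicious_ips(NESTED_CONDITION))
```

Note how the record with no score at all fails "Greater Than" but satisfies "Is Null": when an enrichment lookup returns nothing, pairing the threshold check with an "Is Not Null" condition in an AND group keeps those records out of the blocking flow instead of silently treating a missing value as benign or malicious.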