Use flows in playbooks
This document explains how the Flow component directs the next steps of a playbook by using a branching system to make decisions.
Condition flows are essential for allowing a playbook to automatically make decisions—routing a case down different paths based on incoming alert data, previous action results, or user input.
The following flow options are available:
- Condition: Complex conditions based on placeholders, existing case data, and the Previous Actions flow.
- Multi-Choice Question: Questions that analysts must answer manually.
- Previous Actions Conditions: Data retrieved from previous actions executed in the playbook.
Add Condition flows
This section describes how to use Condition flows to create dynamic, branching logic within your playbooks.
Add a single Condition flow
To add a single Condition flow, follow these steps:
- On the Response > Playbooks page, click Open Step Selection.
- In Step Selection, select the Flow section.
- Drag the condition to the step or between two actions, depending on how you're building your playbook.
- Double-click the condition to open the dialog.
- Select the required entities.
- Decide how many branches you want to create. Branches are joined with OR: the playbook follows the branch whose conditions are met.
- Select and add parameters for each branch, as follows:
- Select the required event/case/alert parameters or enriched data that is in your Google Security Operations platform. For new users, this is empty if you've not yet ingested any alerts.
- Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, or Greater than/Smaller than.
  - Choose a value.
- For this example, create three branches, where the third branch is the Else (default) branch:
  - Branch 1: Blocked alerts, or alerts without a threat signature; then do X (the next playbook step). Logical Operator set to Or:
    Alert.CategoryOutcome = Blocked
    Alert.ThreatSignature [] Empty
  - Branch 2: Allowed alerts with a threat signature. Logical Operator set to And:
    Alert.CategoryOutcome = Allowed
    Alert.ThreatSignature ![] NotEmpty
  - Branch 3: The default Else branch.
- Define a fallback branch to avoid failed conditions. If a condition is based on previous actions and one of those actions failed (and was skipped), the condition continues to the fallback branch instead of stopping the playbook. To select a fallback branch, see Define a fallback branch.
- Click Save. The playbook now has three branches: 1, 2, and E (Else).
- Set the outcome for (at least) one branch to mark the playbook as complete.
Add a multi-choice question flow
- Drag the Multi-Choice Questions condition to the Final Step box.
- Click Multi-Choice Questions to open the dialog.
- Add a question with as many answers as needed.
- Click Save. The playbook opens one branch per answer (four branches for a question with four answers).
- Set the outcome for at least one branch to mark it as complete.
Add a Previous Actions Conditions flow
To add a Previous Actions Conditions flow, follow these steps:
- Drag the Previous Actions Conditions to the Final Step box.
- Click Previous Actions Conditions to open the dialog.
- Decide how many branches to create. Branches are joined with OR: the playbook follows the branch whose conditions are met.
- Add a parameter: Select the required parameter. The list shows only the action script results from this playbook.
- Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, or Greater than/Smaller than.
- Choose the value (the action result).
- You can add more parameters to each branch and choose a logical operator: AND or OR.
- Click Save. The playbook opens one branch per condition plus an Else branch (for example, 1, 2, and Else).
- Set the outcome for at least one branch to complete the playbook.
Define a fallback branch
- In one of the flows (Condition or Previous Actions Conditions), select the branch to use as the fallback branch. This example uses the branch named "Branch – not risky". Adding a fallback branch is optional.
- When the playbook runs and a previous action fails, the playbook takes the fallback branch and continues.
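The branching described under Add Condition flows and Define a fallback branch, as an added Python example. This is not Google SecOps code and not how the platform implements flows; it is a small evaluator that applies the page's semantics (branches joined with OR, AND/OR between a branch's own conditions, an Else branch, and a fallback branch taken when a previous action's result is missing) to the page's three-branch example. The operator names, the flat dictionary layout, the `PreviousAction.` placeholder prefix, the reputation-lookup condition and the sample alerts are assumptions made for illustration; only the field names Alert.CategoryOutcome and Alert.ThreatSignature come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

# Operators the page lists, plus the Empty / NotEmpty checks its worked example
# writes as [] and ![]. The string keys are this example's own names (assumed).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda a, b: str(a) == str(b),
    "not_equals": lambda a, b: str(a) != str(b),
    "contains": lambda a, b: str(b) in str(a),
    "not_contains": lambda a, b: str(b) not in str(a),
    "starts_with": lambda a, b: str(a).startswith(str(b)),
    "greater_than": lambda a, b: float(a) > float(b),
    "smaller_than": lambda a, b: float(a) < float(b),
    "empty": lambda a, _b: a in (None, "", [], {}),
    "not_empty": lambda a, _b: a not in (None, "", [], {}),
}

@dataclass(frozen=True)
class Condition:
    parameter: str        # placeholder such as "Alert.CategoryOutcome"
    operator: str         # key in OPERATORS
    value: Any = None     # ignored by empty / not_empty

@dataclass(frozen=True)
class Branch:
    name: str
    conditions: tuple[Condition, ...]
    logical_operator: str = "AND"   # how this branch's own conditions combine

class PreviousActionFailed(Exception):
    """A condition referenced the result of a previous action that failed and was skipped."""

# Assumed naming: placeholders for previous-action results start with this prefix.
PREVIOUS_ACTION_PREFIX = "PreviousAction."

def resolve(parameter: str, alert: dict[str, Any], previous_results: dict[str, Any]) -> Any:
    """Look up a placeholder. Absent alert fields resolve to None, so 'empty'
    matches them; an absent previous-action result means that action failed."""
    if parameter.startswith(PREVIOUS_ACTION_PREFIX):
        key = parameter[len(PREVIOUS_ACTION_PREFIX):]
        if key not in previous_results:
            raise PreviousActionFailed(parameter)
        return previous_results[key]
    return alert.get(parameter)

def branch_matches(branch: Branch, alert: dict[str, Any], previous_results: dict[str, Any]) -> bool:
    # Every condition is evaluated, then combined with the branch's AND / OR.
    results = [OPERATORS[c.operator](resolve(c.parameter, alert, previous_results), c.value)
               for c in branch.conditions]
    return any(results) if branch.logical_operator.upper() == "OR" else all(results)

def choose_branch(branches, alert, previous_results=None, fallback=None) -> str:
    """Branches are joined with OR and checked in order: the first whose
    conditions hold is taken, otherwise "Else". If a condition needs the result
    of a failed previous action, the fallback branch is taken when one is
    defined; with no fallback the flow stops, surfaced here as an exception."""
    previous_results = previous_results or {}
    for branch in branches:
        try:
            if branch_matches(branch, alert, previous_results):
                return branch.name
        except PreviousActionFailed:
            if fallback is None:
                raise
            return fallback
    return "Else"

# The page's three-branch example (Branch 3 is the implicit Else).
ALERT_BRANCHES = (
    Branch("Branch 1", (
        Condition("Alert.CategoryOutcome", "equals", "Blocked"),
        Condition("Alert.ThreatSignature", "empty"),
    ), logical_operator="OR"),
    Branch("Branch 2", (
        Condition("Alert.CategoryOutcome", "equals", "Allowed"),
        Condition("Alert.ThreatSignature", "not_empty"),
    ), logical_operator="AND"),
)

# A Previous Actions Condition on an assumed reputation-lookup result.
RISK_BRANCHES = (
    Branch("Branch – risky", (
        Condition("PreviousAction.Reputation_Verdict", "equals", "malicious"),
    )),
)

# Constructed sample alerts, not real ingested data.
SAMPLE_ALERTS = {
    "blocked_with_sig": {"Alert.CategoryOutcome": "Blocked", "Alert.ThreatSignature": "ET TROJAN Generic"},
    "allowed_no_sig": {"Alert.CategoryOutcome": "Allowed", "Alert.ThreatSignature": ""},
    "allowed_with_sig": {"Alert.CategoryOutcome": "Allowed", "Alert.ThreatSignature": "ET TROJAN Generic"},
    "detected_with_sig": {"Alert.CategoryOutcome": "Detected", "Alert.ThreatSignature": "ET TROJAN Generic"},
}

def route_samples() -> dict[str, str]:
    """Route each constructed alert through the page's example flow."""
    return {name: choose_branch(ALERT_BRANCHES, alert) for name, alert in SAMPLE_ALERTS.items()}

if __name__ == "__main__":
    for name, branch in route_samples().items():
        print(f"{name:18} -> {branch}")
    # Reputation lookup failed (no result): the fallback keeps the playbook moving.
    print("failed lookup ->", choose_branch(RISK_BRANCHES, {}, {}, fallback="Branch – not risky"))
```

Note the two different reasons an alert ends up on a branch other than 1 or 2: an alert that matches neither branch goes to Else, whereas a condition that cannot be evaluated because its previous action failed goes to the fallback branch (or stops the flow if none is defined). Keep those two branches distinct when you design the outcomes, since Else usually means "handled, nothing matched" while the fallback means "enrichment did not run".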
Remove a flow
When removing a flow from within a playbook, the system prompts you to choose between removing the entire branch or only the flow step itself, leaving the rest of the branch in place.
Merge branches
You can merge different branches of the playbook into one branch. To do so, drag an action from one of the branches and drop it to the Final Step box of another branch. The playbook can continue after this or end here.