Use flows in playbooks

This document explains how the Flow component directs the next steps of a playbook by using a branching system to make decisions.

The following flow options are available:

  • Condition: Complex conditions based on placeholders, existing case data, and the results of the Previous Actions flow.
  • Multi-Choice Question: Questions that analysts must answer manually.
  • Previous Actions Conditions: Conditions on data retrieved from actions executed earlier in the playbook.

Add a Condition flow

  1. In the Playbooks screen, click Open Step Selection.
  2. In Step Selection, select the Flow section.
  3. Drag the condition to the step or between two actions, depending on how you're building your playbook.
  4. Double-click the condition to open the dialog.
  5. Select the required entities.
  6. Decide how many branches you want to create. Branches are combined with OR.
  7. Select and add parameters for each branch, as follows:
    1. Select the required event, case, or alert parameters, or enriched data that is in your Google Security Operations platform. For new users, this list is empty if you've not yet ingested any alerts.
    2. Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, or Greater than/Smaller than.
    3. Choose a value. This example uses three branches, where the third branch is the default Else branch:
      Branch 1: Blocked alerts, or alerts without a threat signature; then do X (the next playbook step).
      Branch 2: Allowed alerts that have a threat signature.
      Branch 3: The default Else branch.
  8. Configure the parameters and logical operator for each branch. For this example:
    Branch 1: Logical Operator set to Or
    Alert.CategoryOutcome = Blocked
    Alert.ThreatSignature [] Empty

    Branch 2: Logical Operator set to And
    Alert.CategoryOutcome = Allowed
    Alert.ThreatSignature ![] NotEmpty

  9. Define a fallback branch so that a failed condition does not stop the playbook. If a condition is based on previous actions and one of those actions failed (and was skipped), the condition continues to the fallback branch instead of stopping.
  10. Click Save. The playbook now has three branches: 1, 2, and E (Else). Set the outcome for at least one branch to mark the playbook as complete. To select a fallback branch, see Define a fallback branch.
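To make the branch semantics in steps 6 through 9 concrete, the following is an added illustration written for this page; it is not Google SecOps code and does not use the platform's API. It models a Condition flow as data: the operators listed in step 7, an AND/OR logical operator inside each branch, the default Else branch, and the fallback branch taken when a referenced previous action failed. The names `ConditionFlow`, `Branch`, `Parameter`, `evaluate`, the placeholder action name `Enrich_IP`, and the rule that branches are tried in order and the first match wins are assumptions made for the illustration.

```python
"""Model of Condition-flow branching (added illustration, not Google SecOps code).

Assumptions: branches are tried in order and the first match wins; the Else
branch is taken when no branch matches; a parameter whose path starts with
the name of a failed previous action sends the flow to the fallback branch.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional

# Operators named in the page, plus Empty/NotEmpty used in the example branches.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "Equals to": lambda v, x: v == x,
    "Does not equal to": lambda v, x: v != x,
    "Contains": lambda v, x: x in str(v or ""),
    "Does not contain": lambda v, x: x not in str(v or ""),
    "Starts with": lambda v, x: str(v or "").startswith(x),
    "Greater than": lambda v, x: v is not None and v > x,
    "Smaller than": lambda v, x: v is not None and v < x,
    "Empty": lambda v, _x: v in (None, "", [], {}),
    "NotEmpty": lambda v, _x: v not in (None, "", [], {}),
}


@dataclass
class Parameter:
    path: str                 # dotted path into case data, e.g. "Alert.CategoryOutcome"
    operator: str             # key of OPERATORS
    value: Any = None         # expected value (unused for Empty/NotEmpty)


@dataclass
class Branch:
    name: str
    logical: str = "And"      # "And" or "Or" between this branch's parameters
    params: List[Parameter] = field(default_factory=list)


@dataclass
class ConditionFlow:
    branches: List[Branch]
    else_branch: str = "Else"
    fallback_branch: Optional[str] = None


def lookup(data: dict, path: str) -> Any:
    """Resolve a dotted path; missing keys yield None (treated as empty)."""
    cur: Any = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def branch_matches(branch: Branch, data: dict) -> bool:
    """Apply the branch's logical operator across its parameter checks."""
    results = [OPERATORS[p.operator](lookup(data, p.path), p.value) for p in branch.params]
    if not results:
        return False
    return any(results) if branch.logical == "Or" else all(results)


def evaluate(flow: ConditionFlow, data: dict, failed_actions=()) -> str:
    """Return the name of the branch the playbook would follow."""
    # Fallback: the condition references a previous action that failed and was skipped.
    if failed_actions and flow.fallback_branch:
        roots = {p.path.split(".")[0] for b in flow.branches for p in b.params}
        if roots & set(failed_actions):
            return flow.fallback_branch
    for branch in flow.branches:          # assumption: first matching branch wins
        if branch_matches(branch, data):
            return branch.name
    return flow.else_branch


# The two branches configured in step 8, as data.
EXAMPLE_FLOW = ConditionFlow(
    branches=[
        Branch("Branch 1", "Or", [
            Parameter("Alert.CategoryOutcome", "Equals to", "Blocked"),
            Parameter("Alert.ThreatSignature", "Empty"),
        ]),
        Branch("Branch 2", "And", [
            Parameter("Alert.CategoryOutcome", "Equals to", "Allowed"),
            Parameter("Alert.ThreatSignature", "NotEmpty"),
        ]),
    ],
)

# A flow whose only branch depends on a previous action (hypothetical name "Enrich_IP").
FALLBACK_FLOW = ConditionFlow(
    branches=[Branch("Branch risky", "And",
                     [Parameter("Enrich_IP.ScriptResult", "Equals to", "malicious")])],
    fallback_branch="Branch not risky",
)

if __name__ == "__main__":
    # Constructed sample alerts, not real case data.
    for alert in ({"CategoryOutcome": "Blocked", "ThreatSignature": "SIG-1"},
                  {"CategoryOutcome": "Allowed", "ThreatSignature": ""},
                  {"CategoryOutcome": "Allowed", "ThreatSignature": "SIG-2"},
                  {"CategoryOutcome": "Quarantined", "ThreatSignature": "SIG-3"}):
        print(alert, "->", evaluate(EXAMPLE_FLOW, {"Alert": alert}))
    print("action failed ->", evaluate(FALLBACK_FLOW, {}, failed_actions={"Enrich_IP"}))
```

Note that an allowed alert with an empty threat signature lands in Branch 1, not Else, because Branch 1 uses Or: either condition alone is enough. Reordering branches or changing a branch's logical operator changes which path an alert takes, which is why the Else branch and a fallback branch are worth defining explicitly.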

Add a Multi-Choice Question flow

  1. Drag the Multi-Choice Questions condition to the Final Step box.
  2. Click Multi-Choice Questions to open the dialog.
  3. Add a question with as many answers as needed.
  4. Click Save. The playbook opens four branches. Set the outcome for at least one branch to mark it as complete.

Add a Previous Actions Conditions flow

  1. Drag the Previous Actions Conditions to the Final Step box.
  2. Click Previous Actions Conditions to open the dialog.
  3. Decide how many branches to create. Branches are combined with OR.
    To add a parameter:
    1. Select the required parameter. The list shows only the action script results from this playbook.
    2. Select the required operator: Equals to/Does not equal to, Contains/Does not contain, Starts with, or Greater than/Smaller than.
    3. Choose the value (the action result).
    4. Optionally, add more parameters to the branch and choose a logical operator between them: AND or OR.
  4. Click Save. The playbook opens three branches: 1, 2, and Else. Set the outcome for at least one branch to complete the playbook.

Define a fallback branch

  1. In one of the flows (Condition or Previous Actions Conditions), select the branch to use as a fallback branch. This example uses Branch not risky.
    Adding a fallback branch is optional.
  2. When the playbook runs and the previous actions fail, the playbook takes the fallback branch and continues.

Remove a flow

When you remove a flow from a playbook, the system asks whether you want to remove the entire branch or only one part of it.

Merge branches

You can merge different branches of the playbook into one branch. To do so, drag an action from one branch and drop it on the Final Step of another branch. The playbook can continue after the merge point or end there.