This document explains how the Flow component directs the next steps of a
playbook by using a branching system to make decisions.
The following flow options are available:
Condition: Complex conditions based on placeholders, existing case data,
and the Previous Actionss flow.
Multi-Choice Question: Questions that analysts must answer manually.
Previous Actions Conditions: Data retrieved from previous actions
executed in the playbook.
Add a Condition flow
In the Playbooks screen, click Open Step Selection.
In Step Selection, select the Flow section.
Drag the condition to the step or between two actions, depending
on how you're building your playbook.
Double-click the condition to open the dialog.
Select the required entities.
Decide how many branches you want to create. Each branch has an OR
between them.
Select and add parameters for each branch, as follows:
Select the required event/case/alert parameters or enriched data that is
in your Google Security Operations platform. For new users, this is empty
if you've not yet ingested any alerts.
Select the required operator: Equals to/Does not equal to, Contains/Does
not contain, Starts with, or Greater than/Smaller than.
Choose a value. For this example, choose three
branches (where the third branch is the Branch 'Else'
Default Branch.) In Branch 1: Blocked alerts or alerts without a
threat signature; then do X (the next playbook step). In Branch 2:
Allowed alerts with a threat signature. In Branch 3: The default "Else" branch.
Branch 1: Logical Operator set to
Or. Alert.CategoryOutcome =
Blocked Alert.ThreatSignature [] Empty
Branch 2: Logical Operator set to
And Alert.CategoryOutcome =
Allowed Alert. ThreatSignature ![] NotEmpty
Define a "fallback branch" to avoid failed conditions. If a
condition is based on previous actions, and one of those actions failed (and
skipped), the condition continues to the fallback branch, instead of
stopping.
Click Save. The playbook now takes three branches: 1, 2 and E (Else).
Set the outcome for at least one branch to mark the playbook as complete.
To select a fallback branch, see Define a fallback branch.
To add a multi-choice question flow:
Drag the Multi-Choice Questions condition to the Final Step box.
Click Multi-Choice Questions to open the dialog.
Add a question with as many answers as needed.
Click Save. The playbook opens four branches. Set the outcome for at
least one branch to mark it as complete.
Add a Previous Actions Conditions flow
Drag the Previous Actions Conditions to the Final Step box.
Click Previous Actions Conditions to open the dialog.
Decide how many branches to create. Each branch has an OR between
them. To add a parameter:
Select the required parameter. The list shows only the action script
results from this playbook.
Select the required operator: Equals to/Does not equal to, Contains/Does
not contain, Starts with, or Greater than/Smaller than.
Choose the value (the action result).
You can add more parameters to each branch and choose a logical
operator: AND or OR.
Click Save. The playbook opens three branches: 1, 2, and Else.
Set the outcome for at least one branch to complete the playbook.
Define a fallback branch
In one of the flows (Condition or Previous Actions Condition), select the
branch to use as a fallback branch. This example uses
Branch
–
not risky. You're not required to add a fallback branch.
When the playbook runs, and the previous actions fail, the playbook
chooses the fallback branch and continues.
Remove a flow
When removing a flow from within a playbook, the system will ask you whether
you want to remove the entire branch or just one aspect of it.
Merge branches
You can merge different branches of the playbook into one branch. To do so,
drag an action from one of the branches and drop it to the Final
Step of another branch. The playbook can continue after this or end here.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eFlow components in Google SecOps playbooks direct the next steps using a branching system.\u003c/p\u003e\n"],["\u003cp\u003eThe three available Flow options are Condition (based on complex criteria), Multi Choice Question (manual analyst input), and Previous Actions Conditions (based on previous action data).\u003c/p\u003e\n"],["\u003cp\u003eUsers can create multiple branches within a Condition or Previous Actions flow, with each branch linked by an OR operator and can be customized using various parameters and logical operators.\u003c/p\u003e\n"],["\u003cp\u003eA fallback branch can be designated in Condition or Previous Actions flows to handle failed conditions, ensuring the playbook continues smoothly.\u003c/p\u003e\n"],["\u003cp\u003eBranches can be merged by dragging an action from one branch and dropping into the Final Step of another branch.\u003c/p\u003e\n"]]],[],null,["# Use flows in playbooks\n======================\n\nSupported in: \nGoogle secops [SOAR](/chronicle/docs/secops/google-secops-soar-toc) \n\nThis document explains how the Flow component directs the next steps of a\nplaybook by using a branching system to make decisions.\n\n\nThe following flow options are available:\n\n- **Condition** : Complex conditions based on placeholders, existing case data, and the **Previous Actions**s flow.\n- **Multi-Choice Question**: Questions that analysts must answer manually.\n- **Previous Actions Conditions**: Data retrieved from previous actions executed in the playbook.\n\nAdd a Condition flow\n--------------------\n\n1. In the **Playbooks** screen, click **Open Step Selection**.\n2. In **Step Selection** , select the **Flow** section.\n3. Drag the condition to the step or between two actions, depending on how you're building your playbook.\n4. Double-click the condition to open the dialog.\n5. Select the required entities.\n6. Decide how many branches you want to create. Each branch has an *OR* between them.\n7. Select and add parameters for each branch, as follows:\n 1. Select the required event/case/alert parameters or enriched data that is in your Google Security Operations platform. For new users, this is empty if you've not yet ingested any alerts.\n 2. Select the required operator: **Equals to/Does not equal to** , **Contains/Does\n not contain** , **Starts with** , or **Greater than/Smaller than**.\n 3. Choose a value. For this example, choose three branches (where the third branch is the Branch 'Else' Default Branch.) \n In Branch 1: Blocked alerts or alerts without a threat signature; then do X (the next playbook step). \n In Branch 2: Allowed alerts with a threat signature. \n In Branch 3: The default \"Else\" branch.\n8. Branch 1: Logical Operator set to **Or** . \n Alert.CategoryOutcome = Blocked \n Alert.ThreatSignature \\[\\] Empty\n9. Branch 2: Logical Operator set to **And** \n Alert.CategoryOutcome = Allowed \n Alert. ThreatSignature !\\[\\] NotEmpty\n10. Define a \"fallback branch\" to avoid failed conditions. If a condition is based on previous actions, and one of those actions failed (and skipped), the condition continues to the fallback branch, instead of stopping.\n11. Click **Save** . The playbook now takes three branches: 1, 2 and E (Else). Set the outcome for at least one branch to mark the playbook as complete. To select a fallback branch, see [Define a fallback branch](#define-fallback-branch). \n\n\n**To add a multi-choice question flow:**\n\n1. Drag the **Multi-Choice Questions** condition to the **Final Step** box.\n2. Click **Multi-Choice Questions** to open the dialog.\n3. Add a question with as many answers as needed.\n4. Click **Save**. The playbook opens four branches. Set the outcome for at least one branch to mark it as complete.\n\n### Add a Previous Actions Conditions flow\n\n1. Drag the **Previous Actions Conditions** to the **Final Step** box.\n2. Click **Previous Actions Conditions** to open the dialog.\n3. Decide how many branches to create. Each branch has an OR between them. \n To add a parameter:\n 1. Select the required parameter. The list shows only the action script results from this playbook.\n 2. Select the required operator: **Equals to/Does not equal to** , **Contains/Does\n not contain** , **Starts with** , or **Greater than/Smaller than**.\n 3. Choose the value (the action result).\n 4. You can add more parameters to each branch and choose a logical operator: AND or OR. \n4. Click **Save**. The playbook opens three branches: 1, 2, and Else. Set the outcome for at least one branch to complete the playbook.\n\n### Define a fallback branch\n\n1. In one of the flows (Condition or Previous Actions Condition), select the branch to use as a fallback branch. This example uses **Branch\n --\n not risky** . \n You're not required to add a fallback branch.\n2. When the playbook runs, and the previous actions fail, the playbook chooses the fallback branch and continues.\n\n### Remove a flow\n\n\nWhen removing a flow from within a playbook, the system will ask you whether\nyou want to remove the entire branch or just one aspect of it.\n\n### Merge branches\n\n\nYou can merge different branches of the playbook into one branch. To do so,\ndrag an action from one of the branches and drop it to the **Final\nStep** of another branch. The playbook can continue after this or end here.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
