Overview
Use the If operator to determine execution paths based on whether a specified set of conditions is met. The If operator enables workflows to evaluate incoming data, such as incoming messages, event payloads, or case attributes, and determine which workflow branch should run next.
You can set multiple conditions, using and/or logic for nuanced decision-making. Use And to require all conditions to be met or Or to allow any of the conditions to be met.
How to use
Add the operator: Drag the If operator onto the workflow canvas.
Define the condition: Click on the If operator to open the Properties panel.
Set the required condition for the operator logic by completing the value fields and selecting a comparison parameter.
Click Add Condition to set more than one condition.
Select And or Or to define if all or any conditions need to be met.
Verify inputs: After execution is complete, check the operator input to verify the compared data.
You can also check the Execution log to see if the condition was evaluated correctly.
Available parameters
Each parameter defines how the evaluated value is compared to the specified condition. Select the parameter that matches the logic your condition requires.
Is equal/is not equal: Case-insensitive, checks if values do or do not match specified criteria.
Is in/is not in: Checks if one value is within another to determine workflow path.
Contains/does not contain: Case-sensitive, checks for exact matches within event elements.
The Is in and Contains operators treat values entered directly in the input field as strings. If you enter an array literal such as ["A", "B"], it is parsed as a string rather than an array, and element-level comparison will not work as expected. To compare against individual array elements, save the array in a JSON variable and reference it in the condition using $. notation.
Greater than/less than: Numeric comparisons, useful for establishing thresholds.
Greater equal/less equal: Numeric comparison, including equality, allowing for conditions that encompass a range.
Regex match/Regex not match: Employs regular expressions for pattern matching in data.
Is empty/not empty: Verifies if an element is empty or contains data.
It is best practice to double-check the conditions to ensure they are correctly configured and are being evaluated correctly. You can test the operator with different inputs, or view the operator input to check the compared data.
Examples
Check if a value is in a list
Use the Is in comparison to verify whether the source IP address from an alert belongs to a known blocklist.
If true, create a case with a specified severity level and notify relevant parties.
If false, continue with enrichment steps.
Detect if text contains a specific keyword
Use the Contains comparison to check if incoming messages from a Slack channel contain the command restart-service.
If true, trigger an automation to restart the affected service.
If false, ignore the message.
Validate if a field is empty
When triaging an incident, use the Is empty comparison to ensure every alert has an assigned severity level.
If true, assign a default severity and log a warning.
If false, proceed with the existing severity value.
FAQs
My If condition automatically evaluates to false, without providing a clear indication that this has happened. How do I fix this?
Double-check and validate the conditions, ensuring they are correctly configured and supported. If applicable, test with different inputs to identify any specific issues causing the conditions to be evaluated incorrectly.
My Is in or Contains condition is not matching array elements correctly. How do I fix this?
The UI input field parses direct array entries such as ["A", "B"] as strings, not as arrays. To compare against individual array elements, save the array in a JSON variable and reference it in the condition using $. notation. This is a known limitation of the input field parser.

