Use the If operator to determine execution paths based on whether a specified set of conditions is met. The If operator enables workflows to evaluate incoming data—such as incoming messages, event payloads, or case attributes—and determine which workflow branch should run next.
You can set multiple conditions, using and/or logic for nuanced decision-making. Use And to require all conditions to be met or Or to allow any of the conditions to be met.
How to use
Add the operator: Drag the If operator onto the workflow canvas.
Define the condition: Click on the If operator to open the Properties panel.
Set the required condition for the operator logic by completing the value fields and selecting a comparison parameter.
Click Add Condition to set more than one condition.
Select And or Or to define if all or any conditions need to be met.
Verify inputs: After execution is complete, check the operator input to verify the compared data.
You can also check the Execution log to see if the condition was evaluated correctly.
The available comparison parameters are:
Is equal/is not equal: Case-insensitive, checks if values do or do not match specified criteria.
Is in/is not in: Checks if one value is within another to determine workflow path.
Contains/does not contain: Case-sensitive, checks for exact matches within event elements.
Greater than/less than: Numeric comparisons, useful for establishing thresholds.
Greater equal/less equal: Numeric comparison, including equality, allowing for conditions that encompass a range.
Regex match/Regex not match: Employs regular expressions for pattern matching in data.
Is empty/not empty: Verifies if an element is empty or contains data.
It is best practice to double-check the conditions to ensure they are correctly configured and are being evaluated correctly. You can test the operator with different inputs, or view the operator input to check the compared data.
Examples
Check if a value is in a list
Use the Is in comparison to verify whether the source IP address from an alert belongs to a known blocklist.
If true, create a case with a specified severity level and notify relevant parties.
If false, continue with enrichment steps.
Detect if text contains a specific keyword
Use the Contains comparison to check if incoming messages from a Slack channel contain the command restart-service.
If true, trigger an automation to restart the affected service.
If false, ignore the message.
Validate if a field is empty
When triaging an incident, use the Is empty comparison to ensure every alert has an assigned severity level.
If true, assign a default severity and log a warning.
If false, proceed with the existing severity value.
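To test conditions with different inputs before building them into a workflow, the comparison semantics listed above can be modelled offline and run against the three examples. The following Python is an added example, not the product's own code: the names evaluate and COMPARISONS, the treatment of empty values, and the unanchored regex search are assumptions, and the alert, blocklist and messages are constructed.

```python
import re

def is_empty(value):
    # Assumption: None, "" and empty collections all count as empty.
    return value is None or (hasattr(value, "__len__") and len(value) == 0)

# Comparison semantics as the list above describes them.
COMPARISONS = {
    "is_equal": lambda a, b: str(a).lower() == str(b).lower(),  # case-insensitive
    "is_in": lambda a, b: a in b,
    "contains": lambda a, b: b in a,                            # case-sensitive
    "greater_than": lambda a, b: float(a) > float(b),
    "greater_equal": lambda a, b: float(a) >= float(b),
    "regex_match": lambda a, b: re.search(b, a) is not None,    # assumption: unanchored search
    "is_empty": lambda a, _b: is_empty(a),
}

def evaluate(conditions, logic="and"):
    """Evaluate (left, comparison, right) tuples joined by And or Or.

    Returns (result, trace); the trace records every compared pair,
    mirroring the operator-input check recommended above.
    """
    trace = [(l, op, r, COMPARISONS[op](l, r)) for l, op, r in conditions]
    outcomes = [row[3] for row in trace]
    return (all(outcomes) if logic == "and" else any(outcomes)), trace

# Constructed sample data (documentation-range IPs, invented messages).
BLOCKLIST = ["203.0.113.7", "198.51.100.23"]
ALERT = {"source_ip": "203.0.113.7", "severity": ""}
MESSAGES = ["please restart-service on web01", "please Restart-Service on web01"]

if __name__ == "__main__":
    checks = {
        "blocklisted source IP": [(ALERT["source_ip"], "is_in", BLOCKLIST)],
        "severity missing": [(ALERT["severity"], "is_empty", None)],
        "command, exact case": [(MESSAGES[0], "contains", "restart-service")],
        "command, other case": [(MESSAGES[1], "contains", "restart-service")],
    }
    for name, conds in checks.items():
        result, trace = evaluate(conds)
        print(f"{name}: {result} {trace}")
```

The fourth check returns False: because Contains is case-sensitive, a message that spells the command as Restart-Service takes the false branch.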