Skip to main content

Switch Operator: Streamline Conditional Logic with Branches

Learn how to use Torq's Switch operator to efficiently manage diverse workflow conditions in a neat, organized manner.

Updated this week

Use the Switch operator to create branches to handle different scenarios, keeping your workflow organized and adaptable to various security conditions.

Each branch within the Switch operator works with its own set of conditions and actions, allowing for precise responses to different situations. Branches are checked from left to right, and the steps in the first branch whose conditions are met are executed. If no branch conditions are met, the default branch runs instead.

How to use

  1. Add the operator: Drag and drop the Switch operator into your workflow.

  2. Configure branches: In the roperties panel, set up each branch of your Switch operator.

    • Add branches: Click + Add branches to add more branches. Each Switch can have up to 26 branches.

    • Rename each branch: Give each branch a clear and logical name by clicking on the branch name.

    • Define conditions: Set up the conditions for each branch. Click + Add condition to add conditions, choosing either And or Or condition logic.

    • Prioritize Branches: Use the arrows to rearrange branches to position higher-priority ones to the left. The first branch to have conditions met is the branch that is executed.

    • Default branch: The last branch is the default branch, which runs if no other branch's conditions are met.

  3. Track execution: Check the Execution Log to see which branch was executed.

Branches are checked from left to right. The first branch that has its conditions met is executed. If no branch conditions are met, the default branch runs instead.

If there are no steps in the default branch, no action will be performed.

Example: Determine IOC type

Use the Switch operator to check the data type for each IOC.

Set up the following Switch branches:

  • URL: if the data type is URL

  • Domain: if the data type is FQDN

  • IP: if the data type is an IP address

  • File hash: if the data type is a file hash

  • Default: if none of the branch's conditions are met

In each branch, run the following logic, tweaked to the IOC type:

  1. Use the relevant VirusTotal step to pull the IOC data.

  2. Send a notification of the enrichment results using the Slack Send message step, pulling all IOC results from the variable into a structured summary.

Did this answer your question?