- 16 Nov 2023
Conditions
- Updated on 16 Nov 2023
Conditions are used to compare two or more values. Conditions can be used to trigger events and configure If tasks or Loops. For example, triggering an action when data matches specific conditions is a common use case with workflows.
You can apply optional conditions to limit which events will trigger a workflow. For example, if your workflow starts when an IMAP trigger event is received, you can add a condition that the attachments key must contain an image/png in order for the workflow to begin. Conditions support AND / OR operators.
For example, you can check if a specific command was found in a sent Slack message. The If condition checks whether the message contains the exact text "disable_function". It also has the OR operator, which means that if the first condition is not met, a second condition can also satisfy the workflow.
The second condition has the AND operator, meaning that both of its parts must be met in order to fulfill the requirements. The example message must include the exact string "enable_function", and the extract_text_from_message.results element must have a value.
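The Slack condition described above, modelled in Python as an added example (it is not the product's own code). It follows the Contains and Is Empty semantics stated on this page; the event layout, the "message" key and the function names are assumptions made for illustration.

```python
# Added example: a model of the condition semantics this page describes,
# not the workflow engine's implementation. The event layout is assumed.

def contains(element, needle):
    """Contains: case-sensitive substring check."""
    return isinstance(element, str) and needle in element

def is_empty(element):
    """Is Empty: null, or an empty array, object, or string."""
    return element is None or (
        isinstance(element, (list, dict, str)) and len(element) == 0
    )

def slack_condition(event):
    """contains "disable_function" OR
    (contains "enable_function" AND results Is Not Empty)."""
    message = event.get("message")  # hypothetical key for the message text
    step = event.get("extract_text_from_message") or {}
    results = step.get("results")
    return contains(message, "disable_function") or (
        contains(message, "enable_function") and not is_empty(results)
    )

# Constructed sample events, not real Slack payloads.
SAMPLES = {
    "disable command": {"message": "run disable_function for gal"},
    "enable with results": {
        "message": "enable_function",
        "extract_text_from_message": {"results": ["gal"]},
    },
    "enable, empty results": {
        "message": "enable_function",
        "extract_text_from_message": {"results": []},
    },
    "enable, step missing": {"message": "enable_function"},
    "wrong case": {"message": "Disable_Function"},
}

def evaluate_samples():
    """Return {sample name: True/False path taken}."""
    return {name: slack_condition(event) for name, event in SAMPLES.items()}

if __name__ == "__main__":
    for name, outcome in evaluate_samples().items():
        print(f"{name:24} -> {'TRUE' if outcome else 'FALSE'} path")
```

The "wrong case" sample takes the FALSE path because Contains is case-sensitive, so a command gate built on it ignores input that differs only in capitalization.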
Equals
The workflow or step is executed when the value of the specified event element equals the specified value. This condition is case-insensitive. In the following example, only emails that contain a PNG file attachment will trigger the workflow.
Not Equals
The workflow or step is executed when the value of the trigger event element does not equal the specified value. This condition is case-insensitive. In the following example, Wiz issues whose severity is not LOW or MEDIUM will trigger the workflow.
Is In
The workflow proceeds on the TRUE path when the first specified value is found in the second specified value. Otherwise, the workflow will proceed on the FALSE path. In this example, the condition is checking if “atm” is found in “batman”. This condition would evaluate as TRUE.
Is Not In
The workflow proceeds on the TRUE path when the first specified value is NOT found in the second specified value. Otherwise, the workflow will proceed on the FALSE path. In this example, the condition is checking that “bat” is not found in “superman”. This condition would evaluate as TRUE.
Contains
The workflow or step is executed when the value of the specified string is contained inside the event elements. This condition is case-sensitive and must be an exact match.
In the following example, the workflow is triggered when a Slack message contains either an enable or disable global address list (gal) command.
Not Contains
The workflow or step is executed when the specified string is not contained inside the trigger event elements. This condition is case-sensitive and must be an exact match.
In the following example, a workflow is triggered when an event occurs. However, we specify that it does not trigger if the event occurs on a certain computer in the organization.
Greater Than
The workflow or step is executed when the event element contains a numeric value that is greater than the specified value.
In the following example, when sending potentially malicious data to VirusTotal, we will classify the entity as malicious if a certain number of engines find the item to be malicious.
Greater Equal
The workflow or step is executed when the event element contains a numeric value that is greater than or equal to the specified value.
In the following example, the If operator checks if there is at least one email address found in the JSON.
Less Than
The workflow or step is executed when the event element contains a numeric value that is lower than the given value.
In the following example, when sending a potentially harmful file for a scan, you might consider a file benign only if no suspicious attributes were detected.
Less Equal
The workflow or step is executed when the event element contains a numeric value that is lower than or equal to the specified value.
In the following example, when sending a potentially harmful file for a scan, you might consider a file benign only if no more than 2 suspicious attributes were detected.
Is Empty
The workflow or step is executed when the specified event has a null value, or an empty array, object, or string.
In the following example, the If operator is part of a workflow to analyze a submitted JSON of IP addresses or URLs. Before proceeding with the workflow, we want to check if there is any content to analyze.
Is Not Empty
The workflow or step is executed when the specified event does not have a null value, or if the array, object, or string contains any value.
In the following example, the If operator continues only if the endpoint alert contains results.
Regex Match
The workflow or step is executed when the specified event element matches a regular expression written in RE2 syntax.