Conditional tasks are used for determining
different paths for your playbook. You can use conditional tasks
for something simple like proceeding if a certain integration exists,
or whether a user account has an email address.
you can use conditional tasks for more complex situations. For example,
if an indicator was enriched and the reputation was set to bad,
escalate the incident for managerial approval. However, if the indicator
reputation is unknown or good, proceed down a different route.
the playbook was installed from a Content Pack, duplicate or detach the
playbook, before creating a conditional task.
In a playbook, click
+ Create Task
field, type a
meaningful name for the task that corresponds to the data you are
Select the required option based on the conditional task.
Creates a logical statement using an entity
from within the playbook. For example, in an access investigation
playbook, you can determine that if the Asset ID of the person whose
account was being accessed exists in a VIP list, set the incident
severity to High. Otherwise, proceed as normal.
Creates a conditional task which must be manually
resolved. For example, in an access incident investigation, you
might ask the user if they attempted to access their account. A
manual task checks if the user responded.
Creates a conditional task based on the result
of a script. For example, check if an IP address is internal or
external using the IsIPInRanges automation. When using an automation,
the Inputs and Outputs are defined by the automation script.
Complete the task configuration in the remaining tabs.
Some configurations are required, and some are optional.