Response orchestration provides built-in components for defining input and output parameters in playbooks and building playbook workflows.
Choose a component based on what you need:
| If you need to... | Use this component |
|---|---|
| Start or end a flow | Start/End |
| Run all downstream branches unconditionally | Default output gateway |
| Run only the first branch that matches a condition | Single output (exclusive gateway) |
| Run every branch that matches a condition | Multiple output |
| Merge branches after all upstream branches finish, even if a branch errors | Default input gateway |
| Merge branches, requiring specific upstream branches to have been executed | Converging gateway |
| Group steps into a reusable or looping block | Child flow |
Start/End
Each flow must have a start node and an end node. A flow can have only one start node but multiple end nodes.
The default name of the start node is event. Do not name any other component event during playbook orchestration.
Output gateways
Output gateways control which downstream branches execute after a node.
| Gateway | Execution logic | Usage notes |
|---|---|---|
| Default output gateway | Runs all downstream branches | No component needed — connect branches with lines. Conditional configuration is not supported. |
| Single output (exclusive gateway) | Runs only the first branch that matches a condition | Configure conditions on the component. A default ELSE condition handles unmatched cases. Each connection line must map to a different condition. |
| Multiple output | Runs all branches that match a condition | Configure conditions on the component. The same condition can map to multiple connection lines. |
Default output gateway
Connect a node directly to its downstream branch nodes using connection lines. Conditional configuration is not supported.
Single output (exclusive gateway)
Runs only the first branch whose condition is met. Use this when branches are mutually exclusive — for example, routing by alert severity level.
Drag the Single Output component from the basic nodes area onto the canvas.
Click the Single Output component. On the basic information tab, click Configure to open the condition configuration page.
Click ADD IF or AND ELSE IF to add condition groups. Each condition group maps to one branch.
Rename condition groups to make them easier to distinguish.
Click OK to save.
Connect each branch:
Hover over the single output gateway icon and click a connection point to draw a line to a branch node.
Click the connection line and select the condition configured in step 2 from the drop-down list.
A default ELSE condition handles cases that don't match any custom condition.
Each connection line must reference a different condition.
Multiple output
Runs all branches whose conditions are met. Unlike the single output gateway, this does not stop at the first match.
Drag the Multiple Output component from the basic nodes area onto the canvas.
Click the Multiple Output component. On the basic information tab, click Configure to open the condition configuration page.
Click ADD IF to add condition groups. Each condition group can map to multiple branches.
Rename condition groups to make them easier to distinguish.
Click OK to save.
Connect each branch:
Hover over the multiple output gateway icon and click a connection point to draw a line to a branch node.
Click the connection line and select the condition configured in step 2 from the drop-down list.
The same condition can be assigned to different connection lines.
Input gateways
Input gateways merge multiple upstream branches back into a single path. When branches execute normally, both gateways function identically. The difference lies in how they handle abnormal branch executions.
| Gateway | Execution logic | Usage notes |
|---|---|---|
| Default input gateway | Continues after all upstream branches finish. Proceeds even if a branch errors. | No component needed — connect branches with lines. |
| Converging gateway | Waits for all upstream nodes to complete, then checks whether all required upstream branches were executed. If yes, downstream nodes are triggered. Otherwise, the node execution fails. | Configure Required and Non-required conditions on each connection line. |
Default input gateway
Connect nodes directly to downstream branch nodes using connection lines.
Converging gateway
Use this when downstream execution must only proceed if specific upstream branches have been executed.
Drag the Converging component from the basic nodes area onto the canvas.
Connect each upstream node to the Parallel Gateway component using a connection line.
Click each connection line and select Required or Non-required from the drop-down list.
If a connection line is set to Required, the node on that path must complete execution. If it does not, downstream nodes are not triggered.
Child flows
A child flow groups a set of nodes into a self-contained block within a parent flow. Use child flows to:
Break a complex flow into readable, manageable sections
Execute a sequence of steps in a loop
A child flow requires its own start and end nodes, just like a parent flow.
Variable scope: Child flows and parent flows share the same variable space. The child flow can read inputs, upstream node return values, and variables from the parent flow. Any variable changes made inside the child flow are visible in the parent flow. Nodes outside the child flow can access the return result of the last execution of the nodes within the child flow.
Configure a loop on a child flow
Click Enable Loop.
Set Loop Mode:
Do-while: The loop body runs first, then the exit condition is checked.
While-do: The exit condition is checked first, then the loop body runs.
Set Maximum Loops to prevent infinite loops.
Set the Loop Exit Condition. Any output parameter from nodes inside the child flow can be used as a condition value. For configuration details, see Component condition configuration.
Loop end logic: A loop iteration ends only after all nodes triggered in that iteration have finished — including nodes still running when other nodes have already reached the end node. The next iteration does not start until the current iteration is fully complete.
Built-in loop variables:
| Variable | Starts from | Expression |
|---|---|---|
| Loop count | 1 | ${child_flow_name.curLoop} |
| Loop index | 0 | ${child_flow_name.curIndex} |
For example, use ${child_flow_name.curIndex} in the NotifyMessage component to index into an array passed from the parent flow's start node.
Component condition configuration
The condition configuration interface is shared across single output gateways, multiple output gateways, child flow loop exits, and filter components.
| # | Element | Description |
|---|---|---|
| 1 — Logical operator | AND / OR | Determines the relationship between rules within the same group only. AND: all rules must match. OR: at least one rule must match. |
| 2 — Negation switch | Negates the condition judgment for the current group. | |
| 3 — Add rule to group | Adds a rule to the group. The AND/OR operator in element 1 applies between all rules in the group. | |
| 4 — Add condition group | Adds a new condition group. The relationship between groups is always AND, regardless of the logical operator setting. | |
| 5 — Condition field | Supports expressions and constants. Typically an output field from a preceding node. | |
| 6 — Condition judgment rule | Supports string, number, and observation list (Dataset) operations such as IN and =. See the filter component for the full list. | |
| 7 — Condition value | Supports expressions and constants. |
Condition configuration example
The condition above is met when name equals "john" or "alice" and age is between 12 and 20 (inclusive).
Condition judgment rules
Dataset rules
Before using Dataset rules, configure observation lists in Security Center > Agentic SOC > Integration Center > Observation Lists.
| Rule | Description |
|---|---|
| IN IP Dataset | The value is in the IP observation list. |
| NOT IN IP Dataset | The value is not in the IP observation list. |
| IN Dataset | The value is in the observation list. |
| NOT IN Dataset | The value is not in the observation list. |
String rules
| Rule | Description | Example |
|---|---|---|
| Equal to | Exact match. | |
| Not equal to | Does not match. | |
| Contains | The string contains the specified value. | "abc" contains "bc". |
| Does not contain | The string does not contain the specified value. | "abc" does not contain "d". |
| Starts with | The string starts with the specified value. | "abc" starts with "ab". |
| Ends with | The string ends with the specified value. | "abc" ends with "bc". |
| Does not end with | The string does not end with the specified value. | "abc" does not end with "ab". |
| Regex match | The string matches the regular expression. | "abcabc" matches (abc)+. |
| Not regex match | The string does not match the regular expression. | "abab" does not match (abc)+. |
| Is empty | The string is empty. Empty strings, null values, and NULL values are all considered empty. | |
| Is not empty | The string is not empty. |
Number rules
| Rule | Description | Example |
|---|---|---|
| Equal to | Exact match. | |
| Not equal to | Does not match. | |
| Greater than | The number is greater than the specified value. | |
| Greater than or equal to | The number is greater than or equal to the specified value. | |
| Less than | The number is less than the specified value. | |
| Less than or equal to | The number is less than or equal to the specified value. | |
| Range | The number falls within the specified range. Format: value,value. | 1 is in the range -1,5. |