Response orchestration provides basic system components that you can use to define input and output parameters for playbooks and build basic playbook workflows.
Start/End
Each flow must have a start node and an end node. A flow can have only one start node but multiple end nodes.
The default name of the start node is event. Do not name any other component event during playbook orchestration.
Output gateways
Gateways are used to control the execution branches of a workflow. The execution flow is shown in the following figure:
Gateway name | Execution logic | Usage notes |
Default output gateway | Outputs multiple downstream branches from one node and executes all branches. | No component selection is required. Complete the configuration using node connection lines. Note Conditional configuration is not supported. |
Single output (exclusive gateway) | When a flow has multiple branches, only the first branch that meets the condition is executed. | Select the single output component and complete the related conditional configuration. Note A default ELSE condition is provided for conditions other than the custom conditions. |
Multiple output | When a flow has multiple branches, all branches that meet the conditions are executed. | Select the multiple output component and complete the related conditional configuration. |
Default output gateway
Configuration instructions
You can click a node and use a connection line to directly connect it to downstream branch nodes. Conditional configuration is not supported.
Single output (exclusive gateway)
Configuration instructions
In the basic nodes area, drag the Single Output component to the flow editor canvas.
Click the Single Output component. On the basic information tab on the right, click the Configure button to open the condition configuration page. After the configuration is complete, click OK to save the branch selection conditions.
Depending on your business scenario, you can click ADD IF or AND ELSE IF to add a group of conditions. Each group of conditions corresponds to one flow branch. For more information about how to configure conditions, see Component condition configuration. You can modify the condition names to make them easier to understand and distinguish.
Configure the gateway connection lines.
Hover the mouse pointer over the single output gateway icon and click a connection point to connect the line to a branch node.
Click the connection line and select the condition configured in Step 2 from the drop-down list in the configuration pane on the right.
ImportantA default ELSE condition is provided to handle cases that do not match any custom conditions.
You must select a different condition for each connection line.
Multiple output
Configuration instructions
In the basic nodes area, drag the Multiple Output component to the flow editor canvas.
Click the Multiple Output component. On the basic information tab on the right, click the Configure button to open the condition configuration page. After the configuration is complete, click OK to save the branch selection conditions.
Depending on your business scenario, you can click ADD IF to add a group of conditions. Each group of conditions can correspond to multiple flow branches. For more information about how to configure conditions, see Component condition configuration. You can modify the condition names to make them easier to understand and distinguish.
Configure the gateway connection lines.
Hover the mouse pointer over the multiple output gateway icon and click a connection point to connect the line to a branch node.
Click the connection line and select the condition configured in Step 2 from the drop-down list in the configuration pane on the right.
NoteYou can select the same condition for different connection lines.
Input gateways
Two types of input gateways are supported. When branches execute normally, both gateways function identically. The difference lies in how they handle abnormal branch executions.
Gateway name | Execution logic | Usage notes |
Default input gateway | Continues execution after all upstream branches finish executing. Even if a branch reports an error, subsequent execution continues. | No component selection is required. Complete the settings using node connection lines. |
Converging gateway | Waits for all upstream nodes to complete execution, and then determines whether all "required" upstream branches have been executed. If yes, subsequent nodes are triggered. Otherwise, the node execution fails. |
|
Default input gateway
Configuration instructions
You can click a node and use a connection line to directly connect it to downstream branch nodes.
Converging gateway
Configuration instructions
In the basic nodes area, drag the Converging component to the flow editor canvas.
Configure the gateway connection lines.
You can click a node and use a connection line to connect it to the Parallel Gateway component.
Click the connection line and select Required or Non-required from the drop-down list in the configuration pane on the right.
NoteIf you select "Required", the node on this path must be executed. Otherwise, downstream nodes are not triggered.
Child flows
Similar to a normal flow, a child flow also requires start and end nodes. A child flow can be used to group a complex flow to make the overall flow clearer and easier to understand. You can also execute loops on a child flow.
Child flows and parent flows are in the same variable space. Data from the parent flow, including inputs, the return values of upstream nodes, and variables, can be used in the child flow. Variable modifications in the child flow are also reflected in the parent flow.
In downstream nodes outside the child flow, you can retrieve the return result of the last execution of the nodes within the child flow.
Child flow loop configuration
Click the Enable Loop button.
Loop Mode: For Do-while, the loop body is executed before the condition is checked. For While-do, the condition is checked before the loop body is executed.
Maximum Loops: Set the maximum number of loops to prevent infinite loops.
Set the Loop Exit Condition: The parameters of all inner nodes executed in each loop of the child flow can be used as conditions. For more information about how to configure parameters, see Component condition configuration.
Loop end judgment logic
Each loop ends when all executed nodes in the child flow for that call have completed execution. For example, if a "Notification 2" node has finished executing and reached the end node, but a "Delay" node is still executing, the current loop waits until all executable nodes have finished before the next loop iteration starts.
For example, in the following scenario, the "Notification 2" node has completed execution and reached the end node, but the "Delay" node is still executing. The current iteration waits until all executable nodes have finished before starting the next round of recursive invocation.
Default loop parameters
A child flow provides default parameters that can be used to retrieve the current loop count for use by components within the child flow.
Loop count: Starts from 1. The format is ${child_flow_name.curLoop}.
Loop index: Starts from 0. The format is ${child_flow_name.curIndex}.
Example:
In a child flow, you can use the loop index in the NotifyMessage component to write the email body and retrieve array parameter values from the start node.
Component condition configuration
In scenarios such as single output gateways, multiple output gateways, child flow loop exits, and filter components, you must configure conditions to enable the corresponding features. Response orchestration provides a common page for these configurations. The rules are as follows:
Number | Description |
1 - Logical operator | AND: All conditions must be met. OR: At least one of the conditions must be met. Important Logical operators can determine only the logical relationship between different rules within the same group. |
2 - Negation switch | Negates the condition judgment for the current group. |
3 - Add rule to group | Adds a rule to the group. The logical relationship between multiple rules in a group is determined by the 1 - Logical operator in the upper-left corner. |
4 - Add condition group | Click to add a group of filter conditions. Important The relationship between different groups is fixed to AND and is not affected by the 1 - Logical operator. |
5 - Condition field | Supports expressions and constants. This is usually an output field from a preceding node. |
6 - Condition judgment rule | Supports operations such as IN and = for strings, numbers, and observation lists (Dataset). For more information, see the filter component. |
7 - Condition value | Supports expressions and constants. |
Condition configuration example
In the preceding figure, the condition is met if the value of name is "john" or "alice" and the value of age is between 12 and 20, inclusive.
Condition judgment rule description
Rule name | Rule description | Remarks |
NOT IN IP Dataset | The value is not in the IP observation list. | Before you can select an observation list, you must first configure it in Security Center > Agentic SOC > Integration Center > Observation Lists. |
IN IP Dataset | The value is in the IP observation list. | |
NOT IN Dataset | The value is not in the observation list. | |
IN Dataset | The value is in the observation list. | |
String | Equal to | Equal to. | None |
String | Not equal to | Not equal to. | None |
String | Contains | Contains. | For example, "abc" contains "bc". |
String | Does not contain | Does not contain. | For example, "abc" does not contain "d". |
String | Starts with | Starts with. | For example, "abc" starts with "ab". |
String | Ends with | Ends with. | For example, "abc" ends with "bc". |
String | Does not end with | Does not end with. | For example, "abc" does not end with "ab". |
String | Regex match | Matches a regular expression. | For example, "abcabc" matches the expression (abc)+. |
String | Not regex match | Does not match a regular expression. | For example, "abab" does not match the expression (abc)+. |
String | Is empty | Is an empty string. | Empty strings, null values, and NULL values are considered empty. |
String | Is not empty | Is not an empty string. | None |
Number | Equal to | Equal to. | None |
Number | Not equal to | Not equal to. | None |
Number | Greater than | Greater than. | None |
Number | Greater than or equal to | Greater than or equal to. | None |
Number | Less than | Less than. | None |
Number | Less than or equal to | Less than or equal to. | None |
Number | Range | Checks if the number is within the specified range. The format is "value,value". | For example, 1 is in the range -1,5. |