A Guide to Conditionals in Doctor Droid Playbooks

What are conditionals in playbooks, and how do you use them to create different paths in your investigations?

Conditions are rules applied to task outputs (metric, database, and log queries, or command output) to determine the next step to execute in your playbook.

Creating Conditions in Playbooks

Step 1: Create a playbook containing different types of tasks, for example:

  • A CloudWatch metric task that returns a time series

  • A Postgres database query that returns a table

  • A bash command that returns terminal output

Step 2: Apply a condition to the bash output. This provides a grep-style check against the terminal output: add a string, and the condition checks whether that string appears in the output.

Step 3: Create another condition on the CloudWatch metric. This checks whether the metric's rolling value over a 30-minute window is greater than six.

Step 4: Create a condition on the Postgres query result. This checks whether its row count is less than 20. Alternatively, choose a column-value condition: enter the column name, and the condition checks whether the value in that column of any row is less than 20.

Executing the Playbook

Step 1: Execute the playbook to see how the conditions on these tasks determine the path to follow. Conditions that are not met are marked red in the final output.

Step 2: If a condition is marked true, for example the CloudWatch metric condition, the step attached to it is recommended as the next step.

Configuring Time-Based Conditions

Step 1: Configure a time-based condition on top of these task-based conditions.

Step 2: Set the interval of the day during which the condition should be marked true. This adds the time of day as an additional parameter that decides the final output of the condition.

Step 3: Choose every day between 01:00 a.m. and 03:00 a.m. For every minute of that window, every day, the time-based condition evaluates to true; outside the window it is false regardless of the task outputs.

Remember that all conditions must hold: if one condition is true but another is false, the overall output is false.
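To make the evaluation rules above concrete, here is an added worked example that is not Doctor Droid's own code or API: it implements the four condition types from this guide (grep check on terminal output, rolling metric value over a 30-minute window, row-count and column-value checks on a query result, and a time-of-day window) and combines them with AND. The sample outputs are constructed, the choice of the mean as the "rolling value" is an assumption, and the midnight-crossing window support goes beyond the 01:00-03:00 case in the text.

```python
"""Added worked example: evaluating playbook-style conditions over task outputs.

Illustrative code written for this guide, not Doctor Droid's own API. Sample
outputs are constructed, and using the mean as the "rolling value" over the
metric window is an assumption.
"""
from datetime import datetime, time, timedelta
from statistics import mean

# --- Constructed sample task outputs (not captured from a real system) ---
NOW = datetime(2024, 1, 1, 2, 15)  # evaluation time 02:15, inside the 01:00-03:00 window

TERMINAL_OUTPUT = """\
api-gateway.service - API gateway
   Active: active (running) since 2024-01-01 01:40:12 UTC
 Main PID: 4121 (gateway)
Jan 01 02:10:05 host gateway[4121]: WARN connection pool exhausted
"""

# CloudWatch-style time series as (timestamp, value) pairs, newest first
METRIC_SERIES = [
    (NOW - timedelta(minutes=m), v)
    for m, v in [(0, 9), (5, 7), (10, 8), (15, 6), (20, 5), (25, 10),
                 (30, 3), (40, 2), (50, 1), (60, 2)]
]

# Postgres-style result table: one dict per row
QUERY_ROWS = [
    {"worker": "w1", "queue_depth": 12},
    {"worker": "w2", "queue_depth": 35},
    {"worker": "w3", "queue_depth": 41},
]


def grep_condition(output: str, needle: str) -> bool:
    """True if any line of the terminal output contains `needle` (grep-style check)."""
    return any(needle in line for line in output.splitlines())


def rolling_metric_condition(series, window_minutes: int, threshold: float, now: datetime) -> bool:
    """True if the rolling value (assumed: the mean) of the points in the last
    `window_minutes` is greater than `threshold`. An empty window yields False,
    so a missing metric cannot silently pass the check."""
    cutoff = now - timedelta(minutes=window_minutes)
    window = [v for ts, v in series if cutoff < ts <= now]
    return bool(window) and mean(window) > threshold


def row_count_condition(rows, max_rows: int) -> bool:
    """True if the result table has fewer than `max_rows` rows."""
    return len(rows) < max_rows


def column_value_condition(rows, column: str, threshold: float) -> bool:
    """True if the value in `column` of any row is less than `threshold`."""
    return any(row[column] < threshold for row in rows if column in row)


def in_time_window(now: datetime, start: time, end: time) -> bool:
    """True if the time of day of `now` lies in [start, end). Also handles a
    window that crosses midnight (e.g. 23:00-02:00), which generalises the
    01:00-03:00 example in the guide."""
    t = now.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate_playbook(now: datetime):
    """Evaluate every condition and combine them with AND: one false condition
    makes the overall result false. Returns (overall, names_of_failed_conditions);
    the failed ones are what the UI would mark red."""
    results = {
        "bash_grep": grep_condition(TERMINAL_OUTPUT, "connection pool exhausted"),
        "cloudwatch_metric": rolling_metric_condition(METRIC_SERIES, 30, 6, now),
        "postgres_rows": row_count_condition(QUERY_ROWS, 20),
        "time_window": in_time_window(now, time(1, 0), time(3, 0)),
    }
    failed = [name for name, ok in results.items() if not ok]
    return not failed, failed


if __name__ == "__main__":
    for when in (NOW, datetime(2024, 1, 1, 12, 0)):
        overall, failed = evaluate_playbook(when)
        print(f"{when:%H:%M}: overall={overall} failed={failed}")
```

Run at 02:15 all four conditions hold; run at 12:00 the time window fails and, because no metric points fall in the 11:30-12:00 window, the metric condition fails too, which is the safer default for a check that gates an investigation path.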