This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Flow condition in Chronicle SOAR not working

Posted on 01-15-2025 11:59 AM
vanitharaj1208
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

Hi All,

I have a block for log collection, where I am using a flow to check whether the UDM action JSON is not empty. If it isn't, I add a CSV case wall attachment. However, I noticed that the UDM result is empty, yet it is still routing to branch one, even though the condition is set to proceed only if the JSON is not empty.

vanitharaj1208_0-1736970959895.pngvanitharaj1208_1-1736971016927.png

 

 

Solved Solved
0 6 372
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to malzahnOptiv
Reply posted on --/--/---- --:-- AM

JSON Result might still exist as empty list, which I believe is the situation here. So, if you want to create a stable condition, then my suggestion would be to do:

ylandovskyy_0-1747822868804.png

As "{" will only exist if JSON Result contains an actual JSON object inside of it.

 

View solution in original post

Jump to Solution
6 REPLIES 6

Posted on --/--/---- --:-- AM
JeremyLand
Staff
Reply posted on --/--/---- --:-- AM

That condition should evaluate correctly if you change it to ` != "" `

JeremyLand_0-1736988777962.png

 

Jump to Solution

Posted on --/--/---- --:-- AM
vanitharaj1208
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

but why notempty does not work here?

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
JeremyLand
Staff
Reply posted on --/--/---- --:-- AM

The empty and notempty conditions rely on a field existing to properly evaluate the contents.  In this case the 'Execute UDM Query' action only calls siemplify.result.add_result_json if events are returned in the result, so when there aren't events the json result field doesn't get created, which causes the condition to not evaluate properly.

Unfortunately this behavior isn't standardized between all actions.  Some will call the add_result_json function with no results, which will create the field and leave it blank; and your original condition would work.

To differentiate whether those empty results are actually created you can either look in the IDE at the action and try to understand logic around the siemplify.result.add_result_json command or use the Siemplify - Case Comment action with the json results placeholder in a playbook.  
With the Case Comment action the the comment will return an empty string if the results exist but are empty, or will put the placeholder string as the comment if the field doesn't exist.

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
malzahnOptiv
Bronze 4
Bronze 4
In response to JeremyLand
Reply posted on --/--/---- --:-- AM

I'm seeing an example where neither not empty or != "" works correctly for a JSON result.  It's with the Chronicle UDM Query.  I'm wondering if something has changed with this since your reply in January.  Thanks

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
In response to malzahnOptiv
Reply posted on --/--/---- --:-- AM

JSON Result might still exist as empty list, which I believe is the situation here. So, if you want to create a stable condition, then my suggestion would be to do:

ylandovskyy_0-1747822868804.png

As "{" will only exist if JSON Result contains an actual JSON object inside of it.

 

Jump to Solution

Posted on --/--/---- --:-- AM
malzahnOptiv
Bronze 4
Bronze 4
In response to ylandovskyy
Reply posted on --/--/---- --:-- AM

Awesome.  Thanks so much

Jump to Solution
0 Likes
Top Solution Authors
View all