This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

Unresolved Expression in Google SecOps Playbook Output After Action Failure

Posted 3 weeks ago
shubhamagar
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

I'm working with Google SecOps (Chronicle SOAR) playbooks, and I've noticed that when an action fails, the output sometimes still shows the expression in its raw form, like:

[Action_Name_Get Question Results_1.JsonResult]

Instead of resolving to None or an empty string, it just stays as-is. This causes issues when referencing the output in later steps or logs.

My questions are:

  1. Is this the expected behavior when an action fails?
  2. What’s the best practice to handle such cases ?
  3. Are there any built-in functions or patterns in SecOps playbooks to gracefully handle failed action outputs?
0 1 146
Topic Labels
0 Likes
Reply
1 REPLY 1

Posted on --/--/---- --:-- AM
ylandovskyy
Staff
Reply posted on --/--/---- --:-- AM

Hey @shubhamagar ,

My suggestion would be to make a condition like "[Action_Name_Get Question Results_1.JsonResult]" Contains "{" before running an action that will depend on the output of the previous one. 

The provided condition will only make a match, when there is a valid JSON object in the response of the action.

Let me know, if it will work for you!

0 Likes
Reply
Top Solution Authors
View all