Skip to main content
Question

How can I identify Google SecOps SOAR cases with failed playbook runs?

  • October 23, 2025
  • 5 replies
  • 68 views
SaitejaKatta
Forum|alt.badge.img+2

I'm looking for a way to identify Google SecOps SOAR cases where one or more playbook executions have failed. My goal is to programmatically retrieve a list of these cases, ideally using methods available within the Siemplify SDK (Python), so I can process them further in custom jobs or actions 

Is there a specific Siemplify SDK method, API endpoint, or recommended approach to filter cases based on the success/failure status of their associated playbook runs? I'm trying to avoid manually checking the playbook monitor for each case.

Thanks!

5 replies

AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 23, 2025

Hi ​@SaitejaKatta,

 

Does the below endpoint work for you?

 

/api/external/v1/cases/GetWorkflowInstanceSummary

 

Kind Regards,

Ayman

SaitejaKatta
SaitejaKatta
Forum|alt.badge.img+2
  • SaitejaKattaBronze 3
  • Author
  • Bronze 3
  • October 23, 2025

@AymanC , when I invoked the API endpoint “/api/external/v1/cases/GetWorkflowInstanceSummary”, I got below response

{
 "errorCode": 2000,
 "errorMessage": "An error has occurred. When reporting the issue to SecOps support, provide the identifier: df856ec04e [removed by moderator] 1664354af and describe the action that has failed.",
 "innerException": null,
 "innerExceptionType": null,
 "correlationId": "df856ec04e [removed by moderator] 1664354af"
}
AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 23, 2025

Hi ​@SaitejaKatta,

 

Likely not passing the correct values, the schema is:
 

Siemplify.Server.Api.DataModel.Playbooks.ApiWorkflowRequestDataModel{

caseId

integer($int64)

alertIdentifier

string
nullable: true

shouldFetchSteps

boolean

definitionIdentifier

string($uuid)

collapseBlocks

boolean

nestedStepIdentifier

string($uuid)
nullable: true

parentWorkflowInstanceId

integer($int64)

loopsRequestedIterations

[
nullable: true

Siemplify.Common.Orchestration.DataModel.Requests.ApiLoopIterationRequest{

startLoopStepIdentifier

string($uuid)

loopIteration

integer($int32)

}]

parentWorkflowLoopIteration

integer($int32)
nullable: true

}

For Example:

 

{

  "caseId": 0,

  "alertIdentifier": "string",

  "shouldFetchSteps": true,

  "definitionIdentifier": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "collapseBlocks": true,

  "nestedStepIdentifier": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

  "parentWorkflowInstanceId": 0,

  "loopsRequestedIterations": [

    {

      "startLoopStepIdentifier": "3fa85f64-5717-4562-b3fc-2c963f66afa6",

      "loopIteration": 0

    }

  ],

  "parentWorkflowLoopIteration": 0

}

Kind Regards,

Ayman

SaitejaKatta
Forum|alt.badge.img+2
  • SaitejaKattaBronze 3
  • Author
  • Bronze 3
  • October 23, 2025

Hi ​@AymanC ,
I invoked the API from swagger,  the request body is in the same schema. 

Thanks!

AymanC
Forum|alt.badge.img+13
  • AymanCBronze 5
  • Bronze 5
  • October 23, 2025

Hi ​@SaitejaKatta,

 

I’d suggest using log explorer with the identifier for further information regarding why it has failed, alternatively raising a support ticket with Google may allow them to identify the issue you’re failing, unfortunately it's difficult to troubleshoot the issue you’re facing without further information.

 

Kind Regards,

Ayman

SaitejaKatta
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.