Skip to main content
Solved

Multi Question GeneralQuestion action

  • November 4, 2024
  • 5 replies
  • 141 views
donkos
Forum|alt.badge.img+8

Hello all,

I have a use case where we would want to ask analysts to fill in details about an incident manually before they pass it along elsewhere.I want to be able to reference the responses indivudually as dynamic placeholders in subsequent actions. I can see I could use the GeneralQuestion action which I could use multiple times (in parallel or in series) but that would require the analyst to do a lot more clicking, manual refreshing (manual prompt to answer question 1, answer, refresh, manual prompt for question 2 and so on). 

Is there any way to combine several general question actions in to one question with subqeustions that could then be referenced?

Best answer by KM7

Hello.  One option would be to create a custom action that acts as a form.   There are lots of different input parameter types available in the IDE (Boolean, Multi-Select, List, etc).   

"Subquestions" would probably still need to be handled with conditionals and separate playbooks steps. 


Here's a basic code example (make sure to also add the corresponding parameters themselves): 

from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import unix_now, convert_unixtime_to_datetime, output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED,EXECUTION_STATE_TIMEDOUT
import json


@output_handler
def main():
siemplify = SiemplifyAction()

question1 = siemplify.extract_action_param("q1", print_value=True)
question2 = siemplify.extract_action_param("q2", print_value=True)
multi = siemplify.extract_action_param("multi", print_value=True)


json_results = {
    'question1': question1,
    'question2': question2,
    'multi': multi
}

status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status
output_message = "output message :" # human readable message, showed in UI as the action result

result_value = json.dumps(json_results) # Set a simple result value, used for playbook if\\else and placeholders.
siemplify.result.add_result_json(result_value)

siemplify.LOGGER.info("\\n status: {}\\n result_value: {}\\n output_message: {}".format(status,result_value, output_message))
siemplify.end(output_message, result_value, status)


if __name__ == "__main__":
main()

 

Parameter definition in the IDE: 

Playbook user entry: 

 

Placeholder reference in subsequent playbook actions: 

[Siemplify_kmquestions_1.JsonResult| "question1"]

5 replies

dnehoda
Staff
Forum|alt.badge.img+16
  • dnehoda
  • Staff
  • November 5, 2024

Unfortunately, there isn't a built-in way in Google Chronicle SecOps SOAR to combine multiple GeneralQuestion actions into a single form with sub-questions.

However, here are a few alternative approaches you can consider to achieve a more streamlined workflow:

1. Custom Form with a Script:

  • Create a custom web form: Develop a simple web form (using HTML, JavaScript, etc.) that includes all the necessary input fields for your sub-questions.
  • Host the form: Host this form on a web server accessible to your analysts.
  • Use the WebRequest action: In your playbook, utilize the WebRequest action to send the form's URL to the analyst.
  • Parse the response: Once the analyst submits the form, use a script within your playbook to parse the response and extract the values for each sub-question. You can then store these values in playbook variables for later use.

This approach provides a more user-friendly experience with a single form and allows you to collect all necessary information at once.

2. Structured Input with a Single GeneralQuestion:

  • Design a structured input format: Instruct analysts to provide their answers in a specific format within a single GeneralQuestion action. For example: 
    Please provide the following details:
- Incident Summary: <summary>
- Affected Systems: <systems>
- Impact Assessment: <impact>
  • Parse the response with a script: Use a script in your playbook to parse the analyst's response, extracting the values for each sub-question based on the predefined format.

This approach reduces the number of clicks but requires clear instructions and relies on the analyst adhering to the input format.

3. Leverage Case Updates:

  • Utilize case update fields: Instead of using GeneralQuestion actions, leverage the existing case update fields within SOAR. Create custom fields for the information you need.
  • Guide analysts with instructions: Provide clear instructions within the case itself or through playbook comments, prompting analysts to fill in the specific case update fields.
  • Access data via case properties: Access the data entered in the case update fields directly within your playbook using case properties.

This approach integrates the questions into the case management workflow, potentially reducing context switching for analysts.

4. Feature Request:

Consider submitting a feature request to Google Chronicle for a dedicated "multi-question" action or the ability to group GeneralQuestion actions. This can help prioritize the development of such functionality in future releases.

    AymanC
    Forum|alt.badge.img+13
    • AymanCBronze 5
    • Bronze 5
    • November 6, 2024

    Hi @donkos,

    Out of the box there isn’t a way to achieve this via asking a direct question that contains sub questions. However, how about using case comments. 

    INSTRUCTION ACTION - mentioning to use the case comments to place their investigation, each comment relates to a separate step ( for example if your referring to a framework such as NIST, first comment should be identify, second Protect, third Detect, etc) -> SAME INSTRUCTION ACTION, user clicks ‘done’ once they’ve finished with their instructions -> GET CASE DATA ACTION, to then use the get case data to identify the response per comment) -> RENDER TEMPLATE FROM ARRAY, could be used to render the jsonresult from get case data to present the data using JINJA if you want conditional logic, and could be used in a further html widget for example

    Hope this workaround helps and is suffice 🙂

    Kind Regards,

    Ayman

    SoarAndy
    Staff
    Forum|alt.badge.img+12
    • SoarAndy
    • Staff
    • November 8, 2024

    As above, it's not something we do today, but this use-case is acknowledged by PM for future consideration.

    donkos
    Forum|alt.badge.img+8
    • donkos
    • Author
    • New Member
    • November 8, 2024

    Unfortunately, there isn't a built-in way in Google Chronicle SecOps SOAR to combine multiple GeneralQuestion actions into a single form with sub-questions.

    However, here are a few alternative approaches you can consider to achieve a more streamlined workflow:

    1. Custom Form with a Script:

    • Create a custom web form: Develop a simple web form (using HTML, JavaScript, etc.) that includes all the necessary input fields for your sub-questions.
    • Host the form: Host this form on a web server accessible to your analysts.
    • Use the WebRequest action: In your playbook, utilize the WebRequest action to send the form's URL to the analyst.
    • Parse the response: Once the analyst submits the form, use a script within your playbook to parse the response and extract the values for each sub-question. You can then store these values in playbook variables for later use.

    This approach provides a more user-friendly experience with a single form and allows you to collect all necessary information at once.

    2. Structured Input with a Single GeneralQuestion:

    • Design a structured input format: Instruct analysts to provide their answers in a specific format within a single GeneralQuestion action. For example: 
      Please provide the following details:
- Incident Summary: <summary>
- Affected Systems: <systems>
- Impact Assessment: <impact>
    • Parse the response with a script: Use a script in your playbook to parse the analyst's response, extracting the values for each sub-question based on the predefined format.

    This approach reduces the number of clicks but requires clear instructions and relies on the analyst adhering to the input format.

    3. Leverage Case Updates:

    • Utilize case update fields: Instead of using GeneralQuestion actions, leverage the existing case update fields within SOAR. Create custom fields for the information you need.
    • Guide analysts with instructions: Provide clear instructions within the case itself or through playbook comments, prompting analysts to fill in the specific case update fields.
    • Access data via case properties: Access the data entered in the case update fields directly within your playbook using case properties.

    This approach integrates the questions into the case management workflow, potentially reducing context switching for analysts.

    4. Feature Request:

    Consider submitting a feature request to Google Chronicle for a dedicated "multi-question" action or the ability to group GeneralQuestion actions. This can help prioritize the development of such functionality in future releases.


    Thanks @dnehoda - could you provide an example of what you mean by custom update fields?

    KM7
    Staff
    Forum|alt.badge.img+1
    • KM7
    • Staff
    • Answer
    • November 8, 2024

    Hello.  One option would be to create a custom action that acts as a form.   There are lots of different input parameter types available in the IDE (Boolean, Multi-Select, List, etc).   

    "Subquestions" would probably still need to be handled with conditionals and separate playbooks steps. 


    Here's a basic code example (make sure to also add the corresponding parameters themselves): 

    from SiemplifyAction import SiemplifyAction
    from SiemplifyUtils import unix_now, convert_unixtime_to_datetime, output_handler
    from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED,EXECUTION_STATE_TIMEDOUT
    import json


    @output_handler
    def main():
    siemplify = SiemplifyAction()

    question1 = siemplify.extract_action_param("q1", print_value=True)
    question2 = siemplify.extract_action_param("q2", print_value=True)
    multi = siemplify.extract_action_param("multi", print_value=True)


    json_results = {
        'question1': question1,
        'question2': question2,
        'multi': multi
    }

    status = EXECUTION_STATE_COMPLETED # used to flag back to siemplify system, the action final status
    output_message = "output message :" # human readable message, showed in UI as the action result

    result_value = json.dumps(json_results) # Set a simple result value, used for playbook if\\else and placeholders.
    siemplify.result.add_result_json(result_value)

    siemplify.LOGGER.info("\\n status: {}\\n result_value: {}\\n output_message: {}".format(status,result_value, output_message))
    siemplify.end(output_message, result_value, status)


    if __name__ == "__main__":
    main()

     

    Parameter definition in the IDE: 

    Playbook user entry: 

     

    Placeholder reference in subsequent playbook actions: 

    [Siemplify_kmquestions_1.JsonResult| "question1"]

    Terms & ConditionsCookie settingsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.