
Hello all,

I have a use case where we would want to ask analysts to fill in details about an incident manually before they pass it along elsewhere. I want to be able to reference the responses individually as dynamic placeholders in subsequent actions. I can see I could use the GeneralQuestion action, which I could use multiple times (in parallel or in series), but that would require the analyst to do a lot more clicking and manual refreshing (manual prompt to answer question 1, answer, refresh, manual prompt for question 2 and so on).

Is there any way to combine several general question actions into one question with subquestions that could then be referenced?

Unfortunately, there isn't a built-in way in Google Chronicle SecOps SOAR to combine multiple GeneralQuestion actions into a single form with sub-questions.


However, here are a few alternative approaches you can consider to achieve a more streamlined workflow:


1. Custom Form with a Script:



  • Create a custom web form: Develop a simple web form (using HTML, JavaScript, etc.) that includes all the necessary input fields for your sub-questions.

  • Host the form: Host this form on a web server accessible to your analysts.

  • Use the WebRequest action: In your playbook, utilize the WebRequest action to send the form's URL to the analyst.

  • Parse the response: Once the analyst submits the form, use a script within your playbook to parse the response and extract the values for each sub-question. You can then store these values in playbook variables for later use.


This approach provides a more user-friendly experience with a single form and allows you to collect all necessary information at once.


2. Structured Input with a Single GeneralQuestion:



  • Design a structured input format: Instruct analysts to provide their answers in a specific format within a single GeneralQuestion action. For example:



    Please provide the following details:
    - Incident Summary: <summary>
    - Affected Systems: <systems>
    - Impact Assessment: <impact>





  • Parse the response with a script: Use a script in your playbook to parse the analyst's response, extracting the values for each sub-question based on the predefined format.


This approach reduces the number of clicks but requires clear instructions and relies on the analyst adhering to the input format.


3. Leverage Case Updates:



  • Utilize case update fields: Instead of using GeneralQuestion actions, leverage the existing case update fields within SOAR. Create custom fields for the information you need.

  • Guide analysts with instructions: Provide clear instructions within the case itself or through playbook comments, prompting analysts to fill in the specific case update fields.

  • Access data via case properties: Access the data entered in the case update fields directly within your playbook using case properties.


This approach integrates the questions into the case management workflow, potentially reducing context switching for analysts.


4. Feature Request:


Consider submitting a feature request to Google Chronicle for a dedicated "multi-question" action or the ability to group GeneralQuestion actions. This can help prioritize the development of such functionality in future releases.
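Approach 2 above leaves the parsing step to "a script in your playbook". The following is an added example, not code from the thread or from the SOAR product, of what that script's core can look like: it parses the "- Label: value" template quoted above, tolerates the usual analyst deviations (missing dash, different capitalisation, a value wrapped over two lines) and reports which fields were left out or still hold the "<...>" placeholder, so the playbook can re-prompt instead of continuing with gaps. The field labels and the sample answer are constructed to match the template; in a real playbook the text would come from the GeneralQuestion answer placeholder.

```python
import re

# Labels the analyst is instructed to use (taken from the template above).
EXPECTED_FIELDS = ("Incident Summary", "Affected Systems", "Impact Assessment")

# One "- Label: value" line; the dash is optional and labels match case-insensitively.
_LINE_RE = re.compile(r"^\s*-?\s*(?P<label>[A-Za-z ]+?)\s*:\s*(?P<value>.*?)\s*$")


def parse_structured_answer(text, expected_fields=EXPECTED_FIELDS):
    """Return (fields, missing) for a free-text GeneralQuestion answer.

    `fields` maps placeholder-friendly keys (e.g. "incident_summary") to values;
    `missing` lists expected labels that were absent or left as "<placeholder>".
    """
    wanted = {label.lower(): label for label in expected_fields}
    fields, current_key = {}, None
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        if m and m.group("label").lower() in wanted:
            label = wanted[m.group("label").lower()]
            current_key = label.lower().replace(" ", "_")
            fields[current_key] = m.group("value")
        elif current_key and raw.strip():
            # Unlabelled non-empty line: treat as a continuation of the previous value.
            fields[current_key] = (fields[current_key] + " " + raw.strip()).strip()
    missing = []
    for label in expected_fields:
        key = label.lower().replace(" ", "_")
        value = fields.get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):
            missing.append(label)
            fields.pop(key, None)  # do not expose an unanswered placeholder downstream
    return fields, missing


def build_json_result(text):
    """Shape the parsed answer as one JSON-serialisable object for add_result_json()."""
    fields, missing = parse_structured_answer(text)
    return {"fields": fields, "missing": missing, "complete": not missing}


# Constructed sample: lowercase label, wrapped value, one field left unanswered.
SAMPLE_ANSWER = """Please provide the following details:
- Incident Summary: Suspicious PowerShell on WS-042,
  downloaded a second-stage payload
- affected systems: WS-042, FS-01
- Impact Assessment: <impact>
"""

if __name__ == "__main__":
    print(build_json_result(SAMPLE_ANSWER))
```

With the result stored via add_result_json, a later action can branch on `complete` and reference `fields.incident_summary` as a placeholder.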


Hi @donkos,

Out of the box there isn't a way to achieve this via asking a direct question that contains sub-questions. However, how about using case comments?

INSTRUCTION ACTION - mentioning to use the case comments to place their investigation, each comment relating to a separate step (for example, if you're referring to a framework such as NIST, the first comment should be Identify, the second Protect, the third Detect, etc.) -> SAME INSTRUCTION ACTION, the user clicks 'done' once they've finished with their instructions -> GET CASE DATA ACTION, to then use the case data to identify the response per comment -> RENDER TEMPLATE FROM ARRAY, which could be used to render the JsonResult from Get Case Data to present the data using Jinja if you want conditional logic, and could be used in a further HTML widget, for example.

Hope this workaround helps and is sufficient 🙂

Kind Regards,

Ayman


As above, it's not something we do today, but this use-case is acknowledged by PM for future consideration.


Thanks @dnehoda - could you provide an example of what you mean by custom update fields?


Hello. One option would be to create a custom action that acts as a form. There are lots of different input parameter types available in the IDE (Boolean, Multi-Select, List, etc.).


"Subquestions" would probably still need to be handled with conditionals and separate playbook steps.



Here's a basic code example (make sure to also add the corresponding parameters themselves): 


from SiemplifyAction import SiemplifyAction
from SiemplifyUtils import unix_now, convert_unixtime_to_datetime, output_handler
from ScriptResult import EXECUTION_STATE_COMPLETED, EXECUTION_STATE_FAILED, EXECUTION_STATE_TIMEDOUT
import json


@output_handler
def main():
    siemplify = SiemplifyAction()

    # Each action parameter defined in the IDE acts as one "question" on the form.
    question1 = siemplify.extract_action_param("q1", print_value=True)
    question2 = siemplify.extract_action_param("q2", print_value=True)
    multi = siemplify.extract_action_param("multi", print_value=True)

    json_results = {
        'question1': question1,
        'question2': question2,
        'multi': multi
    }

    status = EXECUTION_STATE_COMPLETED  # used to flag the action's final status back to the Siemplify system
    output_message = "output message :"  # human-readable message, shown in the UI as the action result

    result_value = json.dumps(json_results)  # simple result value, used for playbook if/else and placeholders
    siemplify.result.add_result_json(result_value)  # exposes each answer as a JsonResult placeholder

    siemplify.LOGGER.info("\n status: {}\n result_value: {}\n output_message: {}".format(status, result_value, output_message))
    siemplify.end(output_message, result_value, status)


if __name__ == "__main__":
    main()




Parameter definition in the IDE: 



Playbook user entry: 





Placeholder reference in subsequent playbook actions: 


[Siemplify_kmquestions_1.JsonResult| "question1"]

