Skip to main content

I'm working with Google SecOps (Chronicle SOAR) playbooks, and I've noticed that when an action fails, the output sometimes still shows the expression in its raw form, like:

[Action_Name_Get Question Results_1.JsonResult]

Instead of resolving to None or an empty string, it just stays as-is. This causes issues when referencing the output in later steps or logs.

My questions are:

  1. Is this the expected behavior when an action fails?
  2. What’s the best practice to handle such cases ?
  3. Are there any built-in functions or patterns in SecOps playbooks to gracefully handle failed action outputs?

Hey @shubham8agar ,


My suggestion would be to make a condition like "[Action_Name_Get Question Results_1.JsonResult]" Contains "{" before running an action that will depend on the output of the previous one. 

The provided condition will only make a match, when there is a valid JSON object in the response of the action.

Let me know, if it will work for you!

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.