Skip to main content

Unresolved Expression in Google SecOps Playbook Output After Action Failure

  • June 27, 2025
  • 1 reply
  • 29 views
shubham8agar
Forum|alt.badge.img+5

I'm working with Google SecOps (Chronicle SOAR) playbooks, and I've noticed that when an action fails, the output sometimes still shows the expression in its raw form, like:

[Action_Name_Get Question Results_1.JsonResult]

Instead of resolving to None or an empty string, it just stays as-is. This causes issues when referencing the output in later steps or logs.

My questions are:

  1. Is this the expected behavior when an action fails?
  2. What’s the best practice to handle such cases ?
  3. Are there any built-in functions or patterns in SecOps playbooks to gracefully handle failed action outputs?

1 reply

ylandovskyy
Staff
Forum|alt.badge.img+16

Hey @shubham8agar ,

My suggestion would be to make a condition like "[Action_Name_Get Question Results_1.JsonResult]" Contains "{" before running an action that will depend on the output of the previous one. 

The provided condition will only make a match, when there is a valid JSON object in the response of the action.

Let me know, if it will work for you!

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.