How do you manage Chronicle SIEM query results in Chronicle SOAR?

Hi guys,

here I come with another annoying problem within playbook development in Chronicle SOAR..

Yesterday I needed to execute a UDM query in Chronicle SIEM from one of our playbooks. On the first try it worked very well: the query found some results and then I added those results on the case screen as insights.

Then came the case of a query that didn't find any results. As you may know, the action "Execute UDM query" from the Google Chronicle integration returns two values: is_success and JSON_result. The first one is meant to catch any error on the API request, the second one should contain the results of the query itself.

I discovered that when the query doesn't find any result, the field "JSON_result" is not instantiated.

The result is that when I use placeholder values to add the insight, if "JSON_result" doesn't exist I find in the insight something like "[Execute Query for last 24h logins.JsonResult| "events.udm.principal.location.countryOrRegion" | distinct()]".

Why isn't the variable JSON_result initialized as empty? How am I supposed to check whether the query returned something before I put it in the insight?

This is another of the large number of small things that unfortunately make this product not user-friendly at all.. Every time I need to add some small components to my playbooks I need to struggle with these annoying issues 😞

Chronicle SIEM should be the best-developed integration for a SOAR solution...

I hope that someone came across this problem before me and had a solution.

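The failure mode described in the post (an absent JSON_result that leaves the placeholder unexpanded in the insight) can be handled defensively in a small pre-processing step before the insight is written. The following is an added example, not code from the post or from Google's Chronicle integration: it is plain Python with no SOAR SDK, it treats a missing, null or empty `JSON_result` the same as "no results", resolves the post's dotted field path over the results, and returns a flag the playbook can branch on. The shape of `JSON_result` (an `events` list of UDM-like dicts) and the `SAMPLE_*` inputs are constructed assumptions for illustration.

```python
from __future__ import annotations

import json
from typing import Any, Iterable

# Field path used in the post's placeholder.
FIELD_PATH = "events.udm.principal.location.countryOrRegion"

# Constructed copy of the unexpanded placeholder the post describes, used to test the detector below.
UNEXPANDED = ('[Execute Query for last 24h logins.JsonResult| '
              '"events.udm.principal.location.countryOrRegion" | distinct()]')


def load_json_result(action_output: dict) -> Any:
    """Return the parsed JSON_result, or None when the key is absent, null or empty.

    The action may hand back a JSON string or an already-parsed object; both are accepted.
    """
    raw = action_output.get("JSON_result")  # key name as reported in the post
    if raw in (None, ""):
        return None
    return json.loads(raw) if isinstance(raw, str) else raw


def resolve_path(obj: Any, path: str) -> list[Any]:
    """Resolve a dotted path against obj, fanning out over lists.

    A missing segment simply yields nothing, so None input returns [] instead of raising.
    """
    current: list[Any] = [obj]
    for part in path.split(".") if path else []:
        nxt: list[Any] = []
        for item in current:
            for elem in (item if isinstance(item, list) else [item]):
                if isinstance(elem, dict) and part in elem:
                    nxt.append(elem[part])
        current = nxt
    flat: list[Any] = []
    for item in current:
        flat.extend(item) if isinstance(item, list) else flat.append(item)
    return flat


def distinct(values: Iterable[Any]) -> list[Any]:
    """Order-preserving distinct(), with dict/list values compared by canonical JSON."""
    seen: set = set()
    out: list[Any] = []
    for v in values:
        key = json.dumps(v, sort_keys=True) if isinstance(v, (dict, list)) else v
        if key not in seen:
            seen.add(key)
            out.append(v)
    return out


def build_insight(action_output: dict, field_path: str) -> tuple[bool, str]:
    """Return (has_results, insight_text); never emits an unexpanded placeholder."""
    values = distinct(resolve_path(load_json_result(action_output), field_path))
    if not values:
        return False, "Query returned no results in the last 24h."
    return True, "Login countries (last 24h): " + ", ".join(str(v) for v in values)


def is_unexpanded_placeholder(text: str) -> bool:
    """Heuristic check for an insight body that is still a raw '[...|...]' placeholder."""
    text = text.strip()
    return text.startswith("[") and text.endswith("]") and "|" in text


# Constructed sample outputs: one with hits, one where JSON_result is absent (as in the post).
SAMPLE_HIT = {"is_success": True, "JSON_result": json.dumps({"events": [
    {"udm": {"principal": {"location": {"countryOrRegion": "DE"}}}},
    {"udm": {"principal": {"location": {"countryOrRegion": "DE"}}}},
    {"udm": {"principal": {"location": {"countryOrRegion": "FR"}}}},
]})}
SAMPLE_MISS = {"is_success": True}

if __name__ == "__main__":
    for sample in (SAMPLE_HIT, SAMPLE_MISS):
        has_results, text = build_insight(sample, FIELD_PATH)
        print(has_results, "->", text)
    print("placeholder leaked:", is_unexpanded_placeholder(UNEXPANDED))
```

The `has_results` flag is the value to branch on in a playbook condition: only the true branch writes the insight, and the false branch writes a fixed "no results" message, so a missing `JSON_result` can no longer surface as a literal placeholder string on the case screen. The `is_unexpanded_placeholder` check is a last-line guard that can be run over insight text before it is posted.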