Learn how to use context data in playbook tasks, and how to update context data from a playbook.
In Cortex XDR you can use context data (from an issue or case) in playbooks, and you can use playbook tasks to update context data. You can:
Use the information stored in the issue context data as task inputs and outputs in a playbook.
To access data that is stored in the issue context data, use the keyword
issue.Example 127.To access a the
statusvalue in the issue context data, use the following syntax:${issue.status}To access data that is stored in the parent case context data, use the keyword
parentIncidentContext.Example 128.To access the
hostnamevalue in the case context data, use the following syntax:${parentIncidentContext.hostname}
Set a breakpoint in a playbook that reviews context data after a specific task.
This is available when using the debugger. As context data may be updated during a playbook run, setting a breakpoint enables you to pause the playbook execution, review the context data, and take action if necessary. Breakpoints can be useful when designing and troubleshooting playbooks. For more information, see Test your playbook.
Add a task that writes playbook data to the case context.
When you add data to the case context, you can use this data to run playbooks on any of the issues that are included in the case.
To write playbook data to the case context, use the
setParentIncidentContextscript in a standard task. For more information, see Add context data to a case.Caution
Users with Trigger Playbook permissions on a given issue may still be able to modify the parent case via commands and scripts, even without full access to the case.
For more information about playbooks, see Playbooks overview.
Context data in sub-playbooks
By default, the context data for sub-playbooks is stored in a separate context key. Consider the following information:
When a task in a main playbook accesses context data, it does not have direct access to sub-playbook data.
When a task in a sub-playbook accesses context data, it does not have direct access to the main playbook data.
If the sub-playbook has been configured to share globally, the sub-playbook context data is available to the main playbook and vice versa.
Use case: Use context data in a Jira ticketing system
In this use case, a Jira ticketing system is used to manage issues and reduce duplicate tickets.
Issue: When an action is taken on an endpoint, some cases contain multiple issues for the same endpoint. If each issue runs a playbook on the same endpoint, duplicate tickets are created for each case.
Solution: This playbook checks existing endpoints and Case IDs and decides whether to create a new ticket or to add the data to an existing ticket, and therefore, reduces duplicate tickets in the case.
The playbook flow is described in the following steps:
After checking that the Jira v3 integration is enabled, in this task the playbook adds the
EndpointFromAlertskey to the case context by retrieving thealert.hostnameand using thesetParentIncidentContextscript.In this task, the playbook checks if there is an open ticket for the case by retrieving the
parentIncidentContext.TicketID.If there is no open ticket, a new ticket is created in Jira and the TicketID is added to the case context.
If there is an open ticket, this task checks whether there is an open ticket for the endpoint by comparing the
alert.hostname(issue endpoint) to theparentIncidentContent.EndpointFromAlertskey.After retrieving the
alert.hostnamein theparentIncidentContext.EndpointFromAlertscontext, if there is no open ticket for the endpoint, the playbook updates the Jira ticket for the case.In this example, you can see that the
EndpointFromAlertsandTicketIDhas been added to the case context data.