Context and outputs

Cortex XSIAM Developer Guide

Product: Cortex XSIAM
Creation date: 2023-05-01
Last date published: 2024-06-04
Category: Developer Guide
Abstract

The context map stores results from integration commands and scripts and is used to pass data between playbook tasks.

The context is a map (a dictionary, or JSON object) that is created for each incident and is used to store structured results from integration commands and automation scripts. Context keys are strings, and the values can be strings, numbers, objects, and arrays/lists.

The main use of the context is to pass data between playbook tasks. One task stores its output in the context and another task reads that output from the context and uses it.

For example, the ThreatStream integration includes the threatstream-analysis-report command, which returns the report of a file or URL that was submitted to the sandbox.
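The hand-off between tasks can be sketched with a simplified model of a per-incident context map. This is an added example, not code from the Cortex documentation and not the Cortex API: the class IncidentContext, the task functions, the dotted-path addressing, and the Sandbox.Report keys and values are all hypothetical and constructed for illustration.

```python
import json
from typing import Any

def _require_string_keys(value: Any) -> None:
    """Context keys are strings at every nesting level."""
    if isinstance(value, dict):
        for key, child in value.items():
            if not isinstance(key, str):
                raise TypeError(f"context key {key!r} is not a string")
            _require_string_keys(child)
    elif isinstance(value, list):
        for child in value:
            _require_string_keys(child)

class IncidentContext:
    """Simplified model: one context map per incident, read by dotted path."""
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self._data: dict = {}

    def set(self, path: str, value: Any) -> None:
        _require_string_keys(value)
        json.dumps(value)  # raises TypeError for values that are not JSON data
        *parents, leaf = path.split(".")
        node = self._data
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise TypeError(f"{part!r} in {path!r} is not an object")
        node[leaf] = value

    def get(self, path: str, default: Any = None) -> Any:
        node: Any = self._data
        for part in path.split("."):
            if not isinstance(node, dict) or part not in node:
                return default
            node = node[part]
        return node

def task_fetch_report(ctx: IncidentContext) -> None:
    # Constructed stand-in for a sandbox report command's structured output.
    ctx.set("Sandbox.Report", {"ID": "r-1001", "Verdict": "malicious",
                               "Score": 87, "Domains": ["example.test"]})

def task_decide(ctx: IncidentContext) -> str:
    verdict = ctx.get("Sandbox.Report.Verdict")
    if verdict is None:
        return "no-report"  # the writer task has not run for this incident
    return "escalate" if verdict == "malicious" else "close"
```

The reader task handles a missing key explicitly, because a task that runs before its producer, or in a different incident, finds nothing at that path.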

Context Use Cases

Important

When setting integration_name with the vendor value, it must match the name of the integration as defined in the YAML file.