Context standards

Cortex XSIAM Developer Guide

Product: Cortex XSIAM
Creation date: 2023-05-01
Last date published: 2024-06-04
Category: Developer Guide

Abstract

How incident data is structured when it is extracted into the incident context tree of objects.

Cortex XSIAM organizes incident data in a tree of objects called the incident context. Every integration command or script that runs adds its data to the context at a predefined location. This also applies to commands that run as part of playbook execution.

The context stores the results of every integration command and every automation script that runs. It is a JSON store kept per incident. Whether you run an integration command from the CLI or from a playbook task, its output is written into the JSON context of the incident or the playground. For example, a command such as !whois query="cnn.com" returns the WHOIS data and stores the results in the context.

When building new integrations, the entry context should be returned according to this standard, in addition to the vendor-specific context.

The structure should be:

  {
    "Object": {
      ...
    },
    "Vendor": {
      "Object": {
        ...
      }
    }
  }

Some standard objects are mandatory and enforced in the code, and some are recommended.
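As an added example (not code from the Cortex XSIAM documentation or any integration), the following Python builds an entry context for the whois lookup mentioned above in the standard-object-plus-vendor-object shape, checks that a context follows that shape, and models how successive command results accumulate in the incident context. The standard object name Domain, its field names, the vendor key Whois and the sample WHOIS record are all assumptions constructed for the example.

```python
# Constructed sample: what a hypothetical whois lookup of cnn.com might return.
RAW_WHOIS = {"domain": "cnn.com", "registrar": "Example Registrar", "created": "1993-09-22"}


def build_entry_context(raw: dict, vendor: str = "Whois") -> dict:
    """Return an entry context with a standard object and a vendor-specific copy.
    'Domain', its field names and the vendor key 'Whois' are assumptions."""
    standard = {
        "Name": raw["domain"],
        "WHOIS": {"Registrar": raw["registrar"], "CreationDate": raw["created"]},
    }
    # Standard object at the top level, full vendor data nested under the vendor key.
    return {"Domain": standard, vendor: {"Domain": dict(raw)}}


def validate_entry_context(ctx: dict, vendor: str) -> list[str]:
    """Check the shape described in the guide: at least one standard object next to
    a vendor object that itself nests an object. Returns the problems found."""
    problems: list[str] = []
    if vendor not in ctx or not isinstance(ctx[vendor], dict):
        problems.append(f"missing vendor object {vendor!r}")
    elif not any(isinstance(v, dict) for v in ctx[vendor].values()):
        problems.append(f"vendor object {vendor!r} does not nest an object")
    if not any(k != vendor and isinstance(v, dict) for k, v in ctx.items()):
        problems.append("no standard object alongside the vendor object")
    return problems


def merge_into_context(context: dict, entry: dict) -> dict:
    """Simplified model (not the platform's merge algorithm) of the incident context
    accumulating results: a key seen again turns its value into a list of objects."""
    for key, value in entry.items():
        if key not in context:
            context[key] = value
        else:
            existing = context[key] if isinstance(context[key], list) else [context[key]]
            context[key] = existing + [value]
    return context


if __name__ == "__main__":
    entry = build_entry_context(RAW_WHOIS)
    print(validate_entry_context(entry, "Whois"))  # [] means the shape is valid
    second = build_entry_context({"domain": "example.com", "registrar": "R", "created": "2000-01-01"})
    incident_context = merge_into_context(merge_into_context({}, entry), second)
    print(len(incident_context["Domain"]))
```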