Add context data to an alert - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Use a script, command, or playbook to add context data to an alert to be used in playbooks or other automations.

You can add keys and values to an alert’s context data to be used in playbooks or other automations.

To add context data to an alert, run the Set command in CLI, in a script, or in a playbook task. The Set command enables you to set a value under a specific key. For more information about the Set command, see Set.

Run the !Set command in the alert War Room.

  1. Identify an alert and click the Investigate icon to investigate the alert.

  2. In the alert investigation panel, select the War Room tab.

  3. Run the !Set command.

    Example 37. Example

    The following example adds the key and value hello:world to the alert context data.

    !Set key="hello" value="world"

In the JSON file, add Set to the demisto.executeCommand key.

Example 38. Example

The following example adds the key and value hello:world to the alert context data.

demisto.executeCommand("Set", {"key":"hello", "value":"world"})

Use the Set script in a standard task.

Example 39. Example

An alert’s context data contains the following values:

{
   "Account":
    {
      "firstName": "Bob",
      "lastName": "Jones"
    }
}

For an automation, you need to use the full name value. You can use the Set script to add a new fullName value to the JSON:

[Image: Set_script_in_PB.png]

Result:

{
   "Account":
    {
      "firstName": "Bob",
      "fullName": "Bob Jones",
      "lastName": "Jones"
    }
}
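
The script method and the fullName case above can be combined in one automation script. The following is an added example, not part of the Cortex XSIAM documentation: it reads Account from the alert context, builds the full name, and writes it back with `demisto.executeCommand("Set", ...)`. It assumes that Set accepts a dotted context path as its key; `_StubDemisto`, `build_full_name`, and `add_full_name` are hypothetical names, and the stub exists only so the script also runs outside the platform.

```python
# Added example: derive Account.fullName from existing context and store it with Set.

try:
    demisto  # injected by the platform when this runs as an automation script
except NameError:
    class _StubDemisto:
        """Offline stand-in (constructed for this example) for the platform object."""

        def __init__(self, ctx):
            self._ctx = ctx
            self.calls = []

        def context(self):
            return self._ctx

        def executeCommand(self, command, args):
            # Only models Set: write the value at a dotted path in the context.
            self.calls.append((command, args))
            node = self._ctx
            *parents, leaf = args["key"].split(".")
            for part in parents:
                node = node.setdefault(part, {})
            node[leaf] = args["value"]
            return [{"Type": 1, "Contents": "Key %s set" % args["key"]}]

    # Constructed sample context, matching the Account values shown above.
    demisto = _StubDemisto({"Account": {"firstName": "Bob", "lastName": "Jones"}})


def build_full_name(account):
    """Join the name parts that are present; return None if there are none."""
    parts = [str(account.get(k) or "").strip() for k in ("firstName", "lastName")]
    return " ".join(p for p in parts if p) or None


def add_full_name():
    """Read Account from context and store Account.fullName with the Set command."""
    account = demisto.context().get("Account") or {}
    if not isinstance(account, dict):
        return None  # e.g. a list of accounts; not handled in this example
    full_name = build_full_name(account)
    if full_name is None:
        return None  # nothing to write; leave the context untouched
    demisto.executeCommand("Set", {"key": "Account.fullName", "value": full_name})
    return full_name


if __name__ in ("__main__", "__builtin__", "builtins"):
    print(add_full_name())
```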