Add context data to an incident - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-06-18
Category
Administrator Guide
Abstract

Use a script, command, or playbook to add context data to an incident to be used in playbooks or other automations.

You can add keys and values to an incident’s context data to be used in playbooks or other automations. By default, context data is added to alerts only. To run automations on an incident, add context data to the incident from its related alerts.

To add context data to an incident, run the setParentIncidentContext command in the CLI, in a script, or in a playbook task.

Run the !setParentIncidentContext command in the alert War Room or the Incident War Room.

Note

If you run the command in the alert War Room, the data is added to the following places:

  • The incident context data.

  • The alert context data under the incident tab.

If you run the command in the Incident War Room, the data is added to the incident context data only.

Use the alert War Room
  1. Identify an alert and click Investigate_icon.png to Investigate the alert.

  2. In the alert investigation panel, select the War Room tab.

  3. Run the !setParentIncidentContext command.

    Example 25. Example

    The following example adds the key and value hello:world to the incident and alert context data.

    !setParentIncidentContext key="hello" value="world"

Use the Incident War Room
  1. In the incident investigation panel, select the Incident War Room tab.

  2. Run the !setParentIncidentContext command.

    Example 26. Example

    The following example adds the key and value hello:world to the incident context data.

    !setParentIncidentContext key="hello" value="world"

In the JSON file, add setParentIncidentContext to the demisto.executeCommand key.

Example 27. Example

The following example adds the key and value hello:world to the incident or alert context data.

demisto.executeCommand("setParentIncidentContext", {"key":"hello", "value":"world"})

When a playbook runs, the playbook data is written to the alert context data. To write the data to the parent incident context data, use the setParentIncidentContext script in a standard task.

Example 28. 

The following example adds the TicketID to the incident context. To see a full use case that includes this standard task, see Use context data in a playbook.

jira-task-ticket.png