When an alert is generated, context data is captured from the alert fields and from any automations, such as commands, playbooks, correlation rules, and scripts. Context data includes keys (strings) and values (numbers, maps, arrays, and strings).
To see context data for an alert, open the alert investigation panel by clicking the Investigate icon, then click the Alert Context Data icon.
Consider the following information when working with context data:
When an alert is created, the alert field data is stored under the alert key in the context data. When an investigation is opened and commands are run, the data returned from those commands is stored outside of the main alert key.
Alert context data is split into two tabs. The Alert tab contains the context data from the alert fields and the commands run on the alert. The Incident tab contains the parent incident fields and other incident data. None of this data is added to the context data for the parent incident unless you add it.
You can add keys and values to the context data. This is useful when developing playbooks and other automations. For more information, see Add context data to an alert.
When running automations on an alert, the alert can access context data from its parent incident; however, it cannot access context data from other alerts. If you want to use context data from other alerts, add it to the parent incident.
The following example shows alert context data where the alert key contains the data stored in the alert fields and the Account key contains alert data from running commands.
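The example referred to above is not reproduced on this page. As an added illustration (not the product's own code or API), the Python below builds a constructed context object in the shape the text describes: alert field values under the alert key, and the output of a command (here a hypothetical account lookup) stored under a separate top-level Account key. It also includes a small dotted-path reader and a helper that copies a key from an alert's context into its parent incident's context, which is how the text says data can be shared with other alerts. All field names and values are constructed for the example.

```python
# Added illustration, not the product's own code or API.
import json
from typing import Any, Dict, List

# Constructed sample context: alert fields live under "alert"; the output of
# a command is stored at the top level, outside the "alert" key.
SAMPLE_ALERT_CONTEXT: Dict[str, Any] = {
    "alert": {
        "id": "1001",                      # constructed values
        "name": "Suspicious login",
        "severity": "high",
        "sourceip": "10.0.0.5",
    },
    "Account": [                           # constructed command output
        {"Username": "jdoe", "Domain": "corp.example", "Enabled": True},
        {"Username": "svc-backup", "Domain": "corp.example", "Enabled": False},
    ],
}


def get_context_value(context: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted key path such as "alert.severity" or "Account.Username".

    When a step lands on an array of maps, the rest of the path is applied to
    every element and a list of the results is returned (missing entries are
    dropped). Returns None when the path does not exist at all.
    """
    def walk(node: Any, parts: List[str]) -> Any:
        if not parts:
            return node
        key, rest = parts[0], parts[1:]
        if isinstance(node, list):
            results = [walk(item, parts) for item in node]
            return [r for r in results if r is not None]
        if isinstance(node, dict) and key in node:
            return walk(node[key], rest)
        return None

    return walk(context, path.split("."))


def add_to_context(context: Dict[str, Any], key: str, value: Any) -> Dict[str, Any]:
    """Return a copy of the context with a key/value pair added.

    If the key already holds an array, the value is appended; if it holds a
    single map, the two are collected into an array; otherwise the key is set.
    """
    updated = json.loads(json.dumps(context))   # deep copy via JSON round-trip
    existing = updated.get(key)
    if existing is None:
        updated[key] = value
    elif isinstance(existing, list):
        existing.append(value)
    else:
        updated[key] = [existing, value]
    return updated


def promote_to_incident(incident_context: Dict[str, Any],
                        alert_context: Dict[str, Any], key: str) -> Dict[str, Any]:
    """Copy one top-level key from an alert's context into the parent incident's
    context, so that other alerts of the same incident can read it from there.
    Returns the incident context unchanged if the key is absent from the alert."""
    value = alert_context.get(key)
    if value is None:
        return incident_context
    return add_to_context(incident_context, key, value)


if __name__ == "__main__":
    print(json.dumps(SAMPLE_ALERT_CONTEXT, indent=2))
    print(get_context_value(SAMPLE_ALERT_CONTEXT, "alert.severity"))
    print(get_context_value(SAMPLE_ALERT_CONTEXT, "Account.Username"))
    incident = promote_to_incident({"incident": {"id": "7"}}, SAMPLE_ALERT_CONTEXT, "Account")
    print(json.dumps(incident, indent=2))
```

Reading Account.Username returns a list because Account holds an array of maps, which is the usual shape for command output; reading a key that exists nowhere returns None, so callers can tell "absent" apart from an empty list of matches.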