Alert context data - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

When an alert is generated, context data is captured from the alert fields and from any automations, such as commands, playbooks, correlation rules, and scripts. Context data includes keys (strings) and values (numbers, maps, arrays, and strings).

To see context data for an alert, open the alert investigation panel by clicking on the Investigate icon Investigate_icon.png. Then, click on the Alert Context Data icon context_data_icon.png.

Consider the following information when working with context data:

  • When an alert is created, the alert field data is stored under the alert key in the context data. When an investigation is opened and commands are run, the data returned from those commands is stored outside of the main alert key.

  • Alert context data is split into two tabs. The Alert tab contains the context data from the alert fields and the commands run on the alert. The Incident tab contains the parent incident fields and other incident data. None of this data is added to the context data for the parent incident unless you add it.

  • You can add keys and values to the context data. This is useful when developing playbooks, and other automations. For more information, see Add context data to an alert.

  • When running automations on an alert, the alert can access context data from its parent incident; however, it cannot access context data from other alerts. If you want to use context data from other alerts, add it to the parent incident.

Example 21. 

The following example shows alert context data where the alert key contains the data stored in the alert fields and the Account key contains alert data from running commands.