Incident context data - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


Context data is written to alerts, not to incidents. As a result, an incident's context is empty unless you have explicitly added context data to that incident.

To see the context data for an incident, click the incident to open it in the incident investigation panel, then click the Incident Context Data icon.

Adding context data from alerts to a parent incident can help you with the following tasks:

  • Remediation: You can add context data from an alert, such as the alert status, actions, or ID, to the context data of its parent incident. Other playbooks can then read the parent incident context instead of querying each alert separately.

    For example, if an incident contains multiple alerts, you can add context data from each alert to the parent incident. Playbooks can then act on the incident context data and avoid running the same action once per alert.

  • Incident assignment: You can see if an analyst has been assigned to the incident or other alerts.

  • Insights at the incident level: Automation engineers can define responses based on characteristics of the incident as a whole, rather than on individual alerts.

For more information, see Add context data to an incident.