Search context data - Use Query to search for specific items in the context data of an incident or alert. - Administrator Guide - Cortex XSIAM - Cortex

Search context data - Use Query to search for specific items in the context data of an incident or alert. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-04-21

Category

Administrator Guide

Abstract

Use Query to search for specific items in the context data of an incident or alert.

You can use Query to search within the context data JSON for specific items and expand nested keys. Open the context data panel for an alert or incident, as explained in Alert context data or Incident context data, and type in the Search field.

Example context:

{
  "HelloWorld": {
    "Alerts": [
      {
        "name": "Example 1",
        "alert_status": "ACTIVE"
      },
      {
        "name": "Example 2",
        "alert_status": "CLOSED"
      },
      {
        "name": "Example 3",
        "alert_status": "ACTIVE"
      }
    ]
  }
}

Search examples:

${c} finds the value of the object c.
${HelloWorld.Alert(val.name == 'Example 1')} shows the full object for the alert named "Example 1", as stored in the context data.
${HelloWorld.Alert(val.alert_status === "ACTIVE")} shows the full object for all alerts in context with status "ACTIVE".
${HelloWorld.Alert(val.alert_status == 'ACTIVE').name} fetches the HelloWorld.Alert.name of all alerts in context with status "ACTIVE".