Learn how to use context data in playbook tasks, and how to update context data from a playbook.
In Cortex XSIAM you can use context data (from an alert or incident) in playbooks, and you can use playbook tasks to update context data. You can:
Use the information stored in the alert context data as task inputs and outputs in a playbook.
To access data that is stored in the alert context data, use the keyword alert.
Example 45. To access the status value in the alert context data, use the following syntax:
${alert.status}
To access data that is stored in the parent incident context data, use the keyword parentIncidentContext.
Example 46. To access the hostname value in the incident context data, use the following syntax:
${parentIncidentContext.hostname}
Set a breakpoint in a playbook that reviews context data after a specific task.
This is available when using the debugger. As context data may be updated during a playbook run, setting a breakpoint enables you to pause the playbook execution, review the context data, and take action if necessary. Breakpoints can be useful when designing and troubleshooting playbooks. For more information, see Debug your playbook.
Add a task that writes playbook data to the incident context.
When you add data to the incident context, you can use this data to run playbooks on any of the alerts that are included in the incident.
To write playbook data to the incident context, use the setParentIncidentContext script in a standard task. For more information, see Add context data to an incident.
Caution
Users with Trigger Playbook permissions on a given alert may still be able to modify the parent incident via commands and scripts, even without full access to the incident.
For more information about playbooks, see What is a playbook?.
Context data in sub-playbooks
By default, the context data for sub-playbooks is stored in a separate context key. Consider the following information:
When a task in a main playbook accesses context data, it does not have direct access to sub-playbook data.
When a task in a sub-playbook accesses context data, it does not have direct access to the main playbook data.
If the sub-playbook has been configured to share globally, the sub-playbook context data is available to the main playbook and vice versa.
Note
Generic polling does not work if a playbook's context data is shared globally. For more information, see Playbook polling.