Use context data in a playbook

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-11-07
Category
Administrator Guide
Abstract

Learn how to use context data in playbook tasks, and how to update context data from a playbook.

In Cortex XSIAM you can use context data (from an alert or incident) in playbooks, and you can use playbook tasks to update context data. You can:

  • Use the information stored in the alert context data as task inputs and outputs in a playbook.

    • To access data that is stored in the alert context data, use the keyword alert.

      Example 49. 

      To access the status value in the alert context data, use the following syntax:

      ${alert.status}

    • To access data that is stored in the parent incident context data, use the keyword parentIncidentContext.

      Example 50. 

      To access the hostname value in the incident context data, use the following syntax:

      ${parentIncidentContext.hostname}

  • Set a breakpoint in a playbook that reviews context data after a specific task.

    This is available when using the debugger. As context data may be updated during a playbook run, setting a breakpoint enables you to pause the playbook execution, review the context data, and take action if necessary. Breakpoints can be useful when designing and troubleshooting playbooks. For more information, see Debug your playbook.

  • Add a task that writes playbook data to the incident context.

    When you add data to the incident context, you can use this data to run playbooks on any of the alerts that are included in the incident.

    To write playbook data to the incident context, use the setParentIncidentContext script in a standard task. For more information, see Add context data to an incident.

    Caution

    Users with Trigger Playbook permissions on a given alert may still be able to modify the parent incident via commands and scripts, even without full access to the incident.

For more information about playbooks, see What is a playbook?

Context data in sub-playbooks

By default, the context data for sub-playbooks is stored in a separate context key. Consider the following information:

  • When a task in a main playbook accesses context data, it does not have direct access to sub-playbook data.

  • When a task in a sub-playbook accesses context data, it does not have direct access to the main playbook data.

  • If the sub-playbook has been configured to share globally, the sub-playbook context data is available to the main playbook and vice versa.

Note

Generic polling does not work if a playbook’s context data is shared globally. For more information, see Playbook polling.
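The following Python simulation is an added example written for this page; it is not Cortex XSIAM code and calls no platform API. It models the lookup rules described above (the `alert` and `parentIncidentContext` keywords, data written to the parent incident being visible to playbooks on every alert in that incident, and a sub-playbook's context being separate from the main playbook's unless it is configured to share globally) so that you can see the resolution behaviour on constructed data. The class and method names, the treatment of any other prefix as the run's own context, the way "share globally" is modelled as reusing the main playbook's context dictionary, and all sample alert and incident values are assumptions made for the illustration.

```python
"""Illustrative model of playbook context resolution (not Cortex XSIAM code).

Simulates how ${alert.<path>} and ${parentIncidentContext.<path>} references
are looked up, how a setParentIncidentContext task makes data visible to the
playbooks of every alert in the incident, and why a sub-playbook's context is
invisible to the main playbook unless it shares globally. All names and sample
data are constructed for this example.
"""
import re
from typing import Any, Dict, Optional

REFERENCE = re.compile(r"\$\{([^}]+)\}")  # matches ${...} placeholders


def get_path(data: Any, dotted: str) -> Optional[Any]:
    """Walk a dotted key path through nested dicts; None if any step is missing."""
    cur = data
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(data: Dict[str, Any], dotted: str, value: Any) -> None:
    """Store value at a dotted path, creating intermediate dicts as needed."""
    parts = dotted.split(".")
    cur = data
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


class PlaybookRun:
    """Context visible to the tasks of one playbook (or sub-playbook) run.

    alert_ctx    - context data of the alert the run was triggered on
    incident_ctx - context data of the parent incident, shared by every alert
                   grouped under that incident
    local_ctx    - this run's own task outputs; a sub-playbook gets its own
                   dict unless share_globally=True (assumption: sharing is
                   modelled as reusing the main playbook's dict)
    """

    def __init__(self, alert_ctx: Dict[str, Any], incident_ctx: Dict[str, Any],
                 local_ctx: Optional[Dict[str, Any]] = None) -> None:
        self.alert_ctx = alert_ctx
        self.incident_ctx = incident_ctx
        self.local_ctx = {} if local_ctx is None else local_ctx

    def start_sub_playbook(self, share_globally: bool = False) -> "PlaybookRun":
        shared = self.local_ctx if share_globally else None
        return PlaybookRun(self.alert_ctx, self.incident_ctx, shared)

    def set_output(self, key: str, value: Any) -> None:
        """A task writing its output into the run's own context."""
        set_path(self.local_ctx, key, value)

    def write_parent_incident_context(self, key: str, value: Any) -> None:
        """Models the effect of a setParentIncidentContext task: the data lands
        in the incident context, not in this run's local context."""
        set_path(self.incident_ctx, key, value)

    def resolve(self, reference: str) -> Optional[Any]:
        """Resolve one ${...} reference against the matching context store."""
        m = REFERENCE.fullmatch(reference.strip())
        if not m:
            raise ValueError(f"not a context reference: {reference!r}")
        path = m.group(1)
        head, _, rest = path.partition(".")
        if head == "alert":
            return get_path(self.alert_ctx, rest)
        if head == "parentIncidentContext":
            return get_path(self.incident_ctx, rest)
        # Any other prefix is looked up in the run's own context (assumption).
        return get_path(self.local_ctx, path)

    def render(self, template: str) -> str:
        """Substitute every ${...} in a string, e.g. a task argument."""
        def sub(m: "re.Match[str]") -> str:
            value = self.resolve(m.group(0))
            return "" if value is None else str(value)
        return REFERENCE.sub(sub, template)


# Constructed sample data: two alerts grouped under one incident.
INCIDENT_CTX: Dict[str, Any] = {"hostname": "ws-042"}
ALERT_A = {"status": "New", "severity": "high"}
ALERT_B = {"status": "In Progress", "severity": "low"}


def demo() -> Dict[str, Any]:
    main = PlaybookRun(ALERT_A, INCIDENT_CTX)
    # Isolated sub-playbook: its outputs stay in its own context.
    isolated = main.start_sub_playbook(share_globally=False)
    isolated.set_output("Enrichment.Score", 85)
    # Globally shared sub-playbook: outputs are visible to the main playbook.
    shared = main.start_sub_playbook(share_globally=True)
    shared.set_output("Verdict.Value", "malicious")
    # Data written to the parent incident is visible to a playbook on alert B.
    main.write_parent_incident_context("Triage.Owner", "soc-tier2")
    other = PlaybookRun(ALERT_B, INCIDENT_CTX)
    return {
        "status": main.resolve("${alert.status}"),
        "hostname": main.resolve("${parentIncidentContext.hostname}"),
        "isolated_seen_by_main": main.resolve("${Enrichment.Score}"),
        "isolated_seen_by_sub": isolated.resolve("${Enrichment.Score}"),
        "shared_seen_by_main": main.resolve("${Verdict.Value}"),
        "owner_seen_by_other_alert": other.resolve("${parentIncidentContext.Triage.Owner}"),
        "message": other.render("Host ${parentIncidentContext.hostname}: alert is ${alert.status}"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per lookup. The two results worth noting when designing a playbook are `isolated_seen_by_main`, which is `None` because the main playbook has no direct access to an unshared sub-playbook's context, and `owner_seen_by_other_alert`, which shows that data written to the parent incident is readable from a playbook running on a different alert in the same incident.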