Extend context in a playbook task

Cortex XSIAM Playbook Design Guide

Product
Cortex XSIAM
Creation date
2023-05-29
Last date published
2024-09-01
Category
Playbook Design Guide
Abstract

Extend context to retrieve additional data from integrations or commands and map to fields. Extend context in a playbook task.

You can extend context either in a playbook task or directly from the command line. Whichever method you use, it is recommended that you first run your command with the raw-response=true flag. This helps you identify the information that you want to add to your extended data.

  1. Go to the Advanced tab of the relevant playbook task, such as a Data Collection task.

  2. In the Extend Context field, enter the name of the field in which you want the information to appear and the value you want to return. For example, using the !ad-get-user command, enter name="john" attributes=displayname to place the user's name in the displayName key.

    The following image shows the result of the !IPReputation ip=20.8.1.5 raw-response=true command.

    [Image: extend-context-pb.png]

    To include more than one field, separate the fields with a double colon. For example: attributes=displayName::manager=attributes.manager

  3. To output only the values for Extend Context and ignore the standard output for the command, select the Ignore Outputs checkbox.

    While this will improve performance, only the values that you request in the Extend Context field are returned. You cannot use Field Mapping as there is no output to which to map the fields.
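
The following Python sketch is an added example, not product code. It models how an Extend Context expression of key=path pairs separated by a double colon selects values from a raw response, and how Ignore Outputs changes what ends up in context. The raw response, the expression, the function names, and the plain dot-path lookup are all assumptions made for illustration; the product's own path evaluation may differ.

```python
# Simplified model of Extend Context mapping (illustration only).
# Assumption: each value is a plain dot-separated path into the raw response.

SAMPLE_RAW_RESPONSE = {  # constructed sample, not real command output
    "attributes": {
        "displayName": "John Doe",
        "manager": "CN=Jane Roe,OU=Staff,DC=example,DC=com",
        "mail": "john@example.com",
    },
    "dn": "CN=John Doe,OU=Staff,DC=example,DC=com",
}


def parse_extend_context(expression):
    """Split 'key=path::key=path' into an ordered {context_key: path} dict."""
    mappings = {}
    for pair in expression.split("::"):
        key, sep, path = pair.partition("=")
        key, path = key.strip(), path.strip()
        if not sep or not key or not path:
            raise ValueError(f"malformed Extend Context pair: {pair!r}")
        mappings[key] = path
    return mappings


def lookup(raw, path):
    """Follow a dot-separated path; return None if any segment is missing."""
    current = raw
    for segment in path.split("."):
        if not isinstance(current, dict) or segment not in current:
            return None
        current = current[segment]
    return current


def extend_context(raw, expression, standard_outputs=None, ignore_outputs=False):
    """Return the context a task would produce under this simplified model."""
    context = {} if ignore_outputs else dict(standard_outputs or {})
    for key, path in parse_extend_context(expression).items():
        value = lookup(raw, path)
        if value is not None:  # in this model a wrong path adds no key
            context[key] = value
    return context


if __name__ == "__main__":
    expr = "user=attributes.displayName::manager=attributes.manager"
    print(extend_context(SAMPLE_RAW_RESPONSE, expr, ignore_outputs=True))
```

In this model a path that does not match the raw response adds no key to context, which is why checking the paths against the raw-response=true output first is worthwhile.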