Extend Context using the Command Line - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-10-07
End_of_Life
EoL
Category
Administrator Guide
Abstract

Extend context to retrieve additional data from integrations or commands and map to fields. Extend context from the Cortex XSOAR command line (CLI).

You can extend context either in a playbook task or directly from the command line. Whichever method you use, Cortex XSOAR recommends that you first run the command with the raw-response=true flag. The raw response shows every field the integration returned, including fields that are not mapped to context by default, so you can identify the values you want to add to your extended context and the JSON path to each of them.

  1. Run your command with the extend-context flag, giving each new context key and the JSON path to its value in the raw response:

    !<commandName> <argumentName>=<value> extend-context=<contextKey>=<JsonOutputPath>

    To set several keys in one command, separate the key=path pairs with ::.

    For example, the following ad-get-user command adds two keys, manager and attributes, to context:

    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName

  2. To output only the values that you set with extend-context, and suppress the command's standard context output, add the ignore-output=true flag:

    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName ignore-output=true

Example

By default, after you add an IBM QRadar v3 integration instance, offenses pulled from QRadar into Cortex XSOAR return a number of fields, including event count, offense type, and description. You can use extended context to see which additional information the integration returns and to map that information to a field.

  • Run the command !qradar-offenses raw-response=true. The raw response shows that the integration retrieves a number of additional fields beyond those mapped to context by default.

  • Identify the fields that you want to add and run your command with extend-context. For example, to retrieve the number of devices affected by a given offense, as well as the domain in which those devices reside, run the following command:

    !qradar-offenses extend-context=device-count=device_count::domain-id=domain_id

The following image shows how to create an extended context key from the CLI in the playground.

playbook-extend-context-cli.png
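The following Python script is an added illustration of what the extend-context syntax used in the procedure and in the QRadar example above does; it is not Cortex XSOAR code. It parses a key=path::key=path string and resolves each path against a constructed raw response, so you can check a path against a raw-response=true dump before running the real command. The sample responses are pruned, constructed shapes, not captured QRadar or Active Directory output; the dot-path semantics (dots walk nested objects, a path applied to a list is applied to each element) are an assumption that mirrors how context paths behave, and the paths used here are written to match the constructed samples rather than the exact paths in the page's commands.

```python
"""Illustrative parser for the CLI extend-context syntax (added example).

Models how a string such as
    extend-context=device-count=device_count::domain-id=domain_id
maps fields in a command's raw response onto new context keys.
Assumptions (not verified against Cortex XSOAR internals):
  * '::' separates key=path pairs and '=' separates key from path,
  * '.' walks nested JSON objects,
  * a path applied to a list is applied to each element of the list,
  * a path that matches nothing yields None.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample: pruned shape of a qradar-offenses raw response.
SAMPLE_OFFENSES = [
    {"id": 101, "description": "Excessive Firewall Denies",
     "device_count": 3, "domain_id": 0, "event_count": 42},
    {"id": 102, "description": "Multiple Login Failures",
     "device_count": 1, "domain_id": 2, "event_count": 7},
]

# Constructed sample: pruned shape of an ad-get-user raw response.
SAMPLE_AD_USER = {
    "attributes": {
        "displayName": "Jane Doe",
        "manager": "CN=John Smith,OU=Users,DC=example,DC=com",
    }
}


def parse_extend_context(spec: str) -> List[Tuple[str, str]]:
    """Split 'k1=p1::k2=p2' (optionally prefixed with 'extend-context=')
    into [(k1, p1), (k2, p2)]."""
    if spec.startswith("extend-context="):
        spec = spec[len("extend-context="):]
    pairs: List[Tuple[str, str]] = []
    for item in spec.split("::"):
        if "=" not in item:
            raise ValueError(f"bad extend-context item: {item!r}")
        key, path = item.split("=", 1)
        pairs.append((key.strip(), path.strip()))
    return pairs


def resolve_path(data: Any, path: str) -> Any:
    """Walk a dotted path through dicts; map across lists; None if absent."""
    if isinstance(data, list):
        return [resolve_path(item, path) for item in data]
    if not path:
        return data
    head, _, rest = path.partition(".")
    if not isinstance(data, dict) or head not in data:
        return None
    return resolve_path(data[head], rest)


def extend_context(raw_response: Any, spec: str) -> Dict[str, Any]:
    """Build the extended-context keys a command would produce."""
    return {key: resolve_path(raw_response, path)
            for key, path in parse_extend_context(spec)}


def unresolved_keys(raw_response: Any, spec: str) -> List[str]:
    """Context keys whose path matched nothing: the check to run against a
    raw-response=true dump before trusting a path in a playbook."""
    bad = []
    for key, value in extend_context(raw_response, spec).items():
        values = value if isinstance(value, list) else [value]
        if all(v is None for v in values):
            bad.append(key)
    return bad


if __name__ == "__main__":
    spec = "extend-context=device-count=device_count::domain-id=domain_id"
    print(extend_context(SAMPLE_OFFENSES, spec))
    print(extend_context(SAMPLE_AD_USER,
                         "manager=attributes.manager::name=attributes.displayName"))
    print(unresolved_keys(SAMPLE_OFFENSES, "dc=device_count::bogus=no_such_field"))
```

Because the offense response is a list, each extended key holds one value per offense; a key listed by unresolved_keys means the path does not exist in that response shape, which is exactly the mistake that running with raw-response=true first is meant to catch.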