Incident Context Data - Administrator Guide - 6.11 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.11
Creation date
2022-12-12
Last date published
2024-03-28
Category
Administrator Guide
Abstract

Learn about incident context data, how it is stored in Cortex XSOAR, and how to access it.

Context data is a map (dictionary) that stores structured results from data, such as commands, playbooks, and scripts. Context data includes keys (strings) and values (strings, numbers, maps, and arrays).

You can use context data to pass data between playbook tasks and capture important structured data and display it in the incident layout. Context data acts as an incident data dump from which you can map data into incident fields using a script. When an incident is generated in Cortex XSOAR and a playbook or analyst begins investigating it, context data will be written to the incident to assist with the investigation and remediation process.

Add context data to the incident using the CLI

Run the Set automation script to add data to the incident by setting a value in the context under a specific key. For example, !set key=hello value=world adds the key and value hello:world to the context.

Note

All incident data stored in incident fields are also stored in the context data. In most cases, however, not all context data is stored in incident fields. Incident fields represent a subset of the total incident data.

Add context data using a playbook

In a playbook, context data can be used as follows:

  • When configuring playbook tasks, you can use information stored in the incident context as task inputs and/or outputs. You can, optionally, apply filters and transformers to context data before using the data in playbook tasks.

  • You can also view context data while running a playbook using the debugger. Since context data may be updated during a playbook run, you can set a breakpoint to view the context data after a specific task, which can be useful for designing and troubleshooting playbooks.

By default, context data for sub-playbooks is stored in a separate context key. When a task in a main playbook accesses context data, it does not have direct access to sub-playbook data. When a task in a sub-playbook accesses context data, it does not have direct access to the main playbook data. If, however, the sub-playbook has been configured to share globally, the sub-playbook context data is available to the main playbook and vice versa.

Note

Generic polling does not work if a playbook’s context data is shared globally.

Add context data using a script

In any script that runs in an incident, the data is written to the context. For example, demisto.executeCommand("set", {"key":"<key>", "value":"<value>"}). For more information, see Set Command.

Integrations

When an incident is created, the incident data is stored in the context data, under the incident key. When an investigation is opened and integration commands are run, the data returned from those commands is also stored as context data, outside of the main incident key. In the example below, you can see the original incident data stored under the incident key and the data from the integrations, such as Wildfire, stored separately within the context data under their own keys.

context-data-example.png

For more information on how to use context data, including examples and use cases, see Context and Outputs.

Search context data

To view context data from within an incident, click on the blue-gear-icon.pngmenu and select Context Data from the drop-down. In the Context Data pane, you can use jQuery to search within the JSON for specific items and expand nested keys.

Search examples:

  • ${c} finds the value of the object c.

  • ${HelloWorld.Domain(val.domain == 'example.com')} shows the full object for the example.com domain, as stored in the context data by the domain command that is part of the HelloWorld integration.

  • ${HelloWorld.Domain(val.domain == 'example.com').registrar} shows the registrar for the example.com domain, as stored in the context data by the domain command that is part of the HelloWorld integration.

  • ${HelloWorld.Alert(val.alert_status === "ACTIVE").alert_id} fetches the HelloWorld.Alert.alert_id of all ACTIVE alerts.

You can also write jQuery scripts using complex logic to access, aggregate, and change context data. For more information, see Cortex XSOAR Transform Language (commonly referred to as DT).