Extend Context in a Playbook Task - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-04-17
Last date published
2024-07-11
Category
Administrator Guide
Solution
Cloud
Abstract

Extend context to retrieve additional data from integrations or commands and map to fields. Extend context in a playbook task.

You can extend context either in a playbook task, or directly from the command line. Whichever method you use, Cortex XSOAR recommends that you first run your command with the raw-response=true flag. This helps you identify the information that you want to add to your extended data.

  1. Go to the Advanced tab of the relevant playbook task.

  2. In the Extend Context field, enter the name of the field in which you want the information to appear and the value you want to return.

    The following image shows the result of the !IPReputation ip=20.8.1.5 raw-response=true command, which extends the context of the field name ip with the IP address 20.8.1.5.

    playbook-extend-context.png

    To include more than one field, separate the fields with a double colon. For example: attributes=displayName::manager=attributes.manager

  3. To output only the values for Extend Context and ignore the standard output for the command, select the Ignore Outputs checkbox.

    While this will improve performance, only the values that you request in the Extend Context field are returned. You cannot use Field Mapping as there is no output to which to map the fields.