Extend context - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Abstract

Extend context to retrieve specific information from integrations or commands and map to fields.

By design, integrations do not write all of the data returned from a command to the context. This prevents large context size and enables you to store only the most relevant information.

The Extend Context feature enables you to save additional data from the raw response of the command. For example, when a command runs to retrieve events from a SIEM, only some of the event fields are written to context, according to the integration design. With Extend Context, you can save additional fields specific to your use case.

Extend Context can also be used when the same command runs multiple times in the same playbook, but the outputs need to be saved to different context keys. For example, you can execute the !ad-get-user command twice, once to retrieve the user's information and again to retrieve the user's manager’s information. By default, an integration command writes the data from the same command to the same context key. By using Extend Context, you can write the command’s response to a custom context key of your choice.

You can extend context either in a playbook task or directly from the command line. Whichever method you use, first run your command with the raw-response=true flag. This helps you identify the information that you want to add to your extended data.

Filter for specific keys from lists of dictionaries

You can use DT to get select keys of interest from a command that returns a list of dictionaries containing many keys. For example, the findIndicators automation returns a long list of indicator properties, but you may only be interested in saving the value and the indicator_type to minimize the size of the context data. For more information about DT, see Cortex XSOAR Transform Language (DT).

Example 15. 
  1. Run the command !findIndicators size=2 query="type:IP" raw-response=true.

    You will see a list of two dictionaries containing 20+ items.

  2. Use the following value for extend-context to save only value and indicator_type into a context key called FoundIndicators:

    !findIndicators size=2 query="type:IP" extend-context=`FoundIndicators=.={"value": val.value, "indicator_type": val.indicator_type}`
  3. Use the following value for extend-context to save only the incident name, status, and id to a key called FoundIncidents:

    !SearchIncidentsV2 id=<ANY_INCIDENT_ID> extend-context=`FoundIncidents=Contents.data={"name": val.name, "status": val.status, "id": val.id}` ignore-outputs=true

  1. Go to the Advanced tab of the relevant playbook task, such as a Data Collection task.

  2. In the Extend Context field, enter the name of the field in which you want the information to appear and the value you want to return. For example, using the !ad-get-user command, enter name="john" attributes=displayname to place the user's name in the displayName key.

    The following image shows the result of the !IPReuptation ip=20.8.1.5 raw-response=true command.

    extend-context-pb.png

    To include more than one field, separate the fields with a double colon. For example: attributes=displayName::manager=attributes.manager

  3. To output only the values for Extend context and ignore the standard output for the command, select the Ignore Outputs checkbox.

    While this will improve performance, only the values that you request in the Extend Context field are returned. You cannot use Field Mapping as there is no output to which to map the fields.

Extend context using the CLI
  1. Run your command with the extend-context flag !<commandName> <argumentName> <value>extend-context=contextKey=JsonOutputPath.

    For example, to add the user and manager fields to context use the ad-get-user command, as follows:

    !ad-get-user=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName

  2. To output only the values that you set as Extend context, run the command with the ignore-ouput flag=true. !ad-get-user=${user.manager.username} extend-context=manager=attributes.manager::attributes=displayName ignore-output=true

Example 16. Extend context using the CLI with the IBM Qradar v3 integration instance

By default, after adding an IBM Qradar v3 integration instance, incidents pulled from QRadar to Cortex XSOAR return multiple fields, including event_count, device_count, offense_type, description. You can use extend context to show which additional information is available. You can also use that information to map it to a field in Cortex XSOAR.

  • Run the command !qradar-offenses-list raw-response="true". From the context data, you should see that multiple fields are returned.

  • Identify the fields that you want to view and run your command. For example, to retrieve the number of devices affected by a given incident, as well as the domain in which those devices reside, run the following command:

    !qradar-offences-list extend-context=device-count=device_count::domain_id=domain_id