Use incident context data - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-14
Category: Administrator Guide
Solution: Cloud
Abstract

Use context data to customize your incident layout and to populate your incidents in Cortex XSOAR.

Context data is a map (dictionary) that stores results from data, such as commands, playbooks, and scripts in a structured format. Context data includes keys (strings) and values (strings, numbers, maps, and arrays). Context data at its core is a large JSON structure, which represents all the data that is part of an incident. All incidents have context data.

You can use context data to pass data between playbook tasks, capture important structured data, and display it in the incident layout. Context data acts as an incident data dump from which you can map data into incident fields. When an incident is generated in Cortex XSOAR and a playbook or analyst begins investigating it, context data will be written to the incident to assist with the investigation and remediation process.

When an incident is created, the incident data is stored in the context data, under the incident key. When an investigation is opened and integration commands are run, data returned from those commands is also stored outside of the main incident key. In the following example, you can see the original incident data stored under the incident key and the data from the integrations, such as Wildfire, stored separately within the context data under their keys.

[Figure: context-data-example.png]

Consider the following when working with context data:

  • Add keys and values to the context data, such as the incident status, actions, and ID. This is useful when developing playbooks and scripts.

  • Add context data to incident fields in a layout to capture important and relevant information to assist with investigation and remediation.

Search context data

To view context data from within an incident, click on the Side panels menu and select Context Data from the dropdown. In the Context Data pane, you can use Query to search within the JSON for specific items and expand nested keys.

Examples:
  • ${c} finds the value of the object c.

  • ${HelloWorld.Domain(val.domain == 'example.com')} shows the full object for the example.com domain, as stored in the context data by the domain command that is part of the HelloWorld integration.

  • ${HelloWorld.Domain(val.domain == 'example.com').registrar} shows the registrar for the example.com domain, as stored in the context data by the domain command that is part of the HelloWorld integration.

  • ${HelloWorld.Alert(val.alert_status === "ACTIVE").alert_id} fetches the HelloWorld.Alert.alert_id of all ACTIVE alerts.

You can also write jQuery scripts using complex logic to access, aggregate, and change context data. For more information, see Cortex XSOAR Transform Language (commonly referred to as DT).
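As an added example, not code from the page or from Cortex XSOAR itself, the following Python implements a simplified evaluator for the ${Key.Sub(filter).field} query shape shown above. It runs against a constructed context map laid out the way the page describes (the original incident under the incident key, the HelloWorld integration's output under its own key) and generalises the four queries to any dotted path with an optional val.<field> comparison in each segment. That is a small subset of DT; the SAMPLE_CONTEXT values and the function names are assumptions.

```python
import re

# Constructed sample context (not taken from the page): the original incident
# sits under the "incident" key and the HelloWorld integration's outputs sit
# under their own top-level key, as the page describes.
SAMPLE_CONTEXT = {
    "incident": {"id": "123", "name": "Suspicious domain", "severity": 2},
    "HelloWorld": {
        "Domain": [
            {"domain": "example.com", "registrar": "Example Registrar Inc."},
            {"domain": "example.org", "registrar": "Other Registrar"},
        ],
        "Alert": [
            {"alert_id": "a-1", "alert_status": "ACTIVE"},
            {"alert_id": "a-2", "alert_status": "CLOSED"},
            {"alert_id": "a-3", "alert_status": "ACTIVE"},
        ],
    },
    "c": "plain value",
}

# One path segment: a key with an optional (filter) suffix.
SEGMENT_RE = re.compile(r"([A-Za-z_]\w*)(?:\((.*)\))?")
# Supported filter shape: val.<field> <op> <literal>, with == / === / != / !==.
FILTER_RE = re.compile(
    r"""^\s*val\.([A-Za-z_]\w*)\s*(===|==|!==|!=)\s*(?:'([^']*)'|"([^"]*)"|(-?\d+))\s*$"""
)


def split_path(path):
    """Split "A.B(val.x == 'y').c" on the dots that are outside parentheses."""
    segments, current, depth = [], [], 0
    for ch in path:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "." and depth == 0:
            segments.append("".join(current))
            current = []
        else:
            current.append(ch)
    segments.append("".join(current))
    return segments


def matches(filter_text, node):
    """Evaluate one val.<field> <op> <literal> filter against a context object."""
    m = FILTER_RE.match(filter_text)
    if not m:
        raise ValueError("unsupported filter: %r" % filter_text)
    field, op, single, double, number = m.groups()
    literal = int(number) if number is not None else (single if single is not None else double)
    if not isinstance(node, dict) or field not in node:
        return False
    actual = node[field]
    if op in ("===", "!=="):  # strict: type and value must both agree
        equal = type(actual) is type(literal) and actual == literal
    else:  # loose: compare the textual forms
        equal = str(actual) == str(literal)
    return equal if op in ("==", "===") else not equal


def evaluate(expression, context):
    """Resolve a ${Key.Sub(filter).field} expression against a context map."""
    m = re.fullmatch(r"\s*\$\{(.+)\}\s*", expression)
    if not m:
        raise ValueError("expected ${...}: %r" % expression)
    nodes = [context]
    for segment in split_path(m.group(1)):
        sm = SEGMENT_RE.fullmatch(segment.strip())
        if not sm:
            raise ValueError("bad path segment: %r" % segment)
        key, filter_text = sm.groups()
        selected = []
        for node in nodes:
            if isinstance(node, dict) and key in node:
                value = node[key]
                # Lists are flattened so later segments apply to each element.
                selected.extend(value if isinstance(value, list) else [value])
        if filter_text is not None:
            selected = [n for n in selected if matches(filter_text, n)]
        nodes = selected
    # Mirror the query results above: one match comes back bare, several as a list.
    if not nodes:
        return None
    return nodes[0] if len(nodes) == 1 else nodes


if __name__ == "__main__":
    for expr in (
        "${c}",
        "${HelloWorld.Domain(val.domain == 'example.com').registrar}",
        '${HelloWorld.Alert(val.alert_status === "ACTIVE").alert_id}',
    ):
        print(expr, "->", evaluate(expr, SAMPLE_CONTEXT))
```

The flattening step is the part worth noticing: because Domain and Alert are lists, a filter on one segment selects elements, and the next segment (registrar, alert_id) is read from each selected element, which is why the ACTIVE query returns every matching alert_id rather than one.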


Customize incident fields and layouts using context data

When fetching incidents from an integration, some important data may not have been picked up in the incident layout. For example, the context data may return the source user, event type, URL category, and suspicious URL but these fields may not appear as fields or in the layout. For more information about customization, see Incident Customization.

Use context data in a playbook

The main use of context data is to pass data between playbook tasks: one task stores its output in the context, and another task reads that output from the context and uses it. For more information about how to use context data, including examples and use cases, see Context and Outputs.

In a playbook, you can use context data in the following situations:

  • Inputs and outputs in playbook tasks

    You can use the information stored in the incident context and apply filters and transformers to context data before using the data in playbook tasks.

  • Write playbook data to the incident context

    Add a task to use context data to run additional playbooks as required.

  • Test playbooks by using the playbook debugger

    While running a playbook in the playbook debugger, set a breakpoint to view the context data after a specific task. Because context data may be updated during a playbook run, this is useful for designing and troubleshooting playbooks.

By default, context data for sub-playbooks is stored in a separate context key. When a task in a sub-playbook accesses context data, it does not have direct access to the main playbook data. If, however, the sub-playbook has been configured to share globally, the sub-playbook context data is available to the main playbook and vice versa.

Note

Generic polling does not work if a playbook’s context data is shared globally. For more information, see Playbook polling.

Use context data in a script

Any script that runs in an incident can write data to the incident context, for example with demisto.executeCommand("set", {"key": "<key>", "value": "<value>"}). For more information, see Set Command.

Add/delete context data using the CLI

To add context data to an incident, run the Set command in the CLI. The Set command enables you to set a value under a specific key. For more information about the Set command, see Set Command.

In the incident that you are investigating, run the !Set command. For example, to add the key and value hello:world to the context data, run the following command:

!Set key="hello" value="world"

Note

All incident data stored in incident fields is also stored in the context data. In most cases, however, not all context data is stored in incident fields. Incident fields represent a subset of the total incident data.

In the incident whose context data you want to delete, run the DeleteContext command in the CLI. For example, to delete the key and value hello:world from the context data, run the following command:

!DeleteContext key="hello"
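As an added example, not the Set or DeleteContext automations themselves, here is a small Python model of what the two CLI commands above do to the context map. set_context mirrors !Set key=... value=..., including an append option that I am assuming corresponds to the Set command's append argument for accumulating values into a list; delete_context mirrors !DeleteContext key=.... Dotted keys are treated as nested paths, and all sample values are constructed.

```python
import copy


def _parent_of(context, parts, create):
    """Walk to the dict that holds the last path part, creating levels if asked."""
    node = context
    for part in parts[:-1]:
        if not isinstance(node.get(part), dict):
            if not create:
                return None  # path does not exist; nothing to delete
            node[part] = {}
        node = node[part]
    return node


def set_context(context, key, value, append=False):
    """Model of !Set: store value under key (dotted keys nest).

    With append=True an existing value is kept and the new one is added,
    turning the key into a list, instead of being overwritten.
    """
    updated = copy.deepcopy(context)  # return a new map, like a fresh context snapshot
    parts = key.split(".")
    parent = _parent_of(updated, parts, create=True)
    leaf = parts[-1]
    if append and leaf in parent:
        existing = parent[leaf]
        parent[leaf] = (existing if isinstance(existing, list) else [existing]) + [value]
    else:
        parent[leaf] = value
    return updated


def delete_context(context, key):
    """Model of !DeleteContext: remove key (dotted keys nest); missing keys are a no-op."""
    updated = copy.deepcopy(context)
    parts = key.split(".")
    parent = _parent_of(updated, parts, create=False)
    if parent is not None:
        parent.pop(parts[-1], None)
    return updated


if __name__ == "__main__":
    # Constructed walk-through of the page's two commands on an empty context.
    ctx = set_context({}, "hello", "world")       # !Set key="hello" value="world"
    print(ctx)
    ctx = set_context(ctx, "hello", "again", append=True)
    print(ctx)
    ctx = delete_context(ctx, "hello")            # !DeleteContext key="hello"
    print(ctx)
```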