End-of-Life (EoL)

Extend Context using the Command Line

You can extend context either in a playbook task or directly from the command line. Whichever method you use, Cortex XSOAR recommends that you first run your command with the raw-response=true flag. This helps you identify the information that you want to add to your extended data.
  1. Run your command with the extend-context flag
    <argumentName> <value>
    For example, to add the user and manager fields to context, use the ad-get-user command as follows:
    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::user=attributes.displayName
  2. To output only the values that you set as extend context, run the command with the ignore-output=true flag.
    !ad-get-user username=${user.manager.username} extend-context=manager=attributes.manager::user=attributes.displayName ignore-output=true


By default, offenses pulled from QRadar to Cortex XSOAR return 11 fields, including event count, offense type, description, and more. In the following example, we use extended context to show which additional information is available and how to map it to a field:
  • Run the following command:
    !qradar-offenses raw-response="true"
    You see that there are an additional 20 fields or so that are retrieved.
  • Identify the fields that you want to add and run your command. For example, to retrieve the number of devices affected by a given offense, as well as the domain in which those devices reside, run the following command:
    !qradar-offenses extend-context=device-count=device_count::domain-id=domain_id
The following image shows how to create an extended context key from the CLI in the playground.
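
The following is an added example, not part of the Cortex XSOAR documentation or product code. It models the extend-context expressions shown above offline, so you can check which context keys an expression would produce from a raw response and which paths match nothing. It assumes paths are dot-separated keys through nested objects, which is a simplification. The function names and sample responses are constructed for illustration.

```python
"""Offline model of an extend-context mapping (added example, not Cortex XSOAR code)."""

def parse_extend_context(expr):
    """Split 'key=path::key=path' into {context_key: path}."""
    mapping = {}
    for pair in expr.split("::"):
        key, sep, path = pair.partition("=")
        if not sep or not key.strip() or not path.strip():
            raise ValueError(f"malformed pair: {pair!r}")
        mapping[key.strip()] = path.strip()
    return mapping

def resolve(raw, path):
    """Follow a dot-separated path through nested dicts. Returns (found, value).
    Assumption: simple key lookup only; this is not the product's path engine."""
    node = raw
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return False, None
        node = node[part]
    return True, node

def preview(expr, raw):
    """Return (context, unresolved): keys that would be set, and paths that matched nothing."""
    context, unresolved = {}, []
    for key, path in parse_extend_context(expr).items():
        found, value = resolve(raw, path)
        if found:
            context[key] = value  # falsy values such as 0 are still valid data
        else:
            unresolved.append(path)
    return context, unresolved

# Constructed samples shaped like the fields named on this page; not real command output.
SAMPLE_AD_USER = {"attributes": {"displayName": "Jane Doe",
                                 "manager": "CN=John Roe,OU=Users,DC=example,DC=com"}}
SAMPLE_OFFENSE = {"id": 42, "device_count": 3, "domain_id": 0, "event_count": 118}

if __name__ == "__main__":
    print(preview("manager=attributes.manager::user=attributes.displayName", SAMPLE_AD_USER))
    print(preview("device-count=device_count::domain-id=domain_id", SAMPLE_OFFENSE))
    # A mistyped field name shows up as an unresolved path instead of a context key.
    print(preview("device-count=device_cnt::domain-id=domain_id", SAMPLE_OFFENSE))
```
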
