Extend context to retrieve specific information from
integrations or commands and map to fields. Cortex XSOAR playbooks
There are situations where the data returned
by an integration or command is not exactly what you need. For example,
when you run the command
you receive information about the user's dn, email, and more. You
may only want the name of the user's manager and you may want to
store that information in a specific field.
Cortex XSOAR enables you to do that using the Extend Context
feature. Extend Context can be used as in the situation above, or
when you want to run a command multiple times and save the output
to a different key each time. Using the
run the command once to retrieve the user, and once to retrieve
the user's manager.
There are situations where an integration is configured to display
only some of the information that you retrieved. The information
is shown in context-data, but there is more available. For example,
when you run a command to retrieve offenses from a SIEM, only some
of the information is displayed, per the configuration of the instance.
You can use Extend Context to retrieve the additional information
and place it in a new field.
By default, when you run a command, either from the command line
or as part of a script or playbook, a subset of JSON fields are
returned. To display the full JSON response, run the command using