Extend Context

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-03-21
End_of_Life: EoL
Category: Administrator Guide

Abstract: Extend context to retrieve specific information from integrations or commands and map to fields.

By design, integrations do not write all of the data returned from a command to the context. This prevents large context size and enables you to store only the most relevant information.

The Extend Context feature enables you to save additional data from the raw response of the command. For example, when a command runs to retrieve events from a SIEM, only some of the event fields are written to context, according to the integration design. With Extend Context, you can save additional fields specific to your use case.

Extend Context can also be used when the same command is run multiple times in the same playbook, but the outputs need to be saved to different context keys. For example, you might want to execute the !ad-get-user command twice, once to retrieve the user's information and again to retrieve the information of the user's manager. By default, an integration command writes the data from every run of the same command to the same context key. By using Extend Context, you can write the command's response to a custom context key of your choice.
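The two-run case above, as an added Python model that is not Cortex XSOAR code or part of the original guide: each run writes its default outputs to one fixed key, while an Extend Context spec copies chosen raw-response fields to custom keys. The spec format ("contextKey=path" items joined by "::"), the raw-response shape, the context key names and all function names are assumptions made for illustration.

```python
# Simplified model of Extend Context (added example, not Cortex XSOAR code).
# Assumed spec format: "contextKey=path::contextKey2=path2", dot-separated paths.

def dig(raw, path):
    """Follow a dot-separated path through nested dicts; None if absent."""
    node = raw
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def parse_spec(spec):
    """Split the spec into (context_key, raw_response_path) pairs."""
    pairs = []
    for item in spec.split("::"):
        key, sep, path = item.partition("=")
        if not sep or not key.strip() or not path.strip():
            raise ValueError(f"malformed extend-context item: {item!r}")
        pairs.append((key.strip(), path.strip()))
    return pairs

def default_outputs(raw):
    """Hypothetical integration design: only two fields reach the context."""
    attrs = raw["attributes"]
    return {"name": attrs["name"], "mail": attrs["mail"]}

def run_ad_get_user(context, raw, extend_context=None):
    """Write default outputs to the command's fixed key, then extended keys."""
    context["ActiveDirectory.Users"] = default_outputs(raw)  # same key every run
    for key, path in parse_spec(extend_context) if extend_context else []:
        value = dig(raw, path)
        if value is not None:  # a missing path adds no key
            context[key] = value
    return context

# Constructed raw responses for the two runs described above.
USER_RAW = {"attributes": {"name": "jdoe", "mail": "jdoe@example.com",
                           "manager": "amiller", "lastLogon": "2022-09-01"}}
MANAGER_RAW = {"attributes": {"name": "amiller", "mail": "amiller@example.com",
                              "manager": "ceo", "lastLogon": "2022-09-02"}}

def demo():
    plain = run_ad_get_user(run_ad_get_user({}, USER_RAW), MANAGER_RAW)
    extended = run_ad_get_user({}, USER_RAW,
        "User=attributes::UserLastLogon=attributes.lastLogon")
    run_ad_get_user(extended, MANAGER_RAW, "Manager=attributes")
    return plain, extended

if __name__ == "__main__":
    for name, ctx in zip(("plain", "extended"), demo()):
        print(name, sorted(ctx))
```

In this model the second plain run replaces the first under the shared key; how a real integration merges repeated outputs depends on its design.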

You can extend context either in a playbook task or directly from the command line.