https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/playbook-to-enrich-dataset-data-into-alert-context/m-p/1243685#M8912 <P>Hi,</P> <P>Is anyone able to guide me on how to achieve this perhaps?</P> <P>I want to ran a task in a playbook that will do a custom query in a dataset and pull information and add it to the alert context data.. is this possible and if so guidelines would be appreciated.&nbsp;</P> <P>thanks in adv</P> Thu, 11 Dec 2025 06:58:25 GMT PA_nts 2025-12-11T06:58:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/playbook-to-enrich-dataset-data-into-alert-context/m-p/1243685#M8912 <P>Hi,</P> <P>Is anyone able to guide me on how to achieve this perhaps?</P> <P>I want to ran a task in a playbook that will do a custom query in a dataset and pull information and add it to the alert context data.. is this possible and if so guidelines would be appreciated.&nbsp;</P> <P>thanks in adv</P> Thu, 11 Dec 2025 06:58:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/playbook-to-enrich-dataset-data-into-alert-context/m-p/1243685#M8912 PA_nts 2025-12-11T06:58:25Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/playbook-to-enrich-dataset-data-into-alert-context/m-p/1244567#M8928 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306035">@PA_nts</a>&nbsp;</P> <P>&nbsp;</P> <P>Greetings for the day!</P> <P>&nbsp;</P> <P>Yes, it is possible to run a task in a playbook that performs a custom query on a dataset and pulls that information into the alert context. This process is commonly referred to as Context Enrichment.</P> <P>&nbsp;</P> <P><STRONG>Guidelines for Achievement</STRONG></P> <P>&nbsp;</P> <P><STRONG>Execute the XQL Query:</STRONG><BR />Use the xdr-xql-generic-query command within a playbook task to run your custom XQL query. This command allows you to target specific datasets and retrieve the necessary information.</P> <P>&nbsp;</P> <P><STRONG>Pull Data into Context:</STRONG><BR />When a playbook task executes, its output is automatically stored in the Investigation Context. You can view these results in the War Room or the Context Data viewer within the incident workbench.</P> <P>&nbsp;</P> <P><STRONG>Map Data to Specific Fields:</STRONG></P> <P><STRONG>To Incident Context:</STRONG><BR />Use the Set script (e.g., !Set key="key_name" value="${XQL_Result_Path}") to assign specific values from the query result to a context key.<BR /><BR /></P> <P><STRONG>To Custom Incident Fields:</STRONG><BR />Use the setParentIncidentFields command to map data from the context into predefined custom incident fields.</P> <P>&nbsp;</P> <P><STRONG>To Alert Fields:</STRONG><BR />You can use the Set script or custom automation to populate alert-specific context data, which can then be used in subsequent tasks or for visualization in custom layouts.</P> <P>Important Considerations:<BR /><BR /></P> <P><STRONG>Performance:</STRONG><BR />Be cautious when retrieving large numbers of results. Repeatedly calling commands to process items one-by-one can cause severe latency. It is recommended to perform operations in bulk or single calls where possible.<BR /><BR /></P> <P><STRONG>Debugger Limitations:</STRONG><BR />Note that the Playbook Debugger may not always fully resolve incident-level context variables (such as parentIncidentFields) as accurately as a live execution environment.<BR /><BR /></P> <P><STRONG>Order of Operations:</STRONG><BR />Enrichment via playbooks happens after an alert has been ingested and an incident created. You cannot use this enriched data for initial Alert Exclusion rules, as exclusions are processed before playbooks are triggered.<BR /><BR /></P> <P>If you feel this has answered your query, please let us know by clicking like and on "<STRONG>mark this as a Solution</STRONG>".<BR /><BR /></P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> <P>&nbsp;</P> Wed, 24 Dec 2025 13:55:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/playbook-to-enrich-dataset-data-into-alert-context/m-p/1244567#M8928 susekar 2025-12-24T13:55:44Z