topic Re: Extract Incident context data using 'set' script in Cortex XSIAM Discussions

Extract Incident context data using 'set' script

PA_nts — Thu, 10 Apr 2025 12:19:55 GMT

Hi All

very simple task running the 'set' script in a very basic playbook in xsiam

i am trying to pull the 'xsiam url link to the incident' from the incident context data ${parentIncidentFields.xdr_url} into a set task.. but it keeps showing as empty.

any idea how i can pull an incident field into the playbook task?

if i do ${alert.name} for example, it works fine but i cannot seem to pull anything from the incident context data, only the alert context data. is it even possible? should be. in my 'transformer and alerts' toolset, it works if i do a test run against an alert with ${parentIncidentFields.xdr_url} and it shows the desired URL. but soon as i run it from the playbook it just shows nothing.

to add: from the warroom inside an alert, it works if i do this command

!set key=xsiamurl value=${parentIncidentFields.xdr_url}

thanks in adv

Re: Extract Incident context data using 'set' script

MDovirak — Mon, 14 Apr 2025 13:08:55 GMT

do you try execute playbook task directly from alert in the incident or from the 'editor'?
Debug/edit can have error during returning values from the incident. But it should work when you directly run the playbook from the alert.

Re: Extract Incident context data using 'set' script

PA_nts — Mon, 14 Apr 2025 15:14:08 GMT

Hi Thanks..

yes managed to figure it out.. i think.

so when I use the debugger panel it does not seem to be able to pull the incident field data from the incident as I suspect it cannot link the incident to the alert.

then if i run the playbook in the alert's warroom then it works fine as expected..

so will make sure not to to rely on the debugger panel too much next time :- )

thanks