This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Playbook to enrich dataset data into alert context

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Playbook to enrich dataset data into alert context

PA_nts
L4 Transporter

‎12-10-2025 10:58 PM

Hi,

Is anyone able to guide me on how to achieve this perhaps?

I want to ran a task in a playbook that will do a custom query in a dataset and pull information and add it to the alert context data.. is this possible and if so guidelines would be appreciated. 

thanks in adv

0 Likes Likes
1 REPLY 1

susekar
L2 Linker

‎12-24-2025 05:55 AM

Hello @PA_nts 

 

Greetings for the day!

 

Yes, it is possible to run a task in a playbook that performs a custom query on a dataset and pulls that information into the alert context. This process is commonly referred to as Context Enrichment.

 

Guidelines for Achievement

 

Execute the XQL Query:
Use the xdr-xql-generic-query command within a playbook task to run your custom XQL query. This command allows you to target specific datasets and retrieve the necessary information.

 

Pull Data into Context:
When a playbook task executes, its output is automatically stored in the Investigation Context. You can view these results in the War Room or the Context Data viewer within the incident workbench.

 

Map Data to Specific Fields:

To Incident Context:
Use the Set script (e.g., !Set key="key_name" value="${XQL_Result_Path}") to assign specific values from the query result to a context key.

To Custom Incident Fields:
Use the setParentIncidentFields command to map data from the context into predefined custom incident fields.

 

To Alert Fields:
You can use the Set script or custom automation to populate alert-specific context data, which can then be used in subsequent tasks or for visualization in custom layouts.

Important Considerations:

Performance:
Be cautious when retrieving large numbers of results. Repeatedly calling commands to process items one-by-one can cause severe latency. It is recommended to perform operations in bulk or single calls where possible.

Debugger Limitations:
Note that the Playbook Debugger may not always fully resolve incident-level context variables (such as parentIncidentFields) as accurately as a live execution environment.

Order of Operations:
Enrichment via playbooks happens after an alert has been ingested and an incident created. You cannot use this enriched data for initial Alert Exclusion rules, as exclusions are processed before playbooks are triggered.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

 

0 Likes Likes
  • 238 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks