04-10-2025 05:14 AM - edited 04-10-2025 05:19 AM
Hi All
very simple task running the 'set' script in a very basic playbook in xsiam
i am trying to pull the 'xsiam url link to the incident' from the incident context data ${parentIncidentFields.xdr_url} into a set task.. but it keeps showing as empty.
any idea how i can pull an incident field into the playbook task?
if i do ${alert.name} for example, it works fine but i cannot seem to pull anything from the incident context data, only the alert context data. is it even possible? should be. in my 'transformer and alerts' toolset, it works if i do a test run against an alert with ${parentIncidentFields.xdr_url} and it shows the desired URL. but soon as i run it from the playbook it just shows nothing.
to add: from the warroom inside an alert, it works if i do this command
!set key=xsiamurl value=${parentIncidentFields.xdr_url}
thanks in adv
04-14-2025 06:08 AM
do you try execute playbook task directly from alert in the incident or from the 'editor'?
Debug/edit can have error during returning values from the incident. But it should work when you directly run the playbook from the alert.
04-14-2025 08:14 AM
Hi Thanks..
yes managed to figure it out.. i think.
so when I use the debugger panel it does not seem to be able to pull the incident field data from the incident as I suspect it cannot link the incident to the alert.
then if i run the playbook in the alert's warroom then it works fine as expected..
so will make sure not to to rely on the debugger panel too much next time :- )
thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
