All Emergency and Alert logs agent logs are automatically contexts. In addition, some protections systematically generate contexts during an attack. This is especially the case for process hollowing, execution flow hijacking and heap spraying, among others. Some protection rules are also configured by default to generate contexts when actions are blocked, or even during suspected attacks that are not severe enough to be blocked. For more information, see Managing vulnerability exploitation and Defining access control rules.
In the context details, the size, perimeter, type and frequency of reporting to the agent handler can be configured for each individual agent group. For further information, refer to the section Configuring context details generated by agents.
You can also define the level of context detail to be sent to the Syslog server. For further information, refer to the section Creating groups of agent handlers.