Auto Extract Indicators

The Auto Extract feature extracts indicators and enriches their reputations using commands and scripts defined for the indicator type. You can automatically extract indicators in the following scenarios:
  • Incident creation
  • In a playbook task
  • Using the command line
By default, Auto Extract is enabled for incident creation and using the command line to help you get up and running as you set up your environment. As your system matures and you start ingesting more events and have more integrations configured, using Auto Extract can adversely affect system performance.
As a result, Cortex XSOAR recommends that you turn off Auto Extract using the server configurations for the different Auto Extract options and only turn it on for those specific scenarios where it is necessary.

Auto Extract Modes

Auto Extract supports the following modes:
  • None - Indicators are not automatically extracted. Use this option when you do not want to further evaluate the indicators.
  • Inline - Indicators are extracted and enriched within the context that Auto Extract runs, and the findings are added to the Context Data. For example, if you define Auto Extract for the Phishing incident type as inline, all of the indicators for incidents classified as Phishing will be extracted and enriched before anything else happens. The playbook you defined to run by default will not run until the indicators have been fully processed. Use this option when you need to have the most robust information available per indicator. Unless otherwise configured in a system configuration, this is the default mode in which Auto Extract executes.
    This configuration may delay playbook execution (incident creation).
  • Out of band - Indicators are enriched in parallel (or asynchronously) to other actions. The enriched data is available within the incident; however, it is not available for immediate use in task inputs or outputs, since the information is not available in real time.
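
The following is a simplified model of the three modes, added here as an illustration; it is not Cortex XSOAR code. The function names, the IP regex, the stand-in enrichment call, and the sample incident text are all assumptions. It shows what the first playbook task can read from the context in each mode and what the incident holds once enrichment finishes.

```python
import asyncio
import re

# Constructed sample incident text and a stand-in reputation lookup (assumptions).
SAMPLE = "Mail from billing@example.test links to 198.51.100.7 and 203.0.113.9"
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

async def enrich(indicator):
    await asyncio.sleep(0.01)            # stands in for a slow reputation command
    return {"value": indicator, "score": "unknown"}

async def extract_and_enrich(text, context):
    found = IP_RE.findall(text)
    context["indicators"] = await asyncio.gather(*(enrich(i) for i in found))

async def run_incident(text, mode):
    """Return (what the first playbook task sees, what the incident holds at the end)."""
    context, pending = {}, None
    if mode == "inline":
        # Playbook start is held until every indicator is processed.
        await extract_and_enrich(text, context)
    elif mode == "out_of_band":
        # Enrichment is scheduled and the playbook starts immediately.
        pending = asyncio.create_task(extract_and_enrich(text, context))
    # mode == "none": nothing is extracted.
    seen_by_first_task = [i["value"] for i in context.get("indicators", [])]
    if pending:
        await pending                    # enrichment lands later in the incident
    final = [i["value"] for i in context.get("indicators", [])]
    return seen_by_first_task, final

def simulate(mode, text=SAMPLE):
    return asyncio.run(run_incident(text, mode))

if __name__ == "__main__":
    for m in ("none", "inline", "out_of_band"):
        print(m, simulate(m))
```

In this model, a playbook whose first task branches on indicator reputation needs inline, while a playbook that only needs the indicators recorded on the incident can use out of band and start without waiting.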

Global Server Configurations for Auto Extract

You can control the default behavior for auto extract using the following server configurations:
Incident creation
: applies to incident creation generally. Default is inline. You can change the value when editing an incident type, which overrides the system configuration for this incident type.
: applies to the result of the task. Default is none. You can change the value when editing a task, which overrides the system configuration for this task.
: applies to commands triggered from the CLI. Default is Out of Band. You can change the value when using the
parameter, which overrides the system configuration for this parameter.
Each configuration can accept one of the following values:
  • 1 = None
  • 2 = Inline
  • 3 = Out of Band

How to Define Auto Extract

Incident Types
To define auto extract for an incident type, do the following:
  1. Navigate to Settings > Advanced > Incident Types
  2. Select the incident you want to edit by clicking the checkbox and then clicking the
  3. In the auto extract drop down menu, select the mode you want to use.
    If you select Use system default, you use the values defined in the server configurations.
  4. Click
For an example on how to use Auto Extract, see Auto Extract Indicators from a Phishing Email.
Playbook Tasks
To define auto extract for a playbook task, do the following:
  1. Select the playbook you want to add auto extract, and click
  2. In the playbook, click a task to open the Edit Task
  3. Click the
  4. In the auto extract drop down menu, select the mode you want to use.
  5. Click
To define auto extract using the Cortex XSOAR CLI, use the auto-extract parameter with the script and the mode for which you are setting up auto-extract. For example:
!EmailReputation email=email@email.com auto-extract=inline
Fill in the script and mode you want to define.

