Auto Extract Indicators

The Auto Extract feature extracts indicators and enriches their reputations using commands and scripts defined for the indicator type. You can automatically extract indicators in the following scenarios:
  • When fetching incidents
  • In a playbook task
  • Using the command line
By default, Auto Extract is enabled to help you get up and running as you set up your environment. As your system matures and you start ingesting more events and have more integrations configured, using Auto Extract can adversely affect system performance.
As a result, Cortex XSOAR recommends that you turn off Auto Extract using the server configurations for the different Auto Extract options and only turn it on for those specific scenarios where it is necessary.

Auto Extract Modes

Auto Extract supports the following modes:
  • None - Indicators are not automatically extracted. Use this option when you do not want to further evaluate the indicators.
  • Inline - Indicators are extracted and enriched within the context in which Auto Extract runs, and the findings are added to the Context Data. For example, if you define Auto Extract for the Phishing incident type as inline, all of the indicators for incidents classified as Phishing are extracted and enriched before anything else happens. The playbook you defined to run by default does not run until the indicators have been fully processed. Use this option when you need the most robust information available per indicator. Unless otherwise configured in a system configuration, this is the default mode in which Auto Extract executes.
    This configuration will slow down your system performance.
  • Out of band - Indicators are enriched in parallel (asynchronously) with other actions. The enriched data is available within the incident; however, it is not available for immediate use in task inputs or outputs, because the information is not available in real time.

Global Server Configurations for Auto Extract

You can control the default behavior for auto extract using the following server configurations:
  Component           Key
  Incident ingestion  reputation.calc.algorithm
  Tasks               reputation.calc.algorithm.tasks
  Manual              reputation.calc.algorithm.manual
Each configuration can accept one of the following values:
  • 1 = None
  • 2 = Inline. This is the default behavior.
  • 3 = Out of Band
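The following is an added illustration, not taken from the Cortex XSOAR documentation, of the default settings next to the baseline this page recommends (Auto Extract off everywhere, then re-enabled only per incident type or playbook task where needed). It assumes each pair is entered as a separate Key/Value server configuration; the key = value layout here is only for readability.

```text
# Effective defaults when no server configuration is set (2 = Inline):
# every ingested incident, every task and every manual command extracts
# and enriches inline, which this page warns slows the system down.
reputation.calc.algorithm        = 2
reputation.calc.algorithm.tasks  = 2
reputation.calc.algorithm.manual = 2

# Recommended baseline (1 = None): turn Auto Extract off globally, then
# opt in per incident type (Settings > Advanced > Incident Types) or per
# playbook task (Edit Task > Advanced) with Inline or Out of band.
reputation.calc.algorithm        = 1   # incident ingestion
reputation.calc.algorithm.tasks  = 1   # playbook tasks
reputation.calc.algorithm.manual = 1   # manual / command line
```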

How to Define Auto Extract

Incident Types
To define auto extract for a default incident type, perform the following steps. The default auto extract value for incident types is inline.
  1. Navigate to Settings > Advanced > Incident Types.
  2. Select the incident type you want to edit by clicking the checkbox and then clicking the Edit button.
  3. In the auto extract drop-down menu, select the mode you want to use.
  4. Click Save.
Playbook Tasks
To define auto extract for a playbook task, perform the following steps. The default auto extract value for playbook tasks is none.
  1. In the playbook, click a task to open the Edit Task window.
  2. Click the Advanced tab.
  3. In the auto extract drop-down menu, select the mode you want to use.
  4. Click OK.
Cortex XSOAR CLI
To define auto extract using the Cortex XSOAR CLI, add the auto-extract= argument to the command for the script you are running, followed by the mode you want to use. For example, !EmailReputation email=email@email.com auto-extract=inline runs the EmailReputation script with auto extract set to inline; substitute the script and mode you want to define.
