End-of-Life (EoL)

Configure What Auto Extract Executes

configure auto extract, configure auto-extract
When Auto Extract is used, it extracts all indicators that match the regex defined in an indicator type, and enriches those indicators using its commands. For example, out-of-the-box, the URL indicator is enriched using the !url command. You can decide to further enrich IP indicators by using a script that calls multiple integrations, such as urlscan.io and URLhaus.
By design, domains are extracted only from URLs and email addresses. Otherwise, the amount of incorrect extractions would be huge and every <text>.<text> would be considered as a domain indicator. So, for example, google.com will not be extracted, but https://google.com will.
  1. Navigate to
    Indicator Types
  2. Select the indicator type for which you want to configure the command or script and click
    For out of the box indicators, the Name and Regex fields are disabled.
  3. Under
    Reputation command
    , enter the command to execute when auto extracting indicators of this type.
  4. Under
    Exclude these integrations for the reputation command
    , select which integrations should not be used when executing the reputation command.
  5. Under
    Reputation Script
    , select the script to run when enriching indicators of this indicator type. The scripts override the reputation command.
  6. Click

Recommended For You