When Auto Extract is used, it extracts all
indicators that match the regex defined in an indicator type, and
enriches those indicators using its commands. For example, out-of-the-box,
the URL indicator is enriched using the !url command. You can decide
to further enrich IP indicators by using a script that calls multiple
integrations, such as urlscan.io and URLhaus.
domains are extracted only from URLs and email addresses. Otherwise,
the amount of incorrect extractions would be huge and every <text>.<text>
would be considered as a domain indicator. So, for example, google.com
will not be extracted, but https://google.com will.
Select the indicator type for which you want to configure
the command or script and click
For out of the box indicators, the Name and Regex fields
the command to execute when auto extracting indicators of this type.
Exclude these integrations for the reputation
, select which integrations should not be used
when executing the reputation command.
the script to run when enriching indicators of this indicator type.
The scripts override the reputation command.