End-of-Life (EoL)

Auto Extract Indicators

Auto extract identifies indicators from different text sources in the system (such as War Room entries, email content, etc.), extracts them (usually based on regex) and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.
Enrichment takes the extracted indicator and provides detailed information about the indicator (from the open ports to
information). It provides a story about the indicator, based on an enrichment feed such as VirusTotal, IPinfo, etc.
In Cortex XSOAR, the Auto Extract feature extracts indicators and enriches their reputations using commands and scripts defined for the indicator type. Provided Auto Extract is enabled, you can configure the extraction logic according to the incident type and according to the associated field.
You can automatically extract indicators in the following scenarios:
  • When fetching incidents
  • In a playbook task
  • Using the command line
By default, Auto Extract is enabled to help you get up and running as you set up your environment. As your system matures and you start ingesting more events and have more integrations configured, using Auto Extract can adversely affect system performance.
As a result, Cortex XSOAR recommends that you turn off Auto Extract using the server configurations for the different Auto Extract options and only turn it on for those specific scenarios where it is necessary.

Auto Extract Modes

Auto Extract supports the following modes:
  • None - Indicators are not automatically extracted. Use this option when you do not want to further evaluate the indicators.
  • Inline - Indicators are extracted and enriched within the context that Auto Extract runs, and the findings are added to the Context Data. For example, if you define Auto Extract for the Phishing incident type as inline, all of the indicators for incidents classified as Phishing will be extracted and enriched before anything else happens. The playbook you defined to run by default will not run until the indicators have been fully processed. Use this option when you need to have the most robust information available per indicator. Unless otherwise configured in a system configuration, this is the default mode in which Auto Extract executes.
    This configuration will slow down your system performance.
  • Out of band - Indicators are enriched in parallel (or asynchronously) to other actions. The enriched data is available within the incident; however, it is not available for immediate use in task inputs or outputs, since the information is not available in real time.
    When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.

Global Server Configurations for Auto Extract

You can control the default behavior for auto extract using the following server configurations:
Incident ingestion
Each configuration can accept one of the following values:
  • 1 = None
  • 2 = Inline. This is the default behavior.
  • 3 = Out of Band
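The following Python model illustrates the three modes described above and the server configuration values 1, 2 and 3. It is an added example written for this page, not Cortex XSOAR code: the extraction regexes, the FAKE_FEED reputation table, the SAMPLE_TEXT and the Incident/context structures are all constructed stand-ins. What it shows is the behavioural difference a playbook author cares about: in Inline mode enrichment finishes before the first playbook task runs and the results are in context; in Out of band mode the playbook starts immediately, the indicator records eventually attach to the incident, but the context the tasks read never receives them.

```python
import re
import threading
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class AutoExtractMode(IntEnum):
    """Numeric values match the server configuration values on this page."""
    NONE = 1
    INLINE = 2
    OUT_OF_BAND = 3


# Constructed extraction regexes for three indicator types. XSOAR defines
# its own per-type regexes; these are simplified stand-ins for the demo.
PATTERNS = {
    "Email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Constructed stand-in for an enrichment feed (VirusTotal, IPinfo, ...).
FAKE_FEED: Dict[str, str] = {
    "198.51.100.7": "Bad",
    "evil.example": "Bad",
    "alice@example.com": "Good",
}


def extract_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs found in text, de-duplicated, in order."""
    found: List[Tuple[str, str]] = []
    found += [("Email", e) for e in PATTERNS["Email"].findall(text)]
    # Blank out e-mail addresses so their domain part is not extracted twice.
    remainder = PATTERNS["Email"].sub(" ", text)
    found += [("IP", ip) for ip in PATTERNS["IP"].findall(remainder)]
    found += [("Domain", d) for d in PATTERNS["Domain"].findall(remainder)]
    seen = set()
    unique = []
    for item in found:
        if item not in seen:
            seen.add(item)
            unique.append(item)
    return unique


def enrich(indicator_type: str, value: str) -> Dict[str, str]:
    """Look the indicator up in the (fake) feed and attach a reputation."""
    return {"type": indicator_type, "value": value,
            "reputation": FAKE_FEED.get(value, "Unknown")}


@dataclass
class Incident:
    raw_text: str
    context: dict = field(default_factory=dict)      # Context Data the playbook sees
    indicators: list = field(default_factory=list)   # indicator records on the incident
    background: Optional[threading.Thread] = None    # out-of-band worker, if any


def process_incident(text: str, mode: AutoExtractMode) -> Incident:
    inc = Incident(raw_text=text)
    if mode is AutoExtractMode.NONE:
        return inc                       # nothing extracted, nothing enriched
    extracted = extract_indicators(text)
    if mode is AutoExtractMode.INLINE:
        # Enrichment completes before the playbook starts and the results
        # land in context: slowest option, but the most complete one.
        inc.indicators = [enrich(t, v) for t, v in extracted]
        inc.context["Indicators"] = inc.indicators
        return inc

    # OUT_OF_BAND: enrichment runs on a worker thread while the playbook
    # proceeds. Results attach to the incident but never reach context.
    def worker() -> None:
        inc.indicators = [enrich(t, v) for t, v in extracted]

    inc.background = threading.Thread(target=worker)
    inc.background.start()
    return inc


def first_task_input(inc: Incident) -> List[str]:
    """What the first playbook task can read from context when it starts."""
    return [i["value"] for i in inc.context.get("Indicators", [])]


def wait_for_enrichment(inc: Incident) -> Incident:
    """Block until any out-of-band enrichment has finished."""
    if inc.background is not None:
        inc.background.join()
    return inc


# Constructed sample War Room / e-mail text.
SAMPLE_TEXT = ("From alice@example.com: please review http://evil.example/login "
               "reported from host 198.51.100.7")

if __name__ == "__main__":
    for mode in AutoExtractMode:
        inc = wait_for_enrichment(process_incident(SAMPLE_TEXT, mode))
        print(mode.name, "context:", first_task_input(inc),
              "incident indicators:", [i["value"] for i in inc.indicators])
```

Running the module prints one line per mode; the Out of band line shows an empty context next to a fully enriched indicator list, which is exactly the situation the page warns about when a task input expects the extracted indicators.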

How to Define Auto Extract

Incident Types
To define auto extract for a default incident type, perform the following steps. The default auto extract value for incident types is inline.
  1. Navigate to
    Settings > Advanced > Incident Types
  2. Select the incident you want to edit by clicking the checkbox and then clicking the
  3. In the auto extract drop down menu, select the mode you want to use.
  4. Click
Playbook Tasks
To define auto extract for a playbook task, perform the following steps. The default auto extract value for playbook tasks is none.
  1. In the playbook, click a task to open the Edit Task window.
  2. Click the
  3. In the auto extract drop down menu, select the mode you want to use.
  4. Click
To define auto extract using the Cortex XSOAR CLI, use the command with the script and the mode for which you are setting up auto-extract, filling in the script and mode you want to define. For example:
!EmailReputation email=email@email.com auto-extract=inline
