Configure a command or script to run during indicator
extraction in Cortex XSOAR. Reputation command, configure auto extract,
When indicator extraction is used, it extracts
indicators defined in an indicator type, and enriches those indicators
using its commands. For example, out-of-the-box, the URL indicator
is enriched using the
command. You can
decide to further enrich IP indicators by using a script that calls
multiple integrations, such as urlscan.io and URLhaus.
design, domains are extracted only from URLs and email addresses.
Otherwise, the amount of incorrect extractions would be huge and
every <text>.<text> would be considered as a domain indicator.
So, for example, google.com will not be extracted, but https://google.com
Select the indicator type for which you want to configure
the command or script and click
For out of the box indicators, the Name and Regex fields
the command to execute when auto extracting indicators of this type.
Exclude these integrations for the reputation
, select which integrations should not be used
when executing the reputation command.
the script to run when enriching indicators of this indicator type.
The scripts override the reputation command.