Configure What Indicator Extraction Executes

Configure a command or script to run during indicator extraction in Cortex XSOAR.
When indicator extraction is used, it extracts indicators defined in an indicator type, and enriches those indicators using its commands. For example, out-of-the-box, the URL indicator is enriched using the !url command. You can decide to further enrich IP indicators by using a script that calls multiple integrations, such as urlscan.io and URLhaus.
By design, domains are extracted only from URLs and email addresses. Otherwise, the number of incorrect extractions would be huge, because every <text>.<text> would be considered a domain indicator. So, for example, google.com will not be extracted, but https://google.com will.
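The design choice described above, as an added illustration (this is not Cortex XSOAR's extraction code): a naive <text>.<text> pattern is compared with extraction anchored to URLs and email addresses. The regular expressions, function names and sample text are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed patterns for illustration; the product's real regexes are not shown on this page.
NAIVE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)   # any <text>.<text>
URL = re.compile(r"\bhttps?://[^\s<>\"']+", re.I)               # URL with a scheme
EMAIL = re.compile(r"\b[a-z0-9._%+-]+@([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)

def naive_domains(text):
    """Treat every dotted token as a domain (the behaviour the design avoids)."""
    return sorted({m.group(0).lower() for m in NAIVE.finditer(text)})

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def anchored_domains(text):
    """Return domains only when they appear inside a URL or an email address."""
    found = set()
    for m in URL.finditer(text):
        try:
            host = (urlsplit(m.group(0)).hostname or "").rstrip(".")
        except ValueError:          # malformed authority, e.g. a broken IPv6 literal
            continue
        if "." in host and not _is_ip(host):
            found.add(host.lower())
    for m in EMAIL.finditer(text):
        found.add(m.group(1).lower())
    return sorted(found)

# Constructed sample incident text.
SAMPLE = (
    "User opened invoice.pdf from billing@example.org, then visited "
    "https://login.example.com/reset and ran setup.exe v2.4.1. "
    "Analyst note: google.com was mentioned in chat."
)

if __name__ == "__main__":
    print("naive   :", naive_domains(SAMPLE))
    print("anchored:", anchored_domains(SAMPLE))
```

On the sample text the naive pattern reports file names and a version string as domains, while the anchored version returns only the hosts taken from the URL and the email address.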
  1. Navigate to Settings > Advanced > Indicator Types.
  2. Select the indicator type for which you want to configure the command or script and click Edit.
     For out of the box indicators, the Name and Regex fields are disabled.
  3. Under Reputation command, enter the command to execute when auto extracting indicators of this type.
  4. Under Exclude these integrations for the reputation command, select which integrations should not be used when executing the reputation command.
  5. Under Reputation Script, select the script to run when enriching indicators of this indicator type. The scripts override the reputation command.
  6. Click Save.
