1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Threat Intel Management Guide
    5. Manage Indicators
    6. Indicator Extraction
    7. Create Indicator Extract Rules for a Playbook Task
    End-of-Life (EoL)

    Create Indicator Extract Rules for a Playbook Task

    Create indicator extraction rules for a playbook task in Cortex XSOAR. Auto extract for a playbook task. Edit task.
    When using indicator extraction rules, indicators are extracted from tasks in playbooks.
    The default indicator extraction value is Inline.
    You can use the following commands:
    • extractIndicators
    • Relevant reputation commands, such as
      !ip
      ,
      !file
      , etc.
    • enrichIndicators
    For more information, see Run Indicator Extraction in the CLI
    1. Select the playbook you want to add indicator extraction, and click
      Edit
      .
    2. In the playbook, click a task to open the Edit Task window.
    3. Click the
      Advanced
       tab.
    4. In the indicator extraction drop down menu, select the mode you want to use.
    5. Click
      OK
      .

    Extract Indicators from a Phishing Email

    The following scenario shows how indicator extraction is used in the
    Process Email - Generic
     playbook to extract and enrich a very specific group of indicators.
    This playbook parses the headers in the original email used in a phishing attack. It is important to parse the original email used in the phishing attack and not the email that was forwarded to ensure that you only extract the email headers from the malicious email and not the one your organization uses to report phishing attacks.
    1. Navigate to the
      Playbooks
       page and search for the
      Process Email - Generic
       playbook.
    2. Open the
      Add original email details to context
       task, click
      Set
       and select
      ParseEmailFiles
      .
      Under the
      Outputs
       tab you can see all of the different data that the task extracts.
    3. Navigate to the
      Advanced
       tab.
      Under
      Auto extract indicators
      , ensure that the
      Inline
       option is selected. This indicates that all of the outputs will be processed before the playbook moves ahead to the next task.
    4. Open the
      Display email information in layout
       task. This task receives the data from the saved attachment tasks and sets the various data points to context.
      Under the
      Advanced
       tab, ensure that
      Auto extract indicators
       is set to
      None
       because the indicators have already been extracted earlier in the
      Extract email artifacts and attachments
       task and there is no need to do it again.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo