Create Indicator Extract Rules for a Playbook Task

Create indicator extraction rules for a playbook task in Cortex XSOAR. Auto extract for a playbook task. Edit task.
When using indicator extraction rules, indicators are extracted from tasks in playbooks.
The default indicator extraction value is Inline.
You can use the following commands:
  • extractIndicators
  • Relevant reputation commands, such as
    , etc.
  • enrichIndicators
For more information, see Run Indicator Extraction in the CLI
  1. Select the playbook you want to add indicator extraction, and click
  2. In the playbook, click a task to open the Edit Task window.
  3. Click the
  4. In the indicator extraction drop down menu, select the mode you want to use.
  5. Click
    For an example on how to use indicator extraction, see Extract Indicators from a Phishing Email.

Recommended For You