Create Indicator Extraction Rules for an Incident Type
Create indicator extraction rules for an incident type. Customize indicator extraction in Cortex XSOAR. Auto extract
You can extract indicators from incident fields on creation of an incident and when a field changes. For example, you want to extract the IP address upon incident creation and again when the field changes.
The indicator extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type.
- Go to.SettingsAdvancedIncident Types
- (Content Pack installed incident types) Select the incident type checkbox to define the extraction rules and the clickDetach.
- From theIndicators Extraction Rulestab, in theOn incident creationand theOn field changefields, select the required indicator extraction mode.When usingOut of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear selectInline.
- In theWhat to Extractsection, if you want to extract all incident fields, selectExtract all indicators from all fields.
- If you want to choose which indicators are extracted according to each field, selectExtract specific indicators.You can search and filter the incident fields. For each field, use the drop down menu to control the indicator types to extract:(Optional) You can select all indicators, set all indicators to none, or copy settings from an incident type by clicking (to the right of the table’s column headers).Indicator type to extractDescriptionNoneNo indicators are extracted.All indicator types with regexSome indicator types are associated with a regex (such as IP), and some are not (such as Registry Key).Only indicators that are associated with a regex are extracted.Specific indicator typesYou can choose one or more indicator types based on regex. The system extracts values that match the regex from this incident field.Select theUse field valuecheckbox, to use any indicator based on the field value (not regex based). This creates an indicator out of the entire value of the field, regardless whether the indicator type has a configured regex. This can be used in cases such as extracting hostnames.Note the following:
- It is recommended to turn off (none) incident extraction for theLabelsincident field. When an incident JSON is received from an integration, the JSON members are mapped to incident fields (based on the mapping configuration). Every member in the JSON that was not mapped to a field, will be written to theLabelsfield. If theLabelsfield extracts indicators, it can expose unmapped or unknown data to external sources. You should only map the relevant data to fields and set their extraction settings.
- If you want to extract attachments, select theattachmentfield and then selectFileas the indicator type to extract. TheFileextracts a hash (usually SHA-256), which can be viewed in the War Room. You may want to disable indicator extraction for attachments to reduce external API usage and protect restricted data (the hash) from being sent.
In this example, if an email is forwarded that potentially includes phishing, we want to extract at incident creation (inline) and upon a field change (out of band):
- Email Body: Extract all indicators.
- Email From: Extract Email only.
- Email Subject: Extract all indicators.
- Email To: Extract Email only.
Recommended For You
Recommended videos not found.