1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Manage Indicators
    6. Indicator Extraction
    7. Configure What Indicator Extraction Executes

    Configure What Indicator Extraction Executes

    Configure a command or script to run during indicator extraction in Cortex XSOAR. Reputation command, configure auto extract, configure auto-extract
    When indicator extraction is used, it extracts indicators defined in an indicator type, and enriches those indicators using its commands. For example, out-of-the-box, the URL indicator is enriched using the
    !url
     command. You can decide to further enrich IP indicators by using a script that calls multiple integrations, such as urlscan.io and URLhaus.
    By design, domains are extracted only from URLs and email addresses. Otherwise, the amount of incorrect extractions would be huge and every <text>.<text> would be considered as a domain indicator. So, for example, google.com will not be extracted, but https://google.com will.
    1. Navigate to
      Settings
      OBJECTS SETUP
      Indicators
      Types
      .
    2. Select the indicator type for which you want to configure the command or script and click
      Edit
      .
      For out-of-the-box indicators, the Name and Regex fields are disabled.
    3. Under
      Reputation command
      , enter the command to execute when auto extracting indicators of this type.
    4. Under
      Exclude these integrations for the reputation command
      , select which integrations should not be used when executing the reputation command.
    5. Under
      Reputation Script
      , select the script to run when enriching indicators of this indicator type. The scripts override the reputation command.
    6. Click
      Save
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo