Indicator Extraction

Indicator extraction extracts indicators from XSOAR incident fields and enriches them with commands and scripts defined for the indicator extract, auto-extract
Indicator extraction identifies indicators from different text sources in the system (such as War Room entries, email content, etc), extracts them (usually based on regex) and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.
Indicator enrichment takes the extracted indicator and provides detailed information about the indicator (from open ports to
information, etc). It provides a story about the indicator, based on an enrichment feed such as VirusTotal, IPinfo, etc.
In Cortex XSOAR, the indicator extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type. Provided the indicator extraction is enabled, you can configure the extraction logic according to the incident type and according to the associated field.
You can extract indicators when fetching incidents, when incident fields are updated, and in playbook tasks. You can also use commands like
extractIndicators, enrichindicators, IP,
As your system matures and you start ingesting more events with more integrations configured, you need to consider customizing your incident type, including how to extract indicators.
Extracting indicators can adversely affect system performance. We recommend that you define extraction settings for each incident type, as needed.
For example, for Malware you may want to extract all IP addresses, for Phishing you may only want to extract IP addresses from specific email headers. For attachments, you may want to disable indicator extraction to reduce external API usage and protect restricted data (the hash) from being sent.

Create Indicator Extraction rules

You can create indicator extraction rules by using the following methods:
  • You can extract indicators from incident fields on creation of an incident and when a field changes. Indicator extraction rules are set out of the box for content pack installed incident types . For example, in a Phishing incident type, by default, in the Destination IP field, IPv6 and IP indicators are extracted. For the Detection URL field, the URL indicator field is extracted, etc.
    Provided the indicator extractions settings are enabled and depending on the rules set in the incident type, indicator extraction is automatic. For example, in a phishing incident, indicator extraction is set to extract the IP indicator (in the incident type). When the incident field updates, the IP indicator field is extracted automatically. In the War Room, you can check that the IP indicator field has been extracted by typing
    . Cortex XSOAR recognizes the indicator as an IP indicator by matching it to the IP indicator’s regex. It then extracts and enriches the indicator using an integration that uses the IP command (such as, AutoFocus, IPinfo etc).
    To edit content packs installed incident types including those propagated to a tenant or in a multi-tenant environment, you need to detach them. Once detached, the incident type does not receive new content from Cortex XSOAR. If you want to receive content updates reattach the incident type. If you want to receive content updates and save the content, duplicate the incident type. For more information, see customize incident layouts.
  • Commands: Run a command using the command line in Cortex XSOAR during an investigation.

Indicator Extraction Modes

Indicator extraction supports the following modes:
  • None
    : Indicators are not extracted automatically. Use this option when you do not want to evaluate the indicators.
  • Inline
    : Indicators are extracted within the context that indicator extraction runs (synchronously). The findings are added to the context data. For example, if you define indicator extraction for the phishing incident type as inline:
    • For incident creation, by default, the playbook you defined to run , does not run until the indicators have been extracted.
    • For an on field change, extraction occurs before the next playbook tasks run. Use this option when you need to have the most robust information available per indicator.
      • This configuration may delay playbook execution (incident creation).
      • While indicator creation is asynchronous, indicator extraction and enrichment is run synchronously. Data is placed into the incident context and is available via the context for subsequent tasks.
  • Out of band
    : Indicators are extracted in parallel (asynchronously) to other actions. The extracted data is available within the incident, but it is not available for immediate use in task inputs, or outputs, since the information is not available in real time.
    For incident creation, out of band is used in rare cases where you do not need the indicators extracted for the playbook flow. You still want to extract them and save them in the system as indicators, so that they can be reviewed at a later stage for manual review. System performance may be better as the playbook flow does not stop to extract, but if the incident contains indicators that are needed or expected in the proceeding playbook execution flow, inline should be used, as it will not execute the playbook before all indicators are extracted from the incident.
    When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear select Inline.
  • Use system default
    : Indicators are extracted according to the following server configurations (if you do not change them, default configurations apply):
    Incident creation
    : Sets the indicator extraction mode for incident creation. It extracts from all associated fields at the point of incident creation. You can change the value when editing an incident type, which overrides this system configuration for this incident type. If set to 1 (none), automatic indicator extraction is not available when manually adding notes to the War Room.
    Default is
    Type one of the following values:
    : none
    : inline
    : out of band
    Incident field change
    : Sets the indicator extraction mode for incident field change. You can change the value when editing an incident type, which overrides this system configuration for this incident type.
    Default is
    (out of band).
    : Applies to the result of the task. You can change the value when editing a task, which overrides the system configuration for this task.
    Default is
    : Applies to commands triggered from the CLI. You can change the value when using the auto-extract parameter, which overrides the system configuration for this command.
    Default is
    (out of band)

Upgrade Cortex XSOAR

When upgrading from version 6.0.x and below:
  • By default, all incident types (from a Content Pack) are detached.
  • Indicator extraction is enabled for all incident fields, but if you have already selected an extraction mode, this is not affected. For example, if it is set to “none” there will be no extraction on incident creation. It is recommended to review the incident types, and select the required extraction rules.
  • The Incident field change is set to none.

Troubleshoot Indicator Extraction

If indicators are not extracting, check whether the indicator mode is set to none. Even if you select the relevant incident fields and the indicators to extract, if the mode is set to none, indicators do not extract.
When creating new incident types, if you select
Extract all indicators from all fields
, all fields are extracted including the custom field. If you select
Extract specific indicators by default
, indicator extraction for the new custom field is set to none.
In a Multi-tenant environment, when installing a content pack in the Marketplace, the propagation labels enable the entire Content Pack to propagate to the tenant. For example, when installing the content pack (which includes an incident type) in the Marketplace, if the propagation label is set to all, it is propagated to the tenant. Even if you change the propagation label in the incident type, it has already been propagated.
The incident type labels can also propagate the incident type to additional tenants for which the content pack was not propagated.
If the incident type is not being updated in the tenant’s account, check whether the incident type is detached. If the tenant detaches the incident type, the changes are not updated from the Main Account.

Recommended For You