Create Indicator Extraction Rules for an Incident Type

You can extract indicators from incident fields when an incident is created and when a field changes. For example, you might want to extract the IP address when the incident is created and again when that field changes.
The indicator extraction feature extracts indicators from incident fields and enriches them using the commands and scripts defined for each indicator type.
  1. Go to
  2. (Content Pack installed incident types) Select the incident type checkbox to define the extraction rules and then click
  3. Click
  4. From the Indicators Extraction Rules tab, in the On incident creation and the On field change fields, select the required indicator extraction mode. If you select Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.
  5. In the What to Extract section, if you want to extract all incident fields, select Extract all indicators from all fields.
  6. If you want to choose which indicators are extracted according to each field, select Extract specific indicators. You can search and filter the incident fields. For each field, use the drop-down menu to control the indicator types to extract. You can select all indicators, set all indicators to none, or copy the settings from another incident type by clicking the icon to the right of the table's column headers.
     Indicator type to extract:
     • None: No indicators are extracted.
     • All indicator types with regex: Some indicator types are associated with a regex (such as IP), and some are not (such as Registry Key). Only indicators that are associated with a regex are extracted.
     • Specific indicator types: You can choose one or more indicator types based on regex. The system extracts values that match the regex from this incident field.
     Select the Use field value checkbox to create an indicator from the field value itself (not regex based). This creates an indicator out of the entire value of the field, regardless of whether the indicator type has a configured regex. This can be used in cases such as extracting hostnames.
     Note the following:
     • It is recommended to turn off incident extraction for the field that receives unmapped JSON members. When an incident JSON is received from an integration, the JSON members are mapped to incident fields (based on the mapping configuration). Every member in the JSON that was not mapped to a field is written to that field. If that field extracts indicators, it can expose unmapped or unknown data to external sources. You should map only the relevant data to fields and set their extraction settings.
     • If you want to extract attachments, select the attachment field and then select the file indicator type as the indicator type to extract. The extraction produces a hash (usually SHA-256), which can be viewed in the War Room. You may want to disable indicator extraction for attachments to reduce external API usage and to prevent restricted data (the hash) from being sent.
  7. Click
In this example, if an email that potentially includes phishing is forwarded, we want to extract at incident creation (inline) and upon a field change (out of band):
  • Email Body: Extract all indicators.
  • Email From: Extract Email only.
  • Email Subject: Extract all indicators.
  • Email To: Extract Email only.
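To make the difference between the per-field modes concrete, the following added example models the rules described above in Python and applies them to a constructed phishing-style incident. It is not Cortex XSOAR code: the regexes, the field names (emailbody, emailfrom, labels, and so on), the FieldRule model and the mode names are all assumptions made for illustration. It also shows the two caveats from the notes: a field that collects unmapped data is set to None so nothing from it is extracted, and Use field value produces a Hostname indicator for a type that has no regex.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in regexes for a few indicator types. They are illustrative
# only, not the regexes Cortex XSOAR ships for its built-in indicator types.
INDICATOR_REGEX: Dict[str, "re.Pattern"] = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "URL": re.compile(r"https?://[^\s\"'<>]+"),
}
# Types with no regex (the page names Registry Key as one) can only be produced
# through "Use field value", never through regex-based modes.
REGEX_LESS_TYPES = {"Registry Key", "Hostname"}


@dataclass
class FieldRule:
    """Hypothetical model of one field's choices in the extraction rules table."""
    mode: str                                      # "none", "all_regex" or "specific"
    types: Set[str] = field(default_factory=set)   # used only when mode == "specific"
    use_field_value: Optional[str] = None          # indicator type to create from the whole value


def extract_field(value: str, rule: FieldRule) -> Dict[str, Set[str]]:
    """Return {indicator_type: {values}} found in a single field under its rule."""
    found: Dict[str, Set[str]] = {}
    if rule.mode == "all_regex":
        wanted = set(INDICATOR_REGEX)
    elif rule.mode == "specific":
        # Regex-less types are silently skipped here: they have nothing to match on.
        wanted = rule.types & set(INDICATOR_REGEX)
    else:
        wanted = set()
    for itype in wanted:
        matches = set(INDICATOR_REGEX[itype].findall(value))
        if matches:
            found[itype] = matches
    # "Use field value": the entire field becomes one indicator of the chosen type.
    if rule.use_field_value and value.strip():
        found.setdefault(rule.use_field_value, set()).add(value.strip())
    return found


def extract_incident(incident: Dict[str, str], rules: Dict[str, FieldRule],
                     trigger_mode: str) -> Tuple[Dict[str, Set[str]], Dict[str, list]]:
    """Apply per-field rules. 'inline' also writes results to context; 'out_of_band' does not."""
    indicators: Dict[str, Set[str]] = {}
    for fname, value in incident.items():
        rule = rules.get(fname, FieldRule("none"))   # fields without a rule: nothing extracted
        for itype, values in extract_field(str(value), rule).items():
            indicators.setdefault(itype, set()).update(values)
    context = {itype: sorted(v) for itype, v in indicators.items()} if trigger_mode == "inline" else {}
    return indicators, context


# Constructed sample incident (reserved documentation addresses and example domains).
SAMPLE_INCIDENT = {
    "emailfrom": "Alice Example <alice@mail.example.com>",
    "emailto": "soc@corp.example",
    "emailsubject": "Invoice from 203.0.113.7 overdue",
    "emailbody": "Please open http://bad.example.net/pay and reply to billing@bad.example.net",
    "srchostname": "wkst-0421",
    # Stand-in for the field that collects unmapped JSON members from the integration.
    "labels": '{"unmapped_secret": "internal-host-01"}',
}

# The rules from the page's email example, plus the two caveats from the notes.
EMAIL_RULES = {
    "emailbody": FieldRule("all_regex"),
    "emailfrom": FieldRule("specific", types={"Email"}),
    "emailsubject": FieldRule("all_regex"),
    "emailto": FieldRule("specific", types={"Email"}),
    "srchostname": FieldRule("none", use_field_value="Hostname"),
    "labels": FieldRule("none"),
}

if __name__ == "__main__":
    inds, ctx = extract_incident(SAMPLE_INCIDENT, EMAIL_RULES, "inline")
    for itype, values in sorted(inds.items()):
        print(f"{itype}: {sorted(values)}")
    print("context keys (inline):", sorted(ctx))
    print("context keys (out of band):", sorted(extract_incident(SAMPLE_INCIDENT, EMAIL_RULES, "out_of_band")[1]))
```

Running it shows why the per-field choice matters: the From and To fields yield only Email indicators, the subject yields the IP, the body yields the URL, its domain and the reply address, the hostname appears only because of Use field value, and the unmapped-data field contributes nothing. Switching the trigger mode to out of band leaves the indicators extracted but the context empty, matching the behaviour described in step 4.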
