Create Indicator Extract Rules for a Playbook Task

Create indicator extraction rules for a playbook task in Cortex XSOAR.
When using indicator extraction rules, indicators are extracted from tasks in playbooks.
The default indicator extraction value depends on the playbook task. For example, the indicator extraction mode is set to none in the "Enrich offending user account" task (from the Impossible Traveler playbook), while in the "Extract the email address of the reporting user" task (from the Phishing Generic V3 playbook) indicator extraction is set to system default.
If you select system default in a task, the mode that is applied is none unless you change the default in the server configuration. For more information, see Indicator Extraction Modes.
You can use the following commands in a task:
  • extractIndicators
  • Reputation commands, such as , etc.
  • enrichIndicators
For more information, see Run Indicator Extraction in the CLI.
  1. If the playbook was installed from a content pack, click either Duplicate Playbook or Detach Playbook.
  2. Select the playbook from which you want to extract indicators, and click
  3. In the playbook, click the task from which you want to extract indicators.
  4. Click the
  5. In the indicator extraction drop-down menu, select the mode you want to use.
  6. Click

Extract Indicators from a Phishing Email

The following scenario shows how indicator extraction is used in the "Process Email - Generic" playbook to extract and enrich a very specific group of indicators.
This playbook parses the headers of the original email used in a phishing attack. It is important to parse the original email used in the phishing attack, and not the email that was forwarded, to ensure that you extract headers only from the malicious email and not from the one your organization uses to report phishing attacks.
  1. Go to the page and search for the "Process Email - Generic" playbook.
  2. Click either Duplicate Playbook or Detach Playbook.
  3. If you have already duplicated or detached the playbook, click
  4. Scroll down and open the "Add original email details to context" task.
  5. In the field, click and select. In the tab, you can see all of the different data that the task extracts, such as Email To, CC, From, etc.
  6. Go to Indicator Extraction mode and ensure that the option is selected. This indicates that all of the outputs are processed before the playbook moves ahead to the next task.
  7. Open the "Display email information in layout" task. This task receives the data from the saved attachment tasks and sets the various data points to context. Under the tab, ensure that Indicator Extraction mode is set to , as the indicators have already been extracted earlier in the "Extract email artifacts and attachments" task and there is no need to do it again.
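The point made in this scenario (extract from the attached original email, not from the forwarded wrapper) as an added Python example that is not part of the playbook or of Cortex XSOAR. The reporter email, all addresses and the indicator patterns are constructed for illustration; the regexes stand in for the server's own extraction rules.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Illustrative patterns only; XSOAR's extractIndicators uses the server's own regexes.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s<>\"']+")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def build_report() -> bytes:
    """Constructed sample: a user forwards the phish as a message/rfc822 attachment."""
    original = EmailMessage()
    original["From"] = "billing@invoice-update.example"
    original["Reply-To"] = "collect@payments-now.example"
    original["To"] = "victim@corp.example"
    original["Received"] = "from mail.payments-now.example (203.0.113.7) by mx.corp.example"
    original.set_content("Pay now at http://payments-now.example/inv/1")
    report = EmailMessage()
    report["From"] = "reporter@corp.example"
    report["To"] = "phishing-reports@corp.example"
    report.set_content("This looks suspicious, please check.")
    report.add_attachment(original)  # the stdlib emits this as a message/rfc822 part
    return report.as_bytes()

def original_message(report: bytes):
    """Return the attached original email, or None if the report carries none."""
    msg = email.message_from_bytes(report, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def extract_indicators(msg: EmailMessage) -> dict:
    """Collect sender-controlled indicators from one message's headers and body."""
    addrs = [str(msg[h]) for h in ("From", "Reply-To", "Return-Path") if msg[h]]
    received = " ".join(str(v) for v in msg.get_all("Received", []))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return {"emails": sorted({e for v in addrs for e in EMAIL.findall(v)}),
            "ips": sorted(set(IPV4.findall(received))),
            "urls": sorted(set(URL.findall(text)))}

def triage(report: bytes) -> dict:
    """Contrast the wrapper (the reporter's own headers) with the attached original."""
    wrapper = email.message_from_bytes(report, policy=policy.default)
    original = original_message(report)
    return {"wrapper": extract_indicators(wrapper),
            "original": extract_indicators(original) if original else None}
```

Running triage(build_report()) shows that the wrapper yields only your own reporting address, while the attached original yields the sender, Reply-To, relay IP and URL that are worth enriching.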
