Extract indicators from Cortex Cloud issue fields and enrich them with commands and scripts.
In Cortex Cloud, the indicator extraction feature extracts indicators from selected issue fields and enriches them by running commands and scripts. The extraction mode is configured per playbook task.
Select the playbook where you want to add indicator extraction, and click Edit.
In the playbook, click a task to open the Task Details pane.
Click the Advanced tab.
For Indicator Extraction mode, select the mode you want to use (default is none).
Click OK.
Indicator extraction modes
Indicator extraction supports the following modes:
None: Indicators are not extracted automatically. Use this mode when the indicators in the task's fields do not need further evaluation.
Inline: Indicators are extracted synchronously, in the context in which the task runs, and the findings are added to the context data. For example, if a playbook task uses inline extraction, extraction completes before the next playbook task runs.
Note
Because extraction and enrichment run synchronously, this mode can delay playbook execution (and issue creation). Only indicator creation is asynchronous. The extracted data is placed in the issue context and is available to subsequent tasks through the context.
Out of band: Indicators are extracted asynchronously, in parallel with other playbook actions. The extracted data is available in the issue, but because it is not produced in real time it cannot be relied on in the inputs or outputs of the tasks that follow.
Note
With out of band extraction, the extracted indicators do not appear in the context. If you need the extracted indicators in the context, select inline.
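To make the practical difference between the modes concrete, the following Python simulation is an added example; it is not Cortex Cloud's extraction engine and does not use any Cortex API. The regex rules, the issue field names, the ExtractedIndicators context key and the sample issue are all constructed assumptions for the example. It shows that with inline extraction the next task finds the indicators in context, with out of band extraction they end up on the issue while the next task sees an empty context, and with None nothing is extracted at all.

```python
import re
from concurrent.futures import ThreadPoolExecutor

# Regex rules for a few indicator types. These are constructed for this example
# and do not reproduce Cortex Cloud's own extraction rules.
INDICATOR_PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.IGNORECASE),
    "File SHA256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}

# Constructed sample issue; the field names are assumptions for this example.
SAMPLE_ISSUE = {
    "name": "Suspicious outbound connection",
    "details": (
        "Host 10.20.30.40 contacted hxxp://evil[.]com/payload and dropped "
        "a file with SHA256 " + "a" * 64
    ),
}


def refang(text):
    """Undo common defanging so 'hxxp://evil[.]com' is matched as evil.com."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_indicators(issue, fields):
    """Extract indicators from the selected issue fields, grouped by type."""
    found = {}
    for field in fields:
        text = refang(str(issue.get(field, "")))
        for itype, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(text):
                found.setdefault(itype, set()).add(match)
    return {itype: sorted(values) for itype, values in found.items()}


def _extract_and_store_on_issue(issue, fields):
    # Out-of-band work: results land on the issue, never in the task context.
    issue["indicators"] = extract_indicators(issue, fields)
    return issue["indicators"]


def run_extraction_task(issue, context, mode, fields, pool):
    """Model the three extraction modes of a playbook task.

    Returns a Future for out-of-band work so a caller can wait for it, else None.
    """
    if mode == "None":
        return None
    if mode == "Inline":
        # Synchronous: the next task cannot start until this returns, and the
        # findings are written to the context (the key name is an assumption).
        context["ExtractedIndicators"] = extract_indicators(issue, fields)
        return None
    if mode == "Out of band":
        # Asynchronous: the task returns immediately; extraction continues in
        # the background and writes to the issue, not to the context.
        return pool.submit(_extract_and_store_on_issue, issue, fields)
    raise ValueError(f"unknown indicator extraction mode: {mode!r}")


def next_task(context):
    """A downstream task that wants the extracted IPs from context."""
    return context.get("ExtractedIndicators", {}).get("IP", [])


def simulate(mode, issue=None):
    """Run an extraction task followed by a dependent task.

    Returns (IPs the next task saw in context, indicators present on the issue
    once any background extraction has finished).
    """
    issue = dict(issue or SAMPLE_ISSUE)
    context = {}
    with ThreadPoolExecutor(max_workers=1) as pool:
        pending = run_extraction_task(issue, context, mode, ["details"], pool)
        seen_by_next_task = next_task(context)  # runs right after the task returns
        if pending is not None:
            pending.result()  # background job finishes after the next task already ran
    return seen_by_next_task, issue.get("indicators")


if __name__ == "__main__":
    for mode in ("None", "Inline", "Out of band"):
        seen, on_issue = simulate(mode)
        print(f"{mode:12} next task saw {seen}; issue holds {sorted(on_issue or {})}")
```

Running the script prints one line per mode. The out of band result is the one to note: the indicators are on the issue by the time the background job finishes, but the dependent task that ran immediately after the extraction task saw nothing in context, which is exactly why task inputs must not depend on out of band extraction.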
Troubleshoot indicator extraction
If indicators are not extracted, first check whether the task's indicator extraction mode is set to None. Even when the relevant issue fields and indicator types are selected, no indicators are extracted while the mode is None.