Create indicator extract rules for a playbook task - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

Create indicator extraction rules for a playbook task in Cortex XSIAM: set the auto-extract mode for a task by editing it, and follow a use case that applies indicator extraction to a phishing playbook.

When indicator extraction rules are enabled, indicators are extracted from the outputs of tasks in playbooks.

The default indicator extraction mode is Inline.

You can use the following commands in a task:

  • extractIndicators

  • Reputation commands, such as !ip and !file

  • enrichIndicators

For more information, see Run Indicator Extraction in the CLI.

  1. Select the playbook where you want to add indicator extraction, and click Edit.

  2. In the playbook, click a task to open the Edit Task window.

  3. Click the Advanced tab.

  4. In the indicator extraction drop-down menu, select the mode you want to use.

  5. Click OK.

Extract indicators from a phishing email

The following scenario shows how indicator extraction is used in the Process Email - Generic v2 playbook to extract and enrich a very specific group of indicators.

This playbook parses the headers of the original email used in a phishing attack. It is important to parse the original email, not the email that was forwarded to report it, so that you extract headers only from the malicious email and not from the one your organization uses to report phishing attacks.

  1. Navigate to the Playbooks page and search for the Process Email - Generic v2 playbook.

  2. Click either Duplicate Playbook or Detach Playbook.

  3. Open the Add original email details to context task, click Edit, and in the Choose script drop-down menu change the script from Set to ParseEmailFilesV2.

    Under the Outputs tab, you can see all of the different data that the task extracts.

    (Screenshot: xsiam-playbook-extract-indicators.png, the Outputs tab of the task)

  4. Click the Advanced tab and set Indicator Extraction mode to Inline. This ensures all the outputs are processed before the playbook moves ahead to the next task.

  5. Open the Display email information in layout - Email.Headers task. This task receives the data from the saved attachment tasks and sets the various data points to context.

  6. Click the Advanced tab and set Indicator Extraction mode to None, because the indicators were already extracted earlier in the Extract email artifacts and attachments task and there is no need to extract them again.
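To make concrete why step 3 parses the original email rather than the report that wraps it, here is an added Python example. It is not Cortex XSIAM code and not the ParseEmailFilesV2 script; all addresses, hosts and IP addresses in it are constructed documentation values. It builds a phishing report in memory with the original email attached as a message/rfc822 part, then extracts the sender address, Received-header IPs and body URLs from the original message only, and contrasts that with the same extraction run on the outer report.

```python
"""Added illustration (not Palo Alto Networks / Cortex XSIAM code and not the
ParseEmailFilesV2 script): extract indicators from the forwarded *original*
email inside a phishing report, not from the report itself."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional, Set

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_report() -> bytes:
    """Construct a sample report: an employee forwards a phishing email to the
    SOC mailbox. Every address, host and IP here is a constructed example value."""
    original = EmailMessage()
    original["From"] = "Accounts <invoice@bad-domain.example>"
    original["To"] = "alice@example.com"
    original["Subject"] = "Invoice overdue"
    original["Received"] = (
        "from mail.bad-domain.example ([203.0.113.45]) "
        "by mx.example.com with ESMTP; Mon, 26 Feb 2024 09:00:00 +0000"
    )
    original.set_content(
        "Your invoice is overdue. Pay now: http://bad-domain.example/pay"
    )

    report = EmailMessage()
    report["From"] = "Alice <alice@example.com>"
    report["To"] = "phishing-reports@example.com"
    report["Subject"] = "FW: Invoice overdue"
    report["Received"] = (
        "from workstation.example.com ([192.0.2.10]) "
        "by mx.example.com with ESMTP; Mon, 26 Feb 2024 09:05:00 +0000"
    )
    report.set_content("This looks like phishing, please check.")
    report.add_attachment(original)  # attached as a message/rfc822 part
    return report.as_bytes()


def original_message(report: EmailMessage) -> Optional[EmailMessage]:
    """Return the forwarded original email: the first message/rfc822 part."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def extract_indicators(msg: EmailMessage) -> Dict[str, Set[str]]:
    """Pull the indicator types this scenario cares about from one message:
    sender address, IPs in Received headers, URLs in the plain-text body."""
    sender = parseaddr(str(msg.get("From", "")))[1]
    ips: Set[str] = set()
    for received in msg.get_all("Received", []):
        ips.update(IPV4_RE.findall(str(received)))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    urls = set(URL_RE.findall(text))
    return {"email": {sender} if sender else set(), "ip": ips, "url": urls}


def indicators_from_report(raw: bytes, use_original: bool = True) -> Dict[str, Set[str]]:
    """Parse a raw report and extract indicators from the original email
    (use_original=True) or, to show the difference, from the wrapper email."""
    report = email.message_from_bytes(raw, policy=policy.default)
    target = original_message(report) if use_original else report
    if target is None:
        raise ValueError("report does not contain a forwarded original email")
    return extract_indicators(target)


if __name__ == "__main__":
    raw = build_sample_report()
    print("original email:", indicators_from_report(raw, use_original=True))
    print("wrapper email: ", indicators_from_report(raw, use_original=False))
```

Run on the sample, the original-email pass yields the attacker's sender address, relay IP and payment URL, while the wrapper pass yields only the reporting employee's address and workstation IP. Those wrapper values are exactly the noise the playbook avoids by parsing the original message, and they are why the later Display email information task is set to None rather than extracting a second time.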