Indicator extraction

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

Indicator extraction extracts indicators from Cortex XSIAM alert fields and enriches them with commands and scripts defined for the indicator type.

Indicator extraction identifies indicators in text sources across the system (such as War Room entries and email content), extracts them (usually by regex), and creates the corresponding indicators in Cortex XSIAM. After extraction, the indicator can be enriched.

Indicator enrichment takes an extracted indicator and gathers detailed information about it (anything from open ports to WHOIS records). Enrichment builds a story around the indicator from an enrichment source such as VirusTotal or IPinfo.

In Cortex XSIAM, indicator extraction extracts indicators from alert fields and enriches them using the commands and scripts defined for the indicator type. Provided indicator extraction is enabled, indicators are extracted according to the rules of the alert type.

You can extract indicators in the following scenarios:

  • When fetching alerts

  • In a playbook task

  • Using the command line

Create indicator extraction rules

Indicators are extracted from alert fields when an alert is created. For alert types installed from a Content Pack, the indicator extraction rules are set out-of-the-box. For example, in a phishing alert type, IP and IPv6 indicators are extracted from the Destination IP field, and URL indicators are extracted from the Detection URL field. Provided the indicator extraction settings are enabled, extraction is automatic and follows the rules set in the alert type: when the phishing alert type is configured to extract the IP indicator and the alert field is updated, the IP indicator is extracted automatically.

You can observe the same mechanism in the War Room by typing 1.1.1.1. Cortex XSIAM recognizes the value as an IP indicator by matching it against the regex of the IP indicator type, extracts it, and enriches it using an integration that implements the ip command (such as IPinfo).

You create indicator extraction rules:

Indicator extraction modes

Indicator extraction supports the following modes:

  • None: Indicators are not extracted automatically. Use this option when you do not want to further evaluate the indicators.

  • Inline: Indicators are extracted synchronously, within the flow that triggered the extraction, and the findings are added to the context data. For example, if indicator extraction for the phishing alert type is inline:

    • On alert creation, the playbook defined to run by default does not start until the indicators have been extracted.

    • On a field change, extraction completes before the next playbook tasks run. This option provides the most complete information available per indicator.

      Note

      This configuration may delay playbook execution at alert creation.

      Note

      Although indicator creation is asynchronous, indicator extraction and enrichment run synchronously. The data is placed into the alert context and is available to subsequent tasks through the context.

  • Out of band: Indicators are extracted asynchronously, in parallel with other actions. The extracted data is available within the alert, but not for immediate use in task inputs or outputs, because it is not available in real time.

    For alert creation, out of band is used in the rare cases where the subsequent playbook flow does not need the extracted indicators, but you still want them extracted and saved in the system as indicators so they can be reviewed manually later. System performance may be better because the playbook flow does not stop to extract, but if the alert contains indicators that are needed or expected in the subsequent playbook flow, use inline, which does not run the playbook until all indicators have been extracted from the alert.

    Note

    When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.

By default, indicators are extracted according to the following modes:

  • Alert creation - inline

  • Alert field change - inline

  • Tasks - none, can be overridden on a per-task basis

  • CLI - out of band, can be overridden on a per-command basis
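The per-field extraction, regex matching and enrichment described for the phishing alert type, together with the effect of the three extraction modes on the alert context, modelled in Python as an added example. This is not Cortex XSIAM code: the regexes, the alert-type rule table, the offline "enrichment" lookups, the mode names and the sample alert are all constructed assumptions that imitate the design the guide describes.

```python
"""Constructed model of per-field indicator extraction and extraction modes.

Added example, not Cortex XSIAM code: regexes, the alert-type rule table, the
offline "enrichment" and the sample alert are assumptions imitating the guide.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def _ip_version(value):
    """Return 4 or 6 for a parseable address, 0 otherwise (regex hits can be bogus)."""
    try:
        return ipaddress.ip_address(value).version
    except ValueError:
        return 0


# One regex, one validator and one enrichment command per indicator type
# (the product configures the regex per indicator type; these are assumed).
INDICATOR_TYPES = {
    "IP": {
        "regex": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
        "valid": lambda v: _ip_version(v) == 4,
        "command": "ip",
    },
    "IPv6": {
        "regex": re.compile(r"\b(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{1,4}\b"),
        "valid": lambda v: _ip_version(v) == 6,
        "command": "ip",
    },
    "URL": {
        "regex": re.compile(r"""\bhttps?://[^\s"'<>]+""", re.IGNORECASE),
        "valid": lambda v: bool(urlsplit(v).netloc),
        "command": "url",
    },
}

# Assumed extraction rules for one alert type: alert field -> indicator types,
# mirroring the phishing example in the guide.
ALERT_TYPE_RULES = {
    "Phishing": {
        "Destination IP": ["IP", "IPv6"],
        "Detection URL": ["URL"],
    },
}


def extract_from_field(alert_type, field_name, text):
    """Apply only the indicator types the alert type assigns to this field."""
    found = []
    for ind_type in ALERT_TYPE_RULES.get(alert_type, {}).get(field_name, []):
        spec = INDICATOR_TYPES[ind_type]
        for match in spec["regex"].finditer(text):
            value = match.group(0)
            if spec["valid"](value):  # drop regex hits such as 999.1.1.1
                found.append({"type": ind_type, "value": value})
    return found


def classify_text(text):
    """Free-text path (War Room entry, email body): try every indicator type."""
    return [
        (ind_type, m.group(0))
        for ind_type, spec in INDICATOR_TYPES.items()
        for m in spec["regex"].finditer(text)
        if spec["valid"](m.group(0))
    ]


def enrich(ind_type, value):
    """Offline stand-in for an integration command (e.g. IPinfo's ip command)."""
    command = INDICATOR_TYPES[ind_type]["command"]
    if command == "ip":
        addr = ipaddress.ip_address(value)
        return {"command": command, "private": addr.is_private, "version": addr.version}
    parts = urlsplit(value)
    return {"command": command, "host": parts.hostname, "scheme": parts.scheme.lower()}


def run_extraction(alert, mode, store):
    """Return the context the next playbook task would see under the given mode.

    `store` stands in for the indicator database: indicators are created there
    under both inline and out-of-band, but only inline puts them into context.
    """
    if mode == "none":
        return {}
    if mode not in ("inline", "out-of-band"):
        raise ValueError(f"unknown extraction mode: {mode}")
    indicators = []
    for field_name, text in alert["fields"].items():
        for ind in extract_from_field(alert["type"], field_name, text):
            ind["enrichment"] = enrich(ind["type"], ind["value"])
            indicators.append(ind)
    store.extend(indicators)
    # Out of band: the indicators exist (in `store`) but the context the next
    # task reads is empty, which is the "not available in real time" effect.
    return {"Indicators": indicators} if mode == "inline" else {}


# Constructed sample alert; 999.1.1.1 shows that a regex hit alone is not an indicator.
SAMPLE_ALERT = {
    "type": "Phishing",
    "fields": {
        "Destination IP": "1.1.1.1 and 2001:db8::1 (ignore the bogus 999.1.1.1)",
        "Detection URL": "user clicked https://login.example.test/verify?id=42 today",
    },
}

if __name__ == "__main__":
    db = []
    for mode in ("none", "inline", "out-of-band"):
        ctx = run_extraction(SAMPLE_ALERT, mode, db)
        print(f"{mode:12s} context={ctx.get('Indicators', [])!r} stored={len(db)}")
    print(classify_text("1.1.1.1"))
```

Running it shows the difference a playbook task observes: under inline the context carries three enriched indicators, under out-of-band the store grows by the same three but the returned context is empty, and under none nothing is extracted at all, which is the symptom the troubleshooting section below describes. The validator step is the caveat to keep in mind when writing your own indicator-type regexes: 999.1.1.1 matches the IP pattern but is not an address, so the regex hit is discarded before an indicator is created.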

Troubleshoot indicator extraction

If indicators are not extracted, check whether the indicator extraction mode is set to None. Even if you select the relevant alert fields and the indicator types to extract, no indicators are extracted while the mode is None.