Indicator extraction extracts indicators from Cortex XSIAM alert fields and enriches them with the commands and scripts defined for the indicator type.
Indicator extraction identifies indicators in text sources across the system (such as War Room entries and email content), extracts them (usually by regex), and creates them as indicators in Cortex XSIAM. After extraction, an indicator can be enriched.
Indicator enrichment takes the extracted indicator and gathers detailed information about it (from open ports to WHOIS records) from an enrichment source such as VirusTotal or IPinfo, building a picture of the indicator.
Provided indicator extraction is enabled, indicators are extracted from alert fields according to the rules defined for the alert type.
You can extract indicators in the following scenarios:
When fetching alerts
In a playbook task
Using the command line
Create indicator extraction rules
Indicators are extracted from alert fields when an alert is created. For alert types installed by a Content Pack, the extraction rules are set out-of-the-box. For example, in the phishing alert type, IPv6 and IP indicators are extracted from the Destination IP field, and URL indicators are extracted from the Detection URL field. Provided the indicator extraction settings are enabled, extraction runs automatically according to the rules in the alert type. For example, if the phishing alert type is set to extract IP indicators, an IP address in the Destination IP field is extracted as soon as that field updates.
In the War Room, you can check that IP extraction works by typing 1.1.1.1. Cortex XSIAM recognizes it as an IP indicator by matching it against the IP indicator type's regex, then extracts and enriches it using an integration that implements the ip command (such as IPinfo).
You can also create indicator extraction rules:
In a playbook task.
When running a command during an investigation.
Indicator extraction modes
Indicator extraction supports the following modes:
None: Indicators are not extracted automatically. Use this option when you do not want to evaluate the indicators further.
Inline: Indicators are extracted within the context in which indicator extraction runs (synchronously), and the findings are added to the context data. For example, if indicator extraction for the phishing alert type is set to inline:
On alert creation, the playbook defined to run by default does not start until the indicators have been extracted.
On a field change, extraction completes before the next playbook tasks run. This option provides the most complete information available per indicator.
Note
This configuration may delay playbook execution on alert creation.
Note
While indicator creation is asynchronous, indicator extraction and enrichment run synchronously. The data is placed into the alert context and is available to subsequent tasks through the context.
Out of band: Indicators are extracted in parallel with (asynchronously to) other actions. The extracted data is saved with the alert, but it is not available for immediate use in task inputs or outputs, because it is not produced in real time.
On alert creation, out of band is used in the rare cases where the subsequent playbook flow does not need the extracted indicators, but you still want them extracted and saved in the system as indicators so that they can be reviewed manually at a later stage. System performance may improve because the playbook flow does not stop to extract, but if the alert contains indicators that are needed or expected later in the playbook flow, use inline: it does not run the playbook until all indicators have been extracted from the alert.
Note
When using out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select inline.
By default, indicators are extracted according to the following rules:
Alert creation - inline
Alert field change - inline
Tasks - none, but can be overridden on a per-task basis
CLI - out of band, but can be overridden on a per-command basis
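The following script is an added, stand-alone illustration of the two ideas above: rule-based extraction from alert fields (the phishing example, where a regex per indicator type is applied to the fields the alert type's rules name, and each hit is handed to that type's enrichment command) and the effect of the inline, out of band and none modes on what the first playbook task finds in context. It is not Cortex XSIAM code and does not use the product's API; the regexes, the field names, the rule table, the enrichment stand-in and the mode simulation are all simplified assumptions made for the demonstration, and the sample alert is constructed from documentation addresses.

```python
"""Rule-based indicator extraction and the inline / out-of-band / none
modes, as a constructed stand-alone illustration. This is an added
example, not Cortex XSIAM code: the regexes, alert layout, rule table and
mode simulation are simplified assumptions, not the product's own."""
import ipaddress
import re
import threading

# Candidate patterns per indicator type (assumption: simplified; real
# extraction regexes are broader). IPv6 candidates are validated below,
# because "::" compression is awkward to express in a single regex.
INDICATOR_REGEX = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "IPv6": re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b"),
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
}

# Enrichment command run for each type (assumption: 'ip' as for IPinfo).
ENRICH_COMMAND = {"IP": "ip", "IPv6": "ip", "URL": "url"}

# Extraction rules per alert type: alert field -> indicator types to extract
# (modelled on the phishing example in the text; field names are assumed).
EXTRACTION_RULES = {
    "Phishing": {
        "destinationip": ["IP", "IPv6"],
        "detectionurl": ["URL"],
    },
}


def _valid(itype, value):
    """Drop regex hits that are not real addresses of the claimed type,
    e.g. 999.1.1.1 or a clock time such as 12:30:45."""
    if itype not in ("IP", "IPv6"):
        return True
    try:
        version = ipaddress.ip_address(value).version
    except ValueError:
        return False
    return version == (4 if itype == "IP" else 6)


def extract_indicators(alert_type, fields):
    """Apply the alert type's rules to the alert fields and return unique
    (type, value) pairs in the order found."""
    found, seen = [], set()
    for field, types in EXTRACTION_RULES.get(alert_type, {}).items():
        text = str(fields.get(field, ""))
        for itype in types:
            for hit in INDICATOR_REGEX[itype].findall(text):
                key = (itype, hit)
                if _valid(itype, hit) and key not in seen:
                    seen.add(key)
                    found.append(key)
    return found


def enrich(indicator):
    """Stand-in for running the type's enrichment command on the indicator."""
    itype, value = indicator
    return {"type": itype, "value": value, "command": ENRICH_COMMAND[itype]}


def run_alert(alert_type, fields, mode):
    """Simulate alert creation in one extraction mode. Returns the indicator
    values the first playbook task finds in context, and the values that
    ended up in the indicator store once everything has finished."""
    context = {"indicators": []}
    store = []

    def extraction(into_context):
        for ind in extract_indicators(alert_type, fields):
            record = enrich(ind)
            store.append(record)
            if into_context:
                context["indicators"].append(record)

    worker = None
    if mode == "inline":
        extraction(into_context=True)          # the playbook waits for this
    elif mode == "out of band":
        worker = threading.Thread(target=extraction, args=(False,))
        worker.start()                         # the playbook does not wait
    elif mode != "none":
        raise ValueError(f"unknown extraction mode {mode!r}")

    # First playbook task: it only sees what is in context right now.
    task_input = [r["value"] for r in context["indicators"]]

    if worker is not None:
        worker.join()
    return {"task_input": task_input, "stored": [r["value"] for r in store]}


# Constructed sample alert (documentation addresses only, not real telemetry).
SAMPLE_ALERT = {
    "destinationip": "198.51.100.7, 2001:db8::1 and 999.1.1.1",
    "detectionurl": "https://example.com/login?x=1 (seen twice) "
                    "https://example.com/login?x=1",
}

if __name__ == "__main__":
    for mode in ("inline", "out of band", "none"):
        print(mode, run_alert("Phishing", SAMPLE_ALERT, mode))
```

Running it shows the difference the mode makes: in inline mode the first task's input already contains the three indicators, in out of band mode the same three indicators reach the store but the task's input is empty, and in none mode nothing is extracted at all, which is the case the troubleshooting note below describes.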
Troubleshoot indicator extraction
If indicators are not extracted, check whether the indicator extraction mode is set to None. Even if you select the relevant alert fields and the indicators to extract, no indicators are extracted while the mode is None.