Extract and enrich an indicator - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-15
Category
Administrator Guide
Abstract

How to extract and enrich an indicator in Cortex XSIAM.

Indicator extraction identifies indicators from different text sources in the system (such as War Room entries), extracts them, and creates indicators in Cortex XSIAM. After extraction, the indicators are enriched.

Indicator enrichment takes the extracted indicator and provides detailed information about the indicator (WHOIS information for example), using third-party integrations such as VirusTotal and IPinfo.

If you want to extract an indicator manually, you can do the following:

  • Run indicator extraction in the CLI by running one of the following commands. Each command is listed below with a description:

    extractIndicators

    If you want to extract indicators from non-War-Room-entry sources (such as extracting from files), use the !extractIndicators command from the CLI. Use the command to do the following:

    • Validate a regex: test a specific string, such as a URL, to see whether the relevant indicators are extracted correctly.

    • Extract in a playbook or script: the command extracts indicators from a playbook or script (a non-War-Room source), and also creates and enriches them.

    You can extract the following:

    • A specified entry (an entry ID)

    • Investigation (Investigation ID)

    • Text

    • File path

    For example, type !extractIndicators text="some text 1.1.1.1 something" auto-extract=inline. The indicator contained in the entry text (here 1.1.1.1) is extracted and enriched.

    You can also extract indicators by adding the auto-extract parameter to a script call, together with the mode you want to use. For example: !ReadFile entryId=826@101 auto-extract=inline.

    Usually, when using the CLI, you want to disable indicator extraction. For example, if you return internal/private data to the War Room and do not want it extracted and enriched by third-party services, add auto-extract=none to your CLI command.

    enrichIndicators

    The enrichIndicators command is usually used when you want to batch enrich indicators. It works on existing indicators only (it does not create them). When the command runs, the enrichment command that matches the detected indicator type (such as !ip) is triggered. The data is saved to context and to the indicator.

    Note

    Triggering enrichment on a substantial number of indicators can take time (because it activates all enrichment integrations for each indicator) and can degrade performance.

    Reputation commands

    Reputation commands such as !ip can be run for new indicators and for indicators already in the system. If extraction is on, the data is saved both to the indicator and to the incident's context. If extraction is off, the data is saved only to the context, because the mapping flow is always triggered in enrichment commands. In playbook tasks, the default extraction setting is none.

    Note

    Reputation commands, such as !ip and !domain, can only be used when you configure and enable a reputation integration instance, such as VirusTotal or WHOIS.

  • Use the Enrich indicator button in the indicator layout. This has the same effect as running a reputation command.

  • Run indicator enrichment in the Quick View window

    If an enhancement script is attached to the indicator type, you can run it from the indicator Quick View window to enrich the indicator. For example, the Domain indicator type uses the DomainReputation enhancement script. In an incident that contains a domain indicator, click Quick View. In the Indicators tab, click the Domain indicator, then Actions, then DomainReputation.

    You can also run the enhancement script in the CLI.
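The extraction and gating behaviour described above for !extractIndicators and the auto-extract parameter, as an added illustrative example in Python. This is not Cortex XSIAM code: the regex patterns, the Indicator class, the sample text and the internal-address filter are this example's own assumptions. It shows what an extraction pass does with a War Room-style text (regex validation of a string, rejection of look-alike values such as 999.1.1.1) and why auto-extract=none matters for entries that carry internal data: addresses in private space are exactly what you do not want forwarded to third-party reputation services.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample text: the kind of free text a War Room entry or a
# script output might contain. Every value here is made up for this
# illustration (1.1.1.1 is the address the guide itself uses).
SAMPLE_TEXT = (
    "some text 1.1.1.1 something, seen with host 10.0.0.25 and gateway "
    "192.168.1.1, fetched http://malicious.example.net/login after "
    "resolving mail.example.org."
)

# Extraction patterns. These are this example's own simplified regexes,
# not the patterns Cortex XSIAM uses for its built-in indicator types.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Indicator:
    kind: str    # "IP", "URL" or "Domain"
    value: str


def extract_indicators(text):
    """Return the set of indicators found in text.

    URLs are taken first so that the host inside a URL is not also
    reported as a separate Domain indicator. Candidate IPs are checked
    with the ipaddress module so that 999.1.1.1-style strings, which the
    regex alone accepts, are rejected.
    """
    found = set()
    for m in URL_RE.finditer(text):
        found.add(Indicator("URL", m.group(0).rstrip(".,;")))
    url_text = " ".join(i.value for i in found)

    for m in IPV4_RE.finditer(text):
        value = m.group(0)
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            continue
        found.add(Indicator("IP", value))

    for m in DOMAIN_RE.finditer(text):
        value = m.group(0).rstrip(".")
        if value in url_text:
            continue
        found.add(Indicator("Domain", value))
    return found


def is_internal(ip_value):
    """True for private, loopback, link-local, multicast or reserved
    addresses: values that describe your own network, not an external
    party, and so should not be handed to third-party enrichment."""
    ip = ipaddress.ip_address(ip_value)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved)


def select_for_enrichment(indicators, auto_extract="inline"):
    """Decide which extracted indicators may be sent to enrichment.

    auto_extract="none" mirrors the guide's advice for entries that hold
    internal data: nothing is extracted or enriched. For any other mode
    this example additionally drops IPs in internal address space; that
    filter is an added safeguard in this example, not a Cortex XSIAM
    feature.
    """
    if auto_extract == "none":
        return set()
    return {i for i in indicators
            if not (i.kind == "IP" and is_internal(i.value))}


if __name__ == "__main__":
    extracted = extract_indicators(SAMPLE_TEXT)
    for ind in sorted(extracted, key=lambda i: (i.kind, i.value)):
        print(f"extracted  {ind.kind:<6} {ind.value}")
    selected = select_for_enrichment(extracted, "inline")
    for ind in sorted(selected, key=lambda i: (i.kind, i.value)):
        print(f"enrich     {ind.kind:<6} {ind.value}")
```

Running the block prints five extracted indicators (three IPs, one URL, one domain) and then the three that survive the gate; 10.0.0.25 and 192.168.1.1 are extracted but held back from enrichment. Calling extract_indicators on a single string is the same check the guide describes under "validate regex": you can see directly which indicator types a given piece of text yields before trusting an automated pass over it.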