Extract indicators - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Extract indicators from Cortex XSIAM alert fields and enrich them with commands and scripts defined for the indicator type.

In Cortex XSIAM, the indicator extraction feature extracts indicators from alert fields and enriches them using commands and scripts defined for the indicator type. If indicator extraction is enabled, indicators are extracted according to the alert type. For more information about indicator extraction, see Extract and enrich an indicator.

How to set up indicator extraction in a playbook task
  1. Select the playbook where you want to add indicator extraction, and click Edit.

  2. In the playbook, click a task to open the task details pane.

  3. Click the Advanced tab.

  4. For Indicator Extraction mode, select the mode you want to use (default is inline).

  5. Click OK.

Example 30. 

The following scenario shows how indicator extraction is used in the Process Email - Generic v2 playbook to extract and enrich a very specific group of indicators.

This playbook parses the headers in the original email used in a phishing attack. It is important to parse the original email used in the phishing attack and not the email that was forwarded to ensure that you only extract the email headers from the malicious email and not the one your organization uses to report phishing attacks.

  1. Navigate to the Playbooks page and search for the Process Email - Generic v2 playbook.

  2. Click either Duplicate Playbook or Detach Playbook.

  3. Open the Add original email details to context task, and for the Script drop down, change the script from Set to ParseEmailFilesV2.

    Under the Outputs tab, you can see all of the different data that the task extracts.

    [Figure: xsiam-playbook-extract-indicators.png, the Outputs tab of the task]
  4. Click the Advanced tab and set Indicator Extraction mode to Inline. This ensures all the outputs are processed before the playbook moves ahead to the next task.

  5. Open the Display email information in layout - Email.Headers task. This task receives the data from the saved attachment tasks and sets the various data points to context.

  6. Click the Advanced tab and set Indicator Extraction mode to None, because the indicators were already extracted earlier in the Extract email artifacts and attachments task and there is no need to extract them again.


Indicator extraction modes

Indicator extraction supports the following modes:

  • None: Indicators are not extracted automatically. Use this option when you do not want to further evaluate the indicators.

  • Inline: Indicators are extracted synchronously, in the context in which indicator extraction runs, and the findings are added to the context data. For example, if indicator extraction for the phishing alert type is inline:

    • For alert creation, the playbook you define to run by default does not run until the indicators have been extracted.

    • For an on-field change, extraction occurs before the next playbook tasks run. This option provides the most robust information available per indicator.

      Note

      This configuration may delay playbook execution (alert creation).

      While indicator creation is asynchronous, indicator extraction and enrichment are run synchronously. Data is placed into the alert context and is available via the context for subsequent tasks.

  • Out of band: Indicators are extracted in parallel (asynchronously) with other actions. The extracted data is available on the alert, but not for immediate use in task inputs or outputs, because it is not produced in real time.

    For alert creation, out of band is used in the rare cases where the subsequent playbook flow does not need the extracted indicators, but you still want them extracted and saved in the system as indicators so they can be reviewed manually at a later stage. System performance may be better because the playbook flow does not stop to extract, but if the alert contains indicators that the subsequent playbook flow needs or expects, use inline, which does not execute the playbook until all indicators have been extracted from the alert.

    Note

    When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.

  • By default, indicators are extracted according to the following rules:

    • Incident creation - inline

    • Incident field change - inline

    • Tasks - none, can be overridden on a per task basis

    • CLI - out of band, but can be overridden on a per-command basis
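The following toy model, added here as an example and not Cortex XSIAM code, shows what the playbook scenario above and the three modes mean in practice: a task's output (parsed email headers) is scanned for indicators, and depending on the mode the enriched results either appear in the alert context before the next task runs (Inline), land only in the indicator store after a background job finishes (Out of band), or are not produced at all (None). The sample email, the regex patterns, and every function and class name are constructed assumptions; the hash value is a placeholder, not a real indicator.

```python
"""Toy model of task indicator extraction and the Inline / Out of band / None
modes. Added example, not Cortex XSIAM code; all names and data are assumptions."""
import re
from dataclasses import dataclass, field
from email import message_from_string

# Constructed sample: headers of the ORIGINAL phishing email, not the message
# that forwarded it to the abuse mailbox. The hash is a placeholder, not an IoC.
SAMPLE_EMAIL = """\
Received: from mail.example.net (mail.example.net [203.0.113.45])
From: "IT Support" <helpdesk@example-login.test>
To: victim@corp.example
Subject: Password expiry
X-Attachment-SHA256: deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef

Your password expires today.
"""

# Patterns ordered from most to least specific; each match is blanked out before
# the next pattern runs so an email address is not also counted as a domain.
PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def parse_headers(raw_email: str) -> dict:
    """Stand-in for the parsing step (ParseEmailFilesV2 in the playbook)."""
    return dict(message_from_string(raw_email).items())


def iter_strings(obj):
    """Flatten nested task output (dicts/lists) into the strings to scan."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from iter_strings(v)
    elif isinstance(obj, (list, tuple)):
        for v in obj:
            yield from iter_strings(v)
    else:
        yield str(obj)


def extract_indicators(text: str) -> dict:
    """Return {indicator_type: sorted unique values} found in text."""
    found, remaining = {}, text
    for itype, pattern in PATTERNS.items():
        values = sorted({m.group(0) for m in pattern.finditer(remaining)})
        if values:
            found[itype] = values
        remaining = pattern.sub(" ", remaining)
    return found


def enrich(itype: str, value: str) -> dict:
    """Placeholder for the enrichment commands defined per indicator type."""
    return {"type": itype, "value": value, "verdict": "unknown"}


@dataclass
class Alert:
    context: dict = field(default_factory=dict)          # visible to later tasks
    indicator_store: dict = field(default_factory=dict)  # system indicator database
    pending: list = field(default_factory=list)          # unfinished out-of-band jobs


def run_task(alert: Alert, output: dict, mode: str) -> None:
    """Write task output to context, then extract according to the task's mode."""
    alert.context.update(output)
    if mode == "none":
        return  # nothing extracted, nothing enriched
    found = extract_indicators("\n".join(iter_strings(output)))
    if mode == "inline":
        # Synchronous: enrich now and expose results in context before the next task.
        enriched = [enrich(t, v) for t, vals in found.items() for v in vals]
        alert.indicator_store.update((e["value"], e) for e in enriched)
        alert.context.setdefault("Indicators", []).extend(enriched)
    elif mode == "out of band":
        # Asynchronous: queued; later tasks cannot read the result from context.
        alert.pending.append(found)
    else:
        raise ValueError(f"unknown extraction mode: {mode}")


def drain_out_of_band(alert: Alert) -> None:
    """Simulate the background job finishing: indicators land in the store only."""
    while alert.pending:
        for itype, vals in alert.pending.pop().items():
            for v in vals:
                alert.indicator_store[v] = enrich(itype, v)


def demo():
    headers = parse_headers(SAMPLE_EMAIL)
    inline, oob = Alert(), Alert()
    run_task(inline, {"Email.Headers": headers}, "inline")
    run_task(oob, {"Email.Headers": headers}, "out of band")
    drain_out_of_band(oob)
    return inline, oob


if __name__ == "__main__":
    inline, oob = demo()
    print("inline context:", [e["value"] for e in inline.context["Indicators"]])
    print("out-of-band context has Indicators:", "Indicators" in oob.context)
    print("out-of-band store:", sorted(oob.indicator_store))
```

Running the script shows the practical difference the modes section describes: both alerts end up with the same five indicators in the store, but only the inline alert has an Indicators key in its context, which is what a following task's inputs can read.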

Troubleshoot indicator extraction

If indicators are not extracted, check whether the indicator extraction mode is set to None. Even if you select the relevant alert fields and the indicators to extract, indicators are not extracted while the mode is set to None.