Formatting scripts validate input and modify how indicators are displayed.
A formatting script has the following main functions:
Validate inputs, for example, to check that the top-level domain (TLD) is valid.
Modify how the indicator appears in Cortex XSIAM, such as in the War Room.
After indicator values are extracted according to the defined regex, the formatting script can be used to modify how the indicator value appears in the War Room and reports. For example, the IP indicator type uses the UnEscapeIPs formatting script, which removes any defanged characters from an IP address, so 127[.]0[.]0[.]1 is formatted to 127.0.0.1. When you click the IP address in the War Room, you see the formatted IP address. This extracted indicator value is then added to the Threat Intel database.
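The following is an added example of the two jobs a formatting script does (un-escape the extracted value, then validate it); it is not the UnEscapeIPs script or any other code shipped with Cortex XSIAM. It assumes the conventions that a formatting script receives one extracted string and returns either the cleaned value or an empty string to reject it. The list of defanging notations, the sample TLD allow-list and the sample inputs are all constructed for the example, and the wrapper that reads the script's input argument from the platform and returns the result is omitted.

```python
import ipaddress
import re

# Defanging notations commonly used in threat reports, where "[.]", "(.)", "{.}", "\."
# and " dot " all stand in for a literal dot and "[:]" for a colon in IPv6 addresses.
# This list is constructed for the example and is not exhaustive.
_DOT_PATTERNS = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\\\.|\s+dot\s+", re.IGNORECASE)
_COLON_PATTERNS = re.compile(r"\[:\]")


def refang(value: str) -> str:
    """Replace escaped dot and colon notations with the literal characters."""
    value = _DOT_PATTERNS.sub(".", value.strip())
    return _COLON_PATTERNS.sub(":", value)


def format_ip(value: str) -> str:
    """Formatting logic for an IP indicator: un-escape, then validate.

    Returns the clean address, or '' when the result is not a valid IPv4/IPv6
    address, so that a bad extraction is dropped instead of stored as an indicator.
    """
    try:
        return str(ipaddress.ip_address(refang(value)))
    except ValueError:
        return ""


# Constructed sample allow-list of top-level domains. A real script would consult a
# maintained source such as the IANA root zone list rather than a hard-coded set.
SAMPLE_TLDS = {"com", "net", "org", "io", "example"}


def format_domain(value: str, valid_tlds=SAMPLE_TLDS) -> str:
    """Formatting logic for a Domain indicator with a TLD validity check.

    Un-escapes and lower-cases the value, then returns it only if it has at least two
    non-empty labels and its last label is a recognised TLD; otherwise returns ''.
    """
    candidate = refang(value).lower().rstrip(".")
    labels = candidate.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return ""
    if labels[-1] not in valid_tlds:
        return ""
    return candidate


def format_indicators(values, formatter):
    """Apply a formatter to several extracted values and keep only the valid results."""
    return [out for out in (formatter(v) for v in values) if out]


if __name__ == "__main__":
    # Constructed sample values of the kind regex extraction would hand to the script.
    ips = ["127[.]0[.]0[.]1", "10(.)0(.)0(.)256", "2001[:]db8::1"]
    domains = ["Evil[.]Example", "evil dot com", "evil[.]nottld", "localhost"]
    print("IPs:", format_indicators(ips, format_ip))
    print("Domains:", format_indicators(domains, format_domain))
```

Returning an empty string for an invalid value is what turns a formatting script into a validation gate: the cleaned value is what reaches the War Room and the Threat Intel database, and anything that fails the check never becomes an indicator.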
Out-of-the-box Formatting Scripts
You can create a new script, or you can use an out-of-the-box formatting script on the Scripts page, for example:
UnEscapeIPs:
Removes escaping characters from IP addresses. For example, 127[.]0[.]0[.]1 transforms to 127.0.0.1.
ExtractDomainAndFQDNFromUrlAndEmail:
Extracts domains and FQDNs from URLs and emails, used by the Domain indicator. It removes prefixes such as proofpoint or safelinks, removes escaped URLs, and extracts the FQDN.
ExtractEmailV2:
Verifies that an email address is valid and only returns the address if it is valid.