Indicator extraction identifies indicators in Cortex XSIAM alert fields and other text sources in the system (such as War Room entries and email content), extracts them (usually based on regex), and creates indicators in Cortex XSIAM. After extraction, the indicator can be enriched.
Indicator enrichment takes the extracted indicator and provides detailed information about it, based on enrichment feeds such as VirusTotal and IPinfo.
In Cortex XSIAM, the indicator extraction feature extracts indicators from War Room entries and enriches them using the commands and scripts defined for the indicator type.
You can extract indicators in the following scenarios:
When fetching alerts
In a playbook task
Using the command line
Note
Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as VirusTotal or Whois.
Indicator extraction modes
You set the indicator extraction mode:
In a playbook task.
When running a command during an investigation.
Indicator extraction supports the following modes:
None: Indicators are not extracted automatically. Use this option when you do not want to further evaluate the indicators.
Inline: Indicators are extracted within the context that indicator extraction runs (synchronously). The findings are added to the context data. For example, if indicator extraction mode for a task in a playbook is inline, the extraction and enrichment must complete before the next task begins. This option provides the most robust information available per indicator.
Note
The inline configuration may delay playbook execution.
Note
While indicator creation is asynchronous, indicator extraction and enrichment run synchronously. The data is placed into the alert context and is available to subsequent tasks through the context.
All indicators are automatically extracted and enriched before a playbook is run. When a field changes, extraction occurs before the next playbook tasks run.
Out of band: Indicators are extracted in parallel (asynchronously) with other actions. The extracted data becomes available within the alert, but it cannot be used immediately in task inputs or outputs because it is not available in real time.
For alert creation, out of band is used in the rare cases where the subsequent playbook flow does not need the extracted indicators, but you still want to extract them and save them in the system as indicators so that they can be manually reviewed at a later stage. System performance may be better in out of band mode, because the playbook flow does not stop for extraction. If the alert contains indicators that are needed or expected in the subsequent playbook execution flow, use inline, because inline does not execute the playbook until all indicators have been extracted from the alert.
Note
When using out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select inline.
Indicators are extracted according to the following system defaults:
Alert creation - inline
Tasks - none, but can be overridden on a per-task basis
CLI - out of band, but can be overridden on a per-command basis
Troubleshoot indicator extraction
If indicators are not extracted, check whether the indicator extraction mode is set to none, and verify that the indicator is not in the Exclusion List, either as a literal entry or as a match of a regular expression (regex) entry.
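The following Python script is an added illustration of the behaviour described in the indicator extraction modes and troubleshooting sections above; it is not Cortex XSIAM code and does not use the product's own extraction definitions. It models three things: regex-based extraction of a few indicator types from alert text, an Exclusion List whose entries match either literally or as a regex (the reason an indicator may silently fail to extract), and the difference between inline mode (results land in the alert context before the next task runs) and out of band mode (indicators are created, but never appear in the context). The indicator patterns, the `enrich` stand-in for reputation commands, the sample alert text and the exclusion entries are all constructed assumptions.

```python
import re
import threading
from dataclasses import dataclass, field

# Constructed, simplified patterns; Cortex XSIAM defines its own per indicator type.
INDICATOR_PATTERNS = {
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io)\b", re.IGNORECASE),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}

# Constructed sample alert text (203.0.113.0/24 is a documentation range; the hash is SHA-256 of "").
SAMPLE_ALERT_TEXT = (
    "User opened mail from mailer.example.com and downloaded http://evil-files.net/x.exe "
    "(callback 203.0.113.45). Hash: "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. Host 10.0.0.1 isolated."
)

# Constructed Exclusion List: one literal entry and one regex entry.
EXCLUSION_LIST = ["mailer.example.com", r"10\.0\.0\.\d+"]


def is_excluded(value, exclusion_list):
    """True if an exclusion entry equals the value or fully matches it as a regex."""
    for entry in exclusion_list:
        if value == entry:
            return True
        try:
            if re.fullmatch(entry, value, re.IGNORECASE):
                return True
        except re.error:  # a literal entry that is not a valid regex is still a literal
            continue
    return False


def extract_indicators(text, exclusion_list=()):
    """Return {type: [unique values]} for every pattern hit that is not excluded."""
    found = {}
    for ind_type, pattern in INDICATOR_PATTERNS.items():
        values = []
        for match in pattern.finditer(text):
            value = match.group(0)
            if value not in values and not is_excluded(value, exclusion_list):
                values.append(value)
        if values:
            found[ind_type] = values
    return found


def enrich(ind_type, value):
    """Constructed stand-in for a reputation command such as !ip or !domain."""
    score = 3 if value.startswith("203.0.113.") else 1  # hypothetical verdicts
    return {"type": ind_type, "value": value, "score": score}


@dataclass
class Alert:
    text: str
    context: dict = field(default_factory=dict)      # what later playbook tasks can read
    indicators: list = field(default_factory=list)  # indicator store, outside the context


def run_extraction(alert, mode, exclusion_list=()):
    """Apply one extraction mode: 'none', 'inline' or 'out of band'."""
    if mode == "none":
        return None  # nothing is extracted; a common reason for "missing" indicators

    def work():
        found = extract_indicators(alert.text, exclusion_list)
        enriched = [enrich(t, v) for t, values in found.items() for v in values]
        alert.indicators.extend(enriched)  # indicators are created in both modes
        if mode == "inline":
            # Only inline publishes results into the context for the next task.
            alert.context["ExtractedIndicators"] = found
            alert.context["Enrichment"] = enriched

    if mode == "inline":
        work()  # synchronous: the next task cannot start until this returns
        return None
    if mode == "out of band":
        worker = threading.Thread(target=work)
        worker.start()  # asynchronous: the playbook flow continues immediately
        return worker  # caller may join() later to wait for indicator creation
    raise ValueError(f"unknown extraction mode: {mode}")


if __name__ == "__main__":
    inline_alert = Alert(SAMPLE_ALERT_TEXT)
    run_extraction(inline_alert, "inline", EXCLUSION_LIST)
    print("inline context:", inline_alert.context["ExtractedIndicators"])

    oob_alert = Alert(SAMPLE_ALERT_TEXT)
    run_extraction(oob_alert, "out of band", EXCLUSION_LIST).join()
    print("out of band context:", oob_alert.context, "| indicators created:", len(oob_alert.indicators))
```

Running it shows `mailer.example.com` dropped by the literal exclusion entry and `10.0.0.1` dropped by the regex entry, which is exactly the check the troubleshooting section asks for; the inline alert carries the remaining indicators in its context, while the out of band alert has the same indicators created but an empty context.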