Indicator extraction - Administrator Guide - Threat Intel Management Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Indicator extraction extracts indicators from Cortex XSIAM alert fields and enriches them with commands and scripts defined for the indicator type.

Indicator extraction identifies indicators from different text sources in the system (such as War Room entries, email content, etc), extracts them (usually based on regex), and creates indicators in Cortex XSIAM . After extraction, the indicator can be enriched.

Indicator enrichment takes the extracted indicator and provides detailed information about the indicator, based on enrichment feeds such as VirusTotal and IPinfo.

In Cortex XSIAM, the indicator extraction feature extracts indicators from War Room entries and enriches them using commands and scripts defined for the indicator type.

You can extract indicators in the following scenarios:

  • When fetching alerts

  • In a playbook task

  • Using the command line


Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as VirusTotal and Whois.

Indicator extraction modes

You set the indicator extraction mode:

  • In a playbook task.Create indicator extract rules for a playbook task

  • Running a command during an investigation.Run Indicator Extraction in the CLI

Indicator extraction supports the following modes:

  • None: Indicators are not extracted automatically. Use this option when you do not want to further evaluate the indicators.

  • Inline: Indicators are extracted within the context that indicator extraction runs (synchronously). The findings are added to the context data. For example, if indicator extraction mode for a task in a playbook is inline, the extraction and enrichment must complete before the next task begins. This option provides the most robust information available per indicator.

    • Note

      The inline configuration may delay playbook execution.


      While indicator creation is asynchronous, indicator extraction and enrichment are run synchronously. Data is placed into the alert context and is available via the context for subsequent tasks.

      All indicators are automatically extracted and enriched before a playbook is run. For an on-field change, extraction occurs before the next playbook tasks run.

  • Out of band: Indicators are extracted in parallel (asynchronously) to other actions. The extracted data will be available within the alert, however, it is not available for immediate use in task inputs or outputs since the information is not available in real-time.

    For alert creation, out of band is used in rare cases where you do not need the indicators extracted for the proceeding flow of the playbook. You still want to extract them and save them in the system as indicators, so that they can be reviewed at a later stage for manual review. System performance may be better when using out of band mode, as the playbook flow does not stop for extraction. If the alert contains indicators that are needed or expected in the proceeding playbook execution flow, inline should be used, as inline will not execute the playbook before all indicators are extracted from the alert.


    When using out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear select inline.

  • Indicators are extracted according to the following system defaults:

    • Alert creation - inline

    • Tasks - none, can be overridden on a per task basis

    • CLI - out of band, but can be overridden on a per-command basis

Troubleshoot indicator extraction

If indicators are not extracted, check whether the indicator mode is set to none, and verify the indicator is not in the Exclusion List, as is or as part of a regular expression (regex).