Disable Indicator Extraction for Scripts or Integrations

Product: Cortex XSIAM
Creation date: 2023-07-30
Last date published: 2024-04-15
Category: Threat Intel Management Guide
Abstract

Disable indicator extraction for a specific script or integration in Cortex XSIAM.

This procedure describes how to disable indicator extraction for a specific script or an integration.

  • To disable indicator extraction for a script, set the IgnoreAutoExtract key to True in the entry that the script returns.

    For example:

    entry = {
        'Type': entryTypes['note'],
        'Contents': {
            'Echo': demisto.args()['echo']
        },
        'ContentsFormat': formats['json'],
        'ReadableContentsFormat': formats['markdown'],
        'HumanReadable': hr,
        # Skip indicator extraction for this entry
        'IgnoreAutoExtract': True
    }
  • To disable indicator extraction for an integration, set the 'IgnoreAutoExtract' key to True in the entry that the integration returns.

    For example, in the ServiceNow integration:

    entry = {
        'Type': entryTypes['note'],
        'Contents': result,
        'ContentsFormat': formats['json'],
        'ReadableContentsFormat': formats['markdown'],
        'HumanReadable': tableToMarkdown('ServiceNow ticket', hr, headers=headers, removeNull=True),
        'EntryContext': {
            'Ticket(val.ID===obj.ID)': context,
            'ServiceNow.Ticket(val.ID===obj.ID)': context
        },
        # Skip indicator extraction for this entry
        'IgnoreAutoExtract': True
    }
    entries.append(entry)
    return entries

For more information about command results in Python, see Python code conventions for CommandResults.
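
Because an entry returned with IgnoreAutoExtract set to True is skipped by indicator extraction, it helps to know which entries in a custom script or integration carry the flag. The following is an added example, not part of the original guide or of Cortex content: it parses Python source without running it and reports the flag for each entry dict. The function name `audit_entries`, the sample source, and the heuristic that an entry is a dict literal with both 'Type' and 'Contents' keys are assumptions.

```python
import ast

# Constructed sample: source of a hypothetical script that builds two entries.
SAMPLE_SCRIPT = """
entry_a = {
    'Type': entryTypes['note'],
    'Contents': {'Echo': demisto.args()['echo']},
    'ContentsFormat': formats['json'],
    'IgnoreAutoExtract': True
}
entry_b = {
    'Type': entryTypes['note'],
    'Contents': result,
    'ContentsFormat': formats['json']
}
"""


def audit_entries(source):
    """Return sorted (line, status) pairs for each entry-like dict literal in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        # Map literal string keys to their value nodes; ** unpacking has no key and is skipped.
        keys = {k.value: v for k, v in zip(node.keys, node.values)
                if isinstance(k, ast.Constant) and isinstance(k.value, str)}
        if 'Type' not in keys or 'Contents' not in keys:
            continue  # assumed heuristic: not an entry (e.g. the nested Contents dict)
        flag = keys.get('IgnoreAutoExtract')
        if flag is None:
            status = 'not-disabled'  # key absent, extraction is not disabled here
        elif isinstance(flag, ast.Constant):
            status = 'disabled' if flag.value is True else 'not-disabled'
        else:
            status = 'dynamic'  # value computed at run time, review by hand
        findings.append((node.lineno, status))
    return sorted(findings)


if __name__ == '__main__':
    for line, status in audit_entries(SAMPLE_SCRIPT):
        print(f'line {line}: indicator extraction {status}')
```

Entries reported as dynamic set the flag from a variable or expression, so their behaviour depends on the run-time value.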