Indicator Extraction Modes - Threat Intel Management Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.10
Creation date: 2022-10-13
Last date published: 2024-03-05
End of life: EoL
Category: Threat Intel Management Guide
Abstract

Configure the indicator extraction mode. Options are none (no extraction), inline, out-of-band, or use system default.

Indicator extraction supports the following modes, each listed with its description:

None

Indicators are not extracted automatically. Use this option when you do not want to evaluate the indicators.

Inline

Indicators are extracted synchronously, within the context in which indicator extraction runs, and the findings are added to the context data. For example, if you define indicator extraction for the phishing incident type as inline:

  • For incident creation, by default the playbook you defined to run does not start until the indicators have been extracted.

  • For a field change, extraction occurs before the next playbook tasks run. Use this option when you need the most complete information available for each indicator.

Note

This configuration may delay playbook execution (incident creation). While indicator creation is asynchronous, indicator extraction and enrichment are run synchronously. The data is placed into the incident context and is available through the context to subsequent tasks.

Out of band

Indicators are extracted in parallel with (asynchronously to) other actions. The extracted data is available within the incident, but it is not available for immediate use in task inputs or outputs, because the information is not available in real time.

For incident creation, out of band is used in the rare cases where the playbook flow does not need the extracted indicators, but you still want them extracted and saved in the system as indicators so that they can be reviewed manually at a later stage. System performance may be better because the playbook flow does not stop to extract. If the incident contains indicators that are needed or expected in the subsequent playbook execution flow, use inline instead, since it does not execute the playbook until all indicators have been extracted from the incident.

Note

When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.
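The difference between Inline and Out of band described above is easiest to see when a playbook task consumes the context. The following Python simulation is an added example and is not Cortex XSOAR code: the regex extractor, the `IndicatorStore` class, the `Incident` dataclass, the `ExtractedIndicators` context key and the sample incident fields are all assumptions made for illustration. With `inline`, the first playbook task sees the extracted IP in context; with `out-of-band`, extraction still runs and the indicators still reach the store, but the context stays empty and the task has nothing to act on; with `none`, nothing is extracted.

```python
import re
import threading
from dataclasses import dataclass, field

# Constructed sample incident fields (illustrative values, not from any real case).
SAMPLE_INCIDENT = {
    "name": "Suspicious login page",
    "details": "User clicked http://login-update.example.net/verify from 203.0.113.45",
    "attachmentsha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "severity": 2,
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[A-Fa-f0-9]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def _valid_ipv4(candidate: str) -> bool:
    # Reject regex matches with octets above 255 (e.g. 999.1.1.1).
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_indicators(fields: dict) -> dict:
    """Simple regex extractor standing in for the platform's built-in one (assumption)."""
    found = {"ip": set(), "sha256": set(), "domain": set()}
    for value in fields.values():
        if not isinstance(value, str):
            continue  # only string fields can carry indicators
        found["ip"].update(ip for ip in IPV4_RE.findall(value) if _valid_ipv4(ip))
        found["sha256"].update(h.lower() for h in SHA256_RE.findall(value))
        found["domain"].update(d.lower() for d in DOMAIN_RE.findall(value))
    return {kind: sorted(values) for kind, values in found.items()}


class IndicatorStore:
    """Stands in for the system-wide indicator database (assumption)."""

    def __init__(self):
        self._lock = threading.Lock()  # out-of-band writes arrive from another thread
        self._items = []

    def add(self, indicators: dict) -> None:
        with self._lock:
            for kind, values in indicators.items():
                self._items.extend((kind, v) for v in values)

    def snapshot(self) -> list:
        with self._lock:
            return sorted(self._items)


@dataclass
class Incident:
    fields: dict
    context: dict = field(default_factory=dict)


def first_playbook_task(incident: Incident) -> list:
    """A task that can only act on what is already in context when it runs."""
    ips = incident.context.get("ExtractedIndicators", {}).get("ip", [])
    return [f"block {ip}" for ip in ips]


def create_incident(fields: dict, mode: str, store: IndicatorStore) -> tuple:
    """Create an incident, apply the chosen extraction mode, then run the playbook."""
    incident = Incident(dict(fields))
    worker = None
    if mode == "inline":
        # Synchronous: extract, write to context, store, and only then run the playbook.
        extracted = extract_indicators(incident.fields)
        incident.context["ExtractedIndicators"] = extracted
        store.add(extracted)
    elif mode == "out-of-band":
        # Asynchronous: extraction runs in parallel and never touches the context.
        worker = threading.Thread(target=lambda: store.add(extract_indicators(incident.fields)))
        worker.start()
    elif mode != "none":
        raise ValueError(f"unknown extraction mode: {mode}")
    actions = first_playbook_task(incident)  # runs immediately in out-of-band and none
    if worker is not None:
        worker.join()  # the system still finishes saving the indicators
    return incident, actions


if __name__ == "__main__":
    for mode in ("inline", "out-of-band", "none"):
        store = IndicatorStore()
        incident, actions = create_incident(SAMPLE_INCIDENT, mode, store)
        print(mode, "-> task actions:", actions, "| stored:", store.snapshot())
```

The `worker.join()` is there only so the demonstration is deterministic; it models the system eventually saving the indicators, not the playbook waiting for them. In the real product the task in the out-of-band case would have run long before extraction finished, which is why the page advises inline whenever later tasks depend on the indicators.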

Use system default

Indicators are extracted according to the following defaults:

  • Incident creation: Sets the indicator extraction mode for incident creation. It extracts from all associated fields at the point of incident creation. You can change the value when editing an incident type, which overrides this system configuration for this incident type. Default: Inline.

  • Incident field change: Sets the indicator extraction mode for incident field change. You can change the value when editing an incident type, which overrides this system configuration for this incident type. Default: Out of band.

  • Tasks: Applies to the result of the task. You can change the value when editing a task, which overrides the system configuration for this task. Default: None.

  • Manual: Applies to commands triggered from the CLI. You can change the value when using the indicator extraction parameter, which overrides the system configuration for this command. Default: Out of band.