Configure the indicator extraction mode. Options are none (no extraction), inline, out-of-band, or use system default.
Indicator extraction supports the following modes:
Mode | Description |
---|---|
None | Indicators are not extracted automatically. Use this option when you do not want to evaluate the indicators. |
Inline | Indicators are extracted within the context in which indicator extraction runs (synchronously), and the findings are added to the context data. For example, if you define indicator extraction for the phishing incident type as inline: **Note:** This configuration may delay playbook execution (incident creation). Although indicator creation is asynchronous, indicator extraction and enrichment run synchronously. The data is placed in the incident context and is available to subsequent tasks through the context. |
Out of band | Indicators are extracted in parallel with (asynchronously to) other actions. The extracted data is available within the incident, but not for immediate use in task inputs or outputs, because it is not available in real time. For incident creation, out of band is used in the rare cases where the playbook flow does not need the extracted indicators but you still want them extracted and saved in the system as indicators for later manual review. System performance may be better because the playbook flow does not stop to extract, but if the incident contains indicators that the subsequent playbook flow needs or expects, use inline, which does not execute the playbook until all indicators have been extracted from the incident. **Note:** When using out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline. |
Use system default | Indicators are extracted according to the following defaults: |
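The practical difference between the modes is what a playbook task can read from context at the moment it runs. The following simulation is an added example written for this page, not code from the platform: it models a single incident, a system-wide indicator store, and a first playbook task whose input reads extracted indicators from context. The incident text, the regex extractors, the `Incident` class and all function names are constructed for the illustration; the platform's real extractors and context keys are not shown here. Inline extraction completes before the task runs and writes to context; out-of-band extraction is queued, so the task sees nothing and the results only ever reach the indicator store; none extracts nothing.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample incident text (not taken from the original page).
SAMPLE_INCIDENT_TEXT = (
    "Phishing report: user clicked http://login.example.test/reset "
    "sent from 198.51.100.23; attachment sha256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
)

# Minimal regex extractors standing in for the platform's built-in ones (assumption).
INDICATOR_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "URL": re.compile(r"https?://[^\s;]+"),
    "SHA256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
}


def extract_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs found in text, in pattern order."""
    return [(itype, value)
            for itype, pat in INDICATOR_PATTERNS.items()
            for value in pat.findall(text)]


@dataclass
class Incident:
    raw_text: str
    # Incident context data read by playbook task inputs.
    context: Dict[str, list] = field(default_factory=dict)
    # Asynchronous work that a background worker has not yet run.
    pending_jobs: List[Callable[[], None]] = field(default_factory=list)


def _extract_and_store(incident: Incident, store: list, write_context: bool) -> None:
    """Extract once; save to the system-wide store and, for inline, to context."""
    found = extract_indicators(incident.raw_text)
    store.extend(found)
    if write_context:
        incident.context["ExtractedIndicators"] = found


def run_extraction(incident: Incident, mode: str, store: list) -> None:
    """Model the three explicit modes from the table above."""
    if mode == "none":
        return
    if mode == "inline":
        # Synchronous: the caller (playbook start) blocks until this returns.
        _extract_and_store(incident, store, write_context=True)
    elif mode == "out-of-band":
        # Asynchronous: queue the job; the playbook proceeds without waiting,
        # and the results never land in context.
        incident.pending_jobs.append(
            lambda: _extract_and_store(incident, store, write_context=False))
    else:
        raise ValueError(f"unknown extraction mode: {mode}")


def first_playbook_task(incident: Incident) -> List[Tuple[str, str]]:
    """A task whose input reads the extracted indicators from context."""
    return incident.context.get("ExtractedIndicators", [])


def drain_pending(incident: Incident) -> None:
    """Simulate the background worker finishing queued (out-of-band) jobs."""
    while incident.pending_jobs:
        incident.pending_jobs.pop(0)()


def simulate(mode: str) -> dict:
    """Run extraction in the given mode and report what each consumer sees."""
    store: list = []
    incident = Incident(SAMPLE_INCIDENT_TEXT)
    run_extraction(incident, mode, store)
    seen_by_task = first_playbook_task(incident)  # runs right after extraction is triggered
    drain_pending(incident)                       # background work completes later
    return {
        "seen_by_first_task": len(seen_by_task),
        "in_context_after": len(incident.context.get("ExtractedIndicators", [])),
        "in_indicator_store": len(store),
    }


if __name__ == "__main__":
    for mode in ("inline", "out-of-band", "none"):
        print(mode, simulate(mode))
```

Running the block prints one line per mode. The out-of-band row is the one to note when designing a playbook: the indicator store ends up with the same three indicators as inline, but the first task saw zero of them and context stays empty even after the background job finishes, which is exactly why tasks that consume extracted indicators need inline.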