Create Indicator Extract Rules for a Playbook Task - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-04-08
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create indicator extraction rules for a playbook task in Cortex XSOAR. Set extraction for a playbook task.

When using indicator extraction rules, indicators are extracted from tasks in playbooks.

The default indicator extraction value depends on the playbook task. For example, the indicator extraction mode is set to none in the Enrich offending user account task (from the Impossible Traveler playbook). In the Extract the email address of the reporting user task (from the Phishing Generic V3 playbook) indicator extract is set to system default.

Note

If you select system default in a task, the default is set to none. You can change the default by updating the reputation.calc.algorithm.tasks server configuration. For more information, see Indicator Extraction Modes.

You can use the following commands in a task:

  • extractIndicators

  • Reputation commands, such as !ip, !domain, etc.

    Note

    Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as Virus Total and Whois.

  • enrichIndicators

For more information, see Run Indicator Extraction in the CLI.

  1. If a content pack installed playbook, click either Duplicate Playbook or Detach Playbook.

  2. Select the playbook you want to extract indicators, and click Edit.

  3. In the playbook, click a task to extract indicators.

  4. Click the Advanced tab.

  5. In the indicator extraction dropdown menu, select the mode you want to use.

  6. Click OK.

Extract Indicators from a Phishing Email

The following scenario shows how indicator extraction is used in the Process Email - Generic playbook to extract and enrich a very specific group of indicators.

This playbook parses the headers in the original email used in a phishing attack. It is important to parse the original email used in the phishing attack and not the email that was forwarded to ensure that you only extract the email headers from the malicious email and not the one your organization uses to report phishing attacks.

  1. Go to the Playbooks page and search for the Process Email - Generic v2 playbook.

  2. Click either Duplicate Playbook or Detach Playbook.

  3. If you have already duplicated or detached the playbook, click Edit.

  4. Scroll down and open the Add original email details to context task.

  5. In the Automation field, click Set and select ParseEmailFilesV2.

    In the Outputs tab you can see all of the different data that the task extracts, such as Email To, CC, From, etc.

  6. Go to the Advanced tab.

    Under Indicator Extraction mode, ensure that the Inline option is selected. This indicates that all of the outputs are processed before the playbook moves ahead to the next task.

  7. Open the Display email information in layout task. This task receives the data from the saved attachment tasks and sets the various data points to context.

    Under the Advanced tab, ensure that Indicator Extraction mode is set to None, as the indicators have already been extracted earlier in the Extract email artifacts and attachments task and there is no need to do it again.