You can extract indicators from incident fields on creation of an incident and when a field changes. For example, you want to extract the IP address upon incident creation and again when the field changes.
The indicator extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type.
Go to→ → → .
(Content Pack installed incident types) Select the incident type checkbox to define the extraction rules and click Detach.
From the Indicators Extraction Rules tab, in the On incident creation and the On field change fields, select the required indicator extraction mode.
If you select Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear, select Inline.
In the What to Extract section, if you want to extract all incident fields, select Extract all indicators from all fields.
If you want to choose which indicators are extracted according to each field, select Extract specific indicators.
You can search and filter the incident fields. For each field, use the dropdown menu to control the indicator types to extract:
(Optional) You can select all indicators, set all indicators to none, or copy settings from an incident type by clicking (to the right of the table’s column headers).
Indicator type to extract
No indicators are extracted.
All indicator types with regex
Some indicator types are associated with a regex (such as IP), and some are not (such as Registry Key).
Only indicators that are associated with a regex are extracted.
Specific indicator types
You can choose one or more indicator types based on regex. The system extracts values that match the regex from this incident field.
Select the Use field value checkbox, to use any indicator based on the field value (not regex based). This creates an indicator out of the entire value of the field, regardless whether the indicator type has a configured regex. This can be used in cases such as extracting hostnames.
Note the following:
It is recommended to turn off (none) incident extraction for the Labels incident field. When an incident JSON is received from an integration, the JSON members are mapped to incident fields (based on the mapping configuration). Every member in the JSON that was not mapped to a field, will be written to the Labels field. If the Labels field extracts indicators, it can expose unmapped or unknown data to external sources. You should only map the relevant data to fields and set their extraction settings.
If you want to extract attachments, select the attachment field and then select File as the indicator type to extract. The File extracts a hash (usually SHA-256), which can be viewed in the War Room. You may want to disable indicator extraction for attachments to reduce external API usage and protect restricted data (the hash) from being sent.
(Optional) If you want to configure what the indicator type executes, go to edit an indicator type.→ → → and
Add scripts and reputation commands as you require. When indicator extraction is used, it extracts indicators defined in an indicator type, and enriches those indicators using its commands. For example, the URL indicator is enriched using the
In this example, if an email is forwarded that potentially includes phishing, we want to extract at incident creation (inline) and upon a field change (out of band):
Email Body: Extract all indicators.
Email From: Extract Email only.
Email Subject: Extract all indicators.
Email To: Extract Email only.