Create Indicator Extraction Rules for an Incident Type - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-03-05
End_of_Life
EoL
Category
Threat Intel Management Guide
Abstract

Create indicator extraction rules for an incident type. Customize indicator extraction in Cortex XSOAR.

You can extract indicators from incident fields on creation of an incident and when a field changes. For example, you want to extract the IP address upon incident creation and again when the field changes.

indicator-extract-new.png

The indicator extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type.

  1. Go to SettingsOBJECTS SETUPIncidentsTypes.

  2. (Content Pack installed incident types) Select the incident type checkbox to define the extraction rules and click Detach.

  3. Click Edit.

  4. From the Indicators Extraction Rules tab, in the On incident creation and the On field change fields, select the required indicator extraction mode.

    If you select Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear, select Inline.

  5. In the What to Extract section, if you want to extract all incident fields, select Extract all indicators from all fields.

  6. If you want to choose which indicators are extracted according to each field, select Extract specific indicators.

    You can search and filter the incident fields. For each field, use the dropdown menu to control the indicator types to extract:

    (Optional) You can select all indicators, set all indicators to none, or copy settings from an incident type by clicking gear-icon.png (to the right of the table’s column headers).

    Indicator type to extract

    Description

    None

    No indicators are extracted.

    All indicator types with regex

    Some indicator types are associated with a regex (such as IP), and some are not (such as Registry Key).

    Only indicators that are associated with a regex are extracted.

    Specific indicator types

    You can choose one or more indicator types based on regex. The system extracts values that match the regex from this incident field.

    Select the Use field value checkbox, to use any indicator based on the field value (not regex based). This creates an indicator out of the entire value of the field, regardless whether the indicator type has a configured regex. This can be used in cases such as extracting hostnames.

    extract-fig1.png

    Note the following:

    • It is recommended to turn off (none) incident extraction for the Labels incident field. When an incident JSON is received from an integration, the JSON members are mapped to incident fields (based on the mapping configuration). Every member in the JSON that was not mapped to a field, will be written to the Labels field. If the Labels field extracts indicators, it can expose unmapped or unknown data to external sources. You should only map the relevant data to fields and set their extraction settings.

    • If you want to extract attachments, select the attachment field and then select File as the indicator type to extract. The File extracts a hash (usually SHA-256), which can be viewed in the War Room. You may want to disable indicator extraction for attachments to reduce external API usage and protect restricted data (the hash) from being sent.

  7. Click Save.

  8. (Optional) If you want to configure what the indicator type executes, go to SettingsOBJECTS SETUPIndicatorsTypes and edit an indicator type.

    Add scripts and reputation commands as you require. When indicator extraction is used, it extracts indicators defined in an indicator type, and enriches those indicators using its commands. For example, the URL indicator is enriched using the !url command.

In this example, if an email is forwarded that potentially includes phishing, we want to extract at incident creation (inline) and upon a field change (out of band):

  • Email Body: Extract all indicators.

  • Email From: Extract Email only.

  • Email Subject: Extract all indicators.

  • Email To: Extract Email only.

extract-fig2.png