Disable Indicator Extraction for Automations or Integrations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-02-07
End_of_Life: EoL
Category: Threat Intel Management Guide

This procedure describes how to disable indicator extraction for a specific automation or an integration.

  • Do one of the following:

    • To disable indicator extraction for an automation, set the IgnoreAutoExtract key to True in the entry that the automation returns.

      For example:

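      # entryTypes, formats and demisto are provided by the XSOAR script environment;
      # hr is the human-readable markdown string built earlier in the script.
      entry = {
          'Type': entryTypes['note'],
          'Contents': {
              'Echo': demisto.args()['echo']
          },
          'ContentsFormat': formats['json'],
          'ReadableContentsFormat': formats['markdown'],
          'HumanReadable': hr,
          # Skip indicator extraction for this entry.
          'IgnoreAutoExtract': True
      }
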
    • To disable indicator extraction for an integration, set the IgnoreAutoExtract key to True in the entry that the integration command returns.

      For example in the ServiceNow integration:

      entry = {
          'Type': entryTypes['note'],
          'Contents': result,
          'ContentsFormat': formats['json'],
          'ReadableContentsFormat': formats['markdown'],
          'HumanReadable': tableToMarkdown('ServiceNow ticket', hr, headers=headers, removeNull=True),
          'EntryContext': {
              'Ticket(val.ID===obj.ID)': context,
              'ServiceNow.Ticket(val.ID===obj.ID)': context
          },
          'IgnoreAutoExtract': True
      }
      entries.append(entry)
      return entries

    For more information about command results in Python, see Python code conventions for CommandResults.
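
    To see which entry dicts in a script's source already set the flag shown above, a static scan with Python's ast module is one option. This is an added example, not code from the product or this guide; audit_entries is a hypothetical helper, and treating any dict literal with both 'Type' and 'Contents' keys as an entry is an assumption.

```python
import ast

# Assumption: an "entry" is any dict literal that has both of these string keys.
ENTRY_KEYS = {"Type", "Contents"}
FLAG = "IgnoreAutoExtract"


def audit_entries(source):
    """Return sorted (line, status) pairs for each entry dict literal in source.

    status is 'suppressed' when IgnoreAutoExtract is the literal True,
    'not suppressed' when the key is missing or a literal other than True,
    and 'dynamic' when the value is computed and cannot be judged statically.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        # Map string-literal keys to value nodes; **unpacking has a None key.
        keys = {k.value: v for k, v in zip(node.keys, node.values)
                if isinstance(k, ast.Constant) and isinstance(k.value, str)}
        if not ENTRY_KEYS <= keys.keys():
            continue  # nested payload dicts such as 'Contents': {...} land here
        value = keys.get(FLAG)
        if value is None:
            status = "not suppressed"
        elif isinstance(value, ast.Constant):
            status = "suppressed" if value.value is True else "not suppressed"
        else:
            status = "dynamic"
        findings.append((node.lineno, status))
    return sorted(findings)


# Constructed sample script, modelled on the entries shown in this procedure.
SAMPLE = '''
quiet = {'Type': entryTypes['note'], 'Contents': result,
         'ContentsFormat': formats['json'], 'IgnoreAutoExtract': True}
noisy = {'Type': entryTypes['note'], 'Contents': raw,
         'ContentsFormat': formats['text']}
maybe = {'Type': entryTypes['note'], 'Contents': raw,
         'IgnoreAutoExtract': skip_extract}
'''

if __name__ == "__main__":
    for line, status in audit_entries(SAMPLE):
        print(f"line {line}: IgnoreAutoExtract {status}")
```

    Entries reported as dynamic set the flag from a variable, so they need a manual look at where that value comes from.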