Indicator extraction - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-28
Category
Administrator Guide
Solution
On-prem
Abstract

Extract indicators from Cortex XSOAR incident fields and enrich them with commands and scripts defined for the indicator type.

Indicator extraction identifies indicators from different text sources in the system (such as War Room entries, email content, etc.), extracts them (usually based on regex) and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.

After indicators are extracted, they are enriched using commands and scripts defined for the indicator type. Indicator enrichment provides detailed information about the indicator, based on enrichment feeds such as VirusTotal and IPinfo.

Note

Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as Virus Total and Whois.

Some content packs include a dashboard and widget that track API rate limit errors. You can use this information for troubleshooting and to make decisions about indicator enrichment.

Indicator Extraction Methods

You can customize indicator extraction using the following methods:

  • Incident types

    You can extract indicators from incident fields when an incident is created and when an incident field changes. Indicator extraction rules for content pack incident types are determined by the content pack. For example, in a Phishing incident type, by default, in the Destination IP field, IPv6 and IP indicators are extracted. For the Detection URL field, the URL indicator field is extracted.

    If enabled, indicator extraction is automatic. For example, in a Phishing incident, indicator extraction is set to extract the IP indicator (in the incident type). When the incident field updates, the IP indicator field is extracted automatically. In the War Room, you can check that the IP indicator field has been extracted by typing 1.1.1.1. Cortex XSOAR recognizes the indicator as an IP indicator by matching it to the IP indicator’s regex. It then extracts and enriches the indicator using an integration that includes the IP command (such as IPinfo).

    Note

    To change the indicator extraction rules for an incident type installed with a content pack, including an incident type propagated to a tenant in a multi-tenant environment, you need to detach the incident type. Once detached, the incident type does not receive new content from Cortex XSOAR. If you want to receive content updates reattach the incident type. If you want to instead receive content updates and save the content, duplicate the incident type and edit the duplicate type. For more information, see Incident layout customization.

    Caution

    Extracting indicators can adversely affect system performance. We recommend that you define extraction settings for each incident type, as needed.

    For example, for Malware you may want to extract all IP addresses, for Phishing you may only want to extract IP addresses from specific email headers. For attachments, you may want to disable indicator extraction to reduce external API usage and protect restricted data (the hash) from being sent.

  • Playbook tasks. For more information, see Set the indicator extraction mode for a playbook task.

  • Commands: Run a command using the command line in Cortex XSOAR during an investigation. For more information, see Extract and enrich an indicator.

Indicator Extraction Mode Options

Indicator Extraction supports the following modes:

  • None

  • Inline

  • Out of band

  • Use system default

For detailed information about the modes and how to set them up, see Indicator extraction modes.

Indicator Scripts

When creating or editing an indicator type, you can add the following scripts:

During the indicator extraction and extraction flow, the order of execution is regex, formatting script, and reputation command, reputation script. Enhancement scripts are not part of the flow.

Indicators are identified using regex, and then the formatting script transforms the regex into a usable indicator for use in Cortex XSOAR in the War Room, reports, dashboards, etc. Reputation commands and scripts enable you to change the reputation of the indicator.

Enhancement scripts enable you to gather additional data about the highlighted entry in the War Room.

Indicator Extraction and Enrichment in the CLI

You can run commands in the CLI, such as !extractIndicators, !enrichindicators, !ip , !domain, and reputation script commands such as !1URLReputation, !IPReputation. For more information, see Extract and enrich an indicator.