Extract Indicators Manually - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-02-14
Last date published
2024-06-20
Category
Administrator Guide
Solution
Cloud
Abstract

Run manual indicator extraction via the CLI.

Indicator extraction identifies indicators from different text sources in the system (such as War Room entries), extracts them and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.

You can set up indicator extraction automatically in an incident type or in a playbook. For more information, see Indicator Extraction. If indicator extraction is turned off, or you want to extract an indicator manually, you can do the following:

  • Run Indicator Extraction in the CLI

    Note

    Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as Virus Total and Whois.

  • Run indicator extraction in the Quick View Window

    If there is a enhancement script attached to the indicator type, in the Indicator Quick View window, you can run a script to extract an indicator. For example, the Domain indicator type uses the DomainReputation enhancement script. In an incident that contains a domain indicator type, click Quick View. In the Indicators tab, click DomainActionsDomainReputation.

    You can also run the script-based reputation command in the CLI.

    Note

    Running a script-based reputation command, like DomainReputation is different from running a non script-based reputation command. Script-based reputation commands are run based on the indicator type, but reputation commands, such as ip are run on a specific indicator.