Run manual indicator extraction via the CLI.
Indicator extraction identifies indicators from different text sources in the system (such as War Room entries), extracts them and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.
You can set up indicator extraction automatically in an incident type or in a playbook. For more information, see Indicator Extraction. If indicator extraction is turned off, or you want to extract an indicator manually, you can do the following:
Run Indicator Extraction in the CLI
Note
Reputation commands, such as !ip and !domain, can only be used after you configure and enable a reputation integration instance, such as Virus Total and Whois.
Run indicator extraction in the Quick View Window
If there is an enhancement script attached to the indicator type, you can run the script from the Indicator Quick View window to extract an indicator. For example, the Domain indicator type uses the enhancement script. In an incident that contains a domain indicator type, click Quick View. In the Indicators tab, click → → .
You can also run the script-based reputation command in the CLI.
Note
Running a script-based reputation command, like DomainReputation, is different from running a non-script-based reputation command. Script-based reputation commands are run based on the indicator type, but reputation commands, such as ip, are run on a specific indicator.