Troubleshoot indicator extraction

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-12-12
Category: Administrator Guide
Solution: Cloud

If indicators are not being extracted, check whether the indicator mode is set to none. Even if you select the relevant incident fields and the indicators to extract, no indicators are extracted while the mode is set to none.

When creating new incident types, if you select Extract all indicators from all fields, indicators are extracted from all fields, including custom fields. If you select Extract specific indicators by default, indicator extraction for new custom fields is set to none.

In a multi-tenant environment, when installing a content pack in Marketplace, the propagation labels enable the entire content pack to propagate to the tenant. For example, when installing the content pack (which includes an incident type) in the Marketplace, if the propagation label is set to all, the content pack is propagated to the tenant. Even if you later change the propagation label in the incident type, the incident type has already been propagated.

The incident type labels can also propagate the incident type to additional tenants to which the content pack was not propagated. If the incident type is not being updated in the tenant’s account, check whether the incident type is detached. If the tenant detaches the incident type, it no longer receives updates from the Main Account.