Run manual indicator extraction via the CLI.
Indicator extraction identifies indicators from different text sources in the system (such as War Room entries), extracts them and creates indicators in Cortex XSOAR. After extraction, the indicator can be enriched.
You can set up indicator extraction automatically in an incident type or in a playbook. For more information, see Indicator Extraction. If indicator extraction is turned off, or you want to extract an indicator manually, you can do the following:
Reputation commands, such as !domain, can only be used when you configure and enable a reputation integration instance, such as Virus Total, Whois, etc.
Run indicator extraction in the Quick View Window
If there is an enhancement script attached to the indicator type, in the Indicator Quick View window, you can run a script to extract an indicator. For example, the Domain indicator type uses the enhancement script. In an incident that contains a domain indicator type, click Quick View. In the Indicators tab, click → → .
You can also run the script-based reputation command in the CLI.
Running a script-based reputation command, like DomainReputation, is different from running a non-script-based reputation command. Script-based reputation commands are run based on the indicator type, but reputation commands, such as ip, are run on a specific indicator.