Extract Indicators Manually

Cortex XSOAR Threat Intel Management Guide


Run indicator extraction manually from the CLI or from the indicator Quick View window.

Indicator extraction identifies indicators in text sources in the system (such as War Room entries), extracts them, and creates them as indicators in Cortex XSOAR. After extraction, an indicator can be enriched.

You can set up indicator extraction to run automatically for an incident type or in a playbook. For more information, see Indicator Extraction. If indicator extraction is turned off, or you want to extract an indicator manually, do one of the following:

  • Run indicator extraction in the CLI

    In the CLI, run the reputation command for the indicator type, such as !ip or !domain, on the indicator value you want to extract.

    Reputation commands such as !ip and !domain can only be used after you configure and enable an instance of a reputation integration, such as VirusTotal or Whois.

  • Run indicator extraction in the Quick View window

    If an enhancement script is attached to the indicator type, you can run that script from the indicator Quick View window to extract and enrich the indicator. For example, the Domain indicator type uses the DomainReputation enhancement script. In an incident that contains a domain indicator, click Quick View. In the Indicators tab, click the Domain indicator, click Actions, and then click DomainReputation.

    You can also run the script-based reputation command in the CLI.


    Running a script-based reputation command, such as DomainReputation, differs from running a non-script-based reputation command. Script-based reputation commands run according to the indicator type, whereas reputation commands such as ip run on a specific indicator that you pass as an argument.
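As an added illustration of the two steps this page describes (extracting indicators from a War Room entry, then running a reputation command on each specific indicator), the following Python script is not Cortex XSOAR code and is not taken from the page. It refangs a constructed sample entry, extracts indicators by type with simple regexes, discards internal IP addresses, and then builds one CLI reputation command per indicator. The sample text is constructed, the regexes are deliberately simpler than the product's built-in extraction rules, and the command and argument names in CLI_COMMANDS (!ip, !domain, !url, !file, !email) are assumptions about the XSOAR CLI rather than something the page states.

```python
import ipaddress
import re

# Constructed sample War Room entry (not from the page or any real incident).
SAMPLE_ENTRY = """
Alert: beacon from 10.0.0.5 to 203.0.113.45 over hxxp://evil[.]example[.]com/payload.bin
C2 domain: c2[.]badhost[.]test
Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Sender admin@corp.example also hit 198.51.100.7 and https://login.example.net/
"""

# Common defanging conventions analysts use when pasting IOCs into the War Room.
DEFANG_MAP = [
    ("hxxps://", "https://"),
    ("hxxp://", "http://"),
    ("[.]", "."),
    ("(.)", "."),
    ("[@]", "@"),
]

# Indicator types in matching order. Each match is masked out before the next
# pattern runs, so a domain inside a URL or an email is not extracted twice.
PATTERNS = [
    ("URL", re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)),
    ("Email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("File SHA-256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("Domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

# Addresses that should never become indicators: RFC 1918, loopback, link-local.
# Documentation ranges (203.0.113.0/24, 198.51.100.0/24) are deliberately kept
# so the constructed sample yields results.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]


def refang(text: str) -> str:
    """Undo defanging so the regexes see the real indicator values."""
    for defanged, clean in DEFANG_MAP:
        text = text.replace(defanged, clean)
    return text


def is_routable_ip(value: str) -> bool:
    """Reject malformed dotted quads (e.g. 300.1.1.1) and internal addresses."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_indicators(text: str) -> dict:
    """Return {indicator type: sorted unique values} found in the text."""
    text = refang(text)
    found = {}
    for ind_type, pattern in PATTERNS:
        values = {m.group(0) for m in pattern.finditer(text)}
        if ind_type == "IP":
            values = {v for v in values if is_routable_ip(v)}
        if values:
            found[ind_type] = sorted(values)
        # Mask every match (kept or dropped) so later, looser patterns skip it.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


# Reputation command per indicator type. These run on one specific indicator,
# unlike script-based commands that run per indicator type. The command and
# argument names are assumptions about the Cortex XSOAR CLI, not from the page.
CLI_COMMANDS = {
    "IP": "!ip ip={}",
    "Domain": "!domain domain={}",
    "URL": "!url url={}",
    "File SHA-256": "!file file={}",
    "Email": "!email email={}",
}


def reputation_commands(indicators: dict) -> list:
    """Build one reputation command line per extracted indicator."""
    return [CLI_COMMANDS[t].format(v) for t, values in indicators.items() for v in values]


if __name__ == "__main__":
    result = extract_indicators(SAMPLE_ENTRY)
    for ind_type, values in result.items():
        print(ind_type, values)
    print("\n".join(reputation_commands(result)))
```

Running the script prints the five indicator types found in the sample and the matching command lines; 10.0.0.5 is dropped because it falls in an RFC 1918 range, which is the same kind of exclusion you want before a reputation lookup sends internal addresses to an external service.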