Formatting Script - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-02-22
Category: Threat Intel Management Guide

A formatting script enables you to modify how an indicator appears in Cortex XSOAR, for example in the War Room and in Reports. After indicators are extracted according to the regex, the script formats the extracted value so it can be used in Cortex XSOAR. For example, the IP indicator type uses the UnEscapeIPs formatting script, which removes any escaped characters from an IP address, such as turning 127[.]0[.]0[.]1 into 127.0.0.1. In the War Room, you can click on the IP address to view the extracted IP address. The indicator extracted using the formatting script is added to the Threat Intel database.

To apply a formatting script to an indicator type, navigate to Settings & Info → Settings → Object Setup → Indicators → Types. Select the indicator type, click Edit and select the desired formatting script from the drop-down list. Only formatting scripts that have the indicator-format tag applied appear in the list.

In the Automation page, there are a number of out-of-the-box formatting scripts, such as UnEscapeIPs, ExtractDomainAndFQDNFromUrlAndEmail, ExtractEmailV2, etc.

The ExtractDomainAndFQDNFromUrlAndEmail script, which is used by the Domain indicator type, extracts domains and FQDNs from URLs and email addresses. It removes prefixes such as proofpoint or safelinks wrappers, removes escaping from URLs, extracts the FQDN, etc.

Note

Formatting scripts for out-of-the-box indicator types are system level. This means that the formatting scripts for these indicator types are not configurable. To create a formatting script for an out-of-the-box indicator type, you need to disable the existing indicator type and create a new (custom) indicator type. If you configured a formatting script before this change and updated your content, this configuration will revert to content settings (empty).

Formatting Script Inputs

The formatting script requires the indicator value as the input argument. The input argument should be an array to accept multiple inputs and return an entry-result per input. The entry result per input can be a JSON array to create multiple indicators. If the entry result is an empty string, it is ignored and no indicator is created.

For example, the IP indicator type uses the UnEscapeIPs formatting script by default. The script takes the extracted IP addresses as its input and removes their escaping.

In ExtractEmailV2, which is used by the Email indicator type, the input is the email address. The ExtractAttackPattern script, which is used by the Attack Pattern indicator type, requires a comma-separated list of Attack Pattern IDs.

name: UnEscapeIPs
script: |
  // Replace every escaped dot ("[.]") in a single IP string with a real dot.
  function format_ip(ip) {
      return ip.replace(/\[\.\]/g, '.');
  }

  // Format each IP in the list, returning one result per input element.
  function format_ip_list(ip_list) {
      var len = ip_list.length;
      var formatted_ips = new Array(len);
      ip_list.forEach(function(the_ip, index) {
          formatted_ips[index] = format_ip(the_ip.trim());
      });
      return formatted_ips;
  }

  var ips;
  // It is assumed that args.input is a string; argToList splits it into an array
  var unformatted_ips = argToList(args.input);
  ips = format_ip_list(unformatted_ips);
  return ips;
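As an added example (not code from the original page or from the Cortex XSOAR content repository), the following JavaScript applies the input/output contract described above to a custom IP formatter: each element of the input array yields one entry result, an empty string means no indicator is created, and a JSON array string creates several indicators. The last-octet range form (10.0.0.1-3) and the sample input are assumptions made for this example, not features described in the guide.

```javascript
// Added example (not part of the original page or the XSOAR content repo).
// Contract from the guide: the formatting script receives an array of raw
// values and returns one entry result per input. An empty string means
// "create no indicator"; a JSON array string creates several indicators.

// Un-escape a defanged IPv4 address: 127[.]0[.]0[.]1 -> 127.0.0.1
function unescapeIp(value) {
  return value.replace(/\[\.\]/g, '.');
}

// Strict IPv4 check so that junk never reaches the Threat Intel database.
function isValidIpv4(ip) {
  var parts = ip.split('.');
  if (parts.length !== 4) return false;
  return parts.every(function (p) {
    return /^\d{1,3}$/.test(p) && Number(p) <= 255;
  });
}

// Format one raw input into its entry result:
//   ''                 -> invalid input, no indicator is created
//   '10.0.0.1'         -> one indicator
//   '["10.0.0.1",...]' -> several indicators (the "1-3" last-octet range
//   syntax is an assumption for this example, not a feature of the guide)
function formatOne(raw) {
  var ip = unescapeIp(raw.trim());
  var range = ip.match(/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$/);
  if (range) {
    var lo = Number(range[2]), hi = Number(range[3]);
    if (lo > hi || hi - lo > 15) return '';   // refuse inverted or oversized ranges
    var ips = [];
    for (var i = lo; i <= hi; i++) ips.push(range[1] + i);
    return ips.every(isValidIpv4) ? JSON.stringify(ips) : '';
  }
  return isValidIpv4(ip) ? ip : '';
}

// Entry point shape used by the guide: array in, one result per element.
function formatIpList(inputs) {
  return inputs.map(formatOne);
}

// Constructed sample input, shaped like the array argToList(args.input) yields.
var sampleInput = ['127[.]0[.]0[.]1', ' 10[.]0[.]0[.]1-3 ', '999.1.1.1', 'not-an-ip'];
console.log(formatIpList(sampleInput));
```

In a real Cortex XSOAR script the top-level code would end with `return formatIpList(argToList(args.input));` so that the platform receives one entry result per input.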

Formatting Script Outputs

The indicators appear in a human-readable format in Cortex XSOAR.