Indicator Extraction Modes

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-14
Category: Threat Intel Management Guide
Solution: Cloud
Abstract

Configure the indicator extraction mode. Options are none (no extraction), inline, out-of-band, or use system default.

Indicator extraction supports the following modes:

  • None: Indicators are not extracted automatically. Use this option when you do not want to evaluate the indicators.

  • Inline: Indicators are extracted synchronously, within the same context in which indicator extraction runs, and the findings are added to the context data. For example, if you define indicator extraction for the phishing incident type as inline:

    • For incident creation, by default, the playbook assigned to the incident type does not run until the indicators have been extracted.

    • For a field change, extraction occurs before the next playbook tasks run. Use this option when you need the most complete information available per indicator.

      Note

      This configuration may delay playbook execution (and incident creation). While indicator creation is asynchronous, indicator extraction and enrichment run synchronously. Data is placed into the incident context and is available to subsequent tasks through the context.

  • Out of band: Indicators are extracted in parallel with (asynchronously to) other actions. The extracted data is available within the incident, but because it is not available in real time it cannot be used immediately in task inputs or outputs.

    For incident creation, out of band is used in the rare cases where the playbook flow does not need the extracted indicators, but you still want to extract them and save them in the system as indicators so that they can be reviewed manually at a later stage. System performance may be better because the playbook flow does not stop to extract, but if the incident contains indicators that are needed or expected in the subsequent playbook execution flow, use inline, which does not execute the playbook until all indicators have been extracted from the incident.

    Note

    When using Out of band, the extracted indicators do not appear in the context. If you want the extracted indicators to appear in the context, select Inline.
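The difference between the Inline and Out of band modes described above is easiest to see in code. The following is an added example, not Cortex XSOAR product code: it simulates an incident being created under each mode and runs a single playbook task that reads ExtractedIndicators from context. The incident values, the four regular expressions, the mode names and the ExtractedIndicators key are all constructed for this illustration; real extraction is configured per incident type and field and matches far more indicator types than these.

```python
# Added example (not Cortex XSOAR product code): simulate how the Inline,
# Out of band and None extraction modes change what a playbook task can see
# in the incident context. All values below are constructed for illustration.
import re
import threading

# Constructed sample incident; the addresses and host names are illustrative only.
SAMPLE_INCIDENT = {
    "id": "12345",
    "type": "Phishing",
    "details": (
        "User reported mail from billing@invoice-portal[.]example linking to "
        "hxxp://invoice-portal[.]example/login; sending host was 198.51.100.23."
    ),
}

# Minimal IOC patterns (constructed); product extraction rules are much richer.
IOC_PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Email": re.compile(r"[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I),
    "URL": re.compile(r"https?://[^\s\"'<>;]+", re.I),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
}


def refang(text: str) -> str:
    """Undo common defanging ([.] and hxxp) so the patterns above can match."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_indicators(text: str) -> dict:
    """Return {indicator type: sorted unique values} for every pattern that matched."""
    clean = refang(text)
    found = {}
    for ioc_type, pattern in IOC_PATTERNS.items():
        values = sorted(set(pattern.findall(clean)))
        if values:
            found[ioc_type] = values
    return found


def count_indicators(extracted: dict) -> int:
    """Total number of indicator values across all types."""
    return sum(len(values) for values in extracted.values())


def run_incident(incident: dict, mode: str) -> dict:
    """Create an incident under the given extraction mode and run one playbook
    task that reads ExtractedIndicators from context. Reports how many
    indicators that task could see and how many are stored once the run ends."""
    context = {"incident": incident}
    task_done = threading.Event()  # the background worker finishes only after task 1 ran

    def extractor():
        context["ExtractedIndicators"] = extract_indicators(incident["details"])

    def background_extractor():
        task_done.wait()  # models extraction still running while the playbook proceeds
        extractor()

    worker = None
    if mode == "inline":
        extractor()  # playbook is blocked until extraction returns
    elif mode == "out-of-band":
        worker = threading.Thread(target=background_extractor)
        worker.start()  # playbook starts immediately; extraction runs alongside it
    elif mode != "none":
        raise ValueError(f"unknown extraction mode: {mode}")

    # Playbook task 1: whatever is in context right now is all it can use.
    seen_by_task = count_indicators(context.get("ExtractedIndicators", {}))
    task_done.set()
    if worker is not None:
        worker.join()  # out-of-band results land in the incident later

    return {
        "mode": mode,
        "seen_by_first_task": seen_by_task,
        "stored_after_run": count_indicators(context.get("ExtractedIndicators", {})),
    }


if __name__ == "__main__":
    for selected_mode in ("inline", "out-of-band", "none"):
        print(run_incident(SAMPLE_INCIDENT, selected_mode))
```

Under "inline" the first task already sees all four constructed indicators; under "out-of-band" it sees none even though all four are stored by the time the run finishes, which is exactly why a playbook that consumes extracted indicators in its task inputs needs Inline; under "none" nothing is extracted at all.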

  • Use system default: Indicators are extracted according to the following defaults:

    Component              Description                                                   Default
    ---------------------  ------------------------------------------------------------  -----------
    Incident creation      Sets the indicator extraction mode for incident creation.     Inline
                           It extracts from all associated fields at the point of
                           incident creation. You can change the value when editing an
                           incident type, which overrides this system configuration
                           for this incident type.
    Incident field change  Sets the indicator extraction mode for incident field         Out of band
                           change. You can change the value when editing an incident
                           type, which overrides this system configuration for this
                           incident type.
    Tasks                  Applies to the result of the task. You can change the value   None
                           when editing a task, which overrides the system
                           configuration for this task.
    Manual                 Applies to commands triggered from the CLI. You can change    Out of band
                           the value when using the indicator extraction parameter,
                           which overrides the system configuration for this command.