topic Re: Need help on extract indicators from Email body in Cortex XSOAR Discussions

Need help on extract indicators from Email body

Priyash7 — Thu, 02 Sep 2021 17:45:36 GMT

Hello Team,

I have developed a playbook which extract indicators like IP,URL,Domain and Hash from Email body.

but in some cases extract indicators and other automation which are available in xsoar cannot extract domains.

can anyone suggest me how to extract domains from Email body.

Re: Need help on extract indicators from Email body

DougCouch — Thu, 02 Sep 2021 18:41:28 GMT

Extracting domains is a difficult task. If you consider that a domain can almost be anything separated by a "." it gets very difficult to design a regular expression that can extract that without getting a lot of false positives.

Typically the way things are handled by XSOAR out of the box is that we first identify either email addresses (email@domain) or a URL (http://domain/otherstuff) and pull the domains out of those. If you are able to identify a regular expression that could effectively grab a domain out of a normal email without catching other stuff as well you can create a custom regex in the domain indicator type.

I'm not sure there's a great solution here I just wanted to help identify why it's a tricky problem!

I hope that helps!

Re: Need help on extract indicators from Email body

slabu — Wed, 15 Mar 2023 02:13:36 GMT

Hi DougCouch,

I have face similar issues, I want to extract the indicator from PDF file. is it the same method that i can use to create the regex expression to extract domain that have - and also [.] ? is there any document or tutorial on that ?

Re: Need help on extract indicators from Email body

nikoolayy1 — Thu, 16 Mar 2023 08:41:03 GMT

Better open your own discussion than using answered discussion.Till then you can see this nice clip about indicators by palo alto https://www.youtube.com/watch?v=DVGWeYJMDQQ&t=375s 😉