09-02-2021 10:45 AM
Hello Team,
I have developed a playbook which extracts indicators like IP, URL, Domain and Hash from the email body.
But in some cases the extract indicators automation and the other automations available in XSOAR cannot extract domains.
Can anyone suggest to me how to extract domains from the email body?
09-02-2021 11:41 AM
Extracting domains is a difficult task. If you consider that a domain can almost be anything separated by a "." it gets very difficult to design a regular expression that can extract that without getting a lot of false positives.
Typically the way things are handled by XSOAR out of the box is that we first identify either email addresses (email@domain) or a URL (http://domain/otherstuff) and pull the domains out of those. If you are able to identify a regular expression that could effectively grab a domain out of a normal email without catching other stuff as well you can create a custom regex in the domain indicator type.
I'm not sure there's a great solution here; I just wanted to help identify why it's a tricky problem!
I hope that helps!
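The two-step approach described in the reply above (find URLs and e-mail addresses first, then pull the host out of those, and only accept hosts that pass an anchored domain pattern) as an added, stand-alone example. This is not XSOAR's own extractIndicators code and not something the poster wrote; it is plain Python, with a constructed sample email body, and it also refangs `[.]`, `[dot]`, `[at]` and `hxxp` before matching so that defanged indicators and hyphenated labels are picked up. The function and pattern names (`extract_domains`, `_DOMAIN_RE`, etc.) are this example's own.

```python
"""Pull domain indicators out of an email body by way of URLs and e-mail
addresses, rather than matching "anything with a dot" (which, as the
reply above notes, drowns in false positives such as version numbers).
Added example; not XSOAR's own extractIndicators implementation."""
import ipaddress
import re
from urllib.parse import urlsplit

# Refang substitutions: defanged indicators ("hxxp://evil[.]example") would
# otherwise never match a URL or e-mail pattern.
_REFANG = (
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE), "."),
    (re.compile(r"\bhxxp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\[@\]|\(@\)|\[at\]", re.IGNORECASE), "@"),
)

# Step 1: find the carriers (URLs with a scheme, e-mail addresses).
_URL_RE = re.compile(r"\bhttps?://[^\s<>\"'`]+", re.IGNORECASE)
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+)")

# Step 2: accept only hosts that look like a DNS name. One label is 1-63
# characters of alphanumerics/hyphens with no leading or trailing hyphen;
# the last label (TLD) must be alphabetic. Anchored, so "2.0.1" is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+[A-Za-z]{{2,63}}$")


def refang(text: str) -> str:
    """Undo the common defanging conventions so the carrier regexes match."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def is_ip(host: str) -> bool:
    """IP literals are a separate indicator type, not domains."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def valid_domain(host: str) -> bool:
    return len(host) <= 253 and not is_ip(host) and bool(_DOMAIN_RE.match(host))


def extract_domains(body: str) -> list[str]:
    """Return the sorted, de-duplicated domains found via URLs and e-mails."""
    text = refang(body)
    found: set[str] = set()
    for m in _URL_RE.finditer(text):
        # Drop sentence punctuation that the greedy URL match swallowed.
        url = m.group(0).rstrip(".,;:!?)]}>\"'")
        try:
            host = urlsplit(url).hostname  # strips userinfo, port, path; lowercases
        except ValueError:
            continue
        if host and valid_domain(host):
            found.add(host)
    for m in _EMAIL_RE.finditer(text):
        host = m.group(1).rstrip(".").lower()
        if valid_domain(host):
            found.add(host)
    return sorted(found)


# Constructed sample email body (not a real message): mixes defanged
# indicators, a hyphenated domain, an IP-based URL and dotted non-domains.
SAMPLE_BODY = """From: IT Helpdesk <it-helpdesk@corp-mail.example.com>
Your mailbox is almost full. Re-validate it at
hxxp://login-portal[.]example-secure[.]net/verify?id=1234 before 5.00 pm.
Alternate: https://192.0.2.10/reset (internal IP, not a domain indicator).
Questions? Write to billing[at]invoices.example.org, or see www.example.com.
Ref: build 2.0.1, ticket 10.0.0.1."""

if __name__ == "__main__":
    for domain in extract_domains(SAMPLE_BODY):
        print(domain)
```

Note what the sample deliberately leaves out: the bare `www.example.com` is not returned, because it has no URL scheme or `@` in front of it; this is the trade-off the reply describes, and widening the carrier patterns to bare hostnames is exactly where the false positives (`5.00`, `2.0.1`, `10.0.0.1`) start to creep in. The anchored `_DOMAIN_RE` is the kind of pattern you would adapt if you do decide to add a custom regex to the domain indicator type; how that is configured in your XSOAR version is an assumption left to the product documentation.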
03-14-2023 07:13 PM
Hi DougCouch,
I have faced similar issues. I want to extract the indicators from a PDF file. Is it the same method that I can use to create the regex expression to extract domains that have "-" and also "[.]"? Is there any document or tutorial on that?
03-16-2023 01:41 AM
Better to open your own discussion than to use an answered discussion. Till then, you can see this nice clip about indicators by Palo Alto: https://www.youtube.com/watch?v=DVGWeYJMDQQ&t=375s 😉