Need help on extract indicators from Email body


L0 Member

Hello Team,

I have developed a playbook which extracts indicators like IP, URL, Domain and Hash from an Email body.

But in some cases Extract Indicators and the other automations available in XSOAR cannot extract domains.

Can anyone suggest to me how to extract domains from an Email body?

 

Priyash A. Mali
Accepted Solutions

L2 Linker

Extracting domains is a difficult task.  If you consider that a domain can almost be anything separated by a "." it gets very difficult to design a regular expression that can extract that without getting a lot of false positives.

 

Typically the way things are handled by XSOAR out of the box is that we first identify either email addresses (email@domain) or a URL (http://domain/otherstuff) and pull the domains out of those.  If you are able to identify a regular expression that could effectively grab a domain out of a normal email without catching other stuff as well you can create a custom regex in the domain indicator type.  

I'm not sure there's a great solution here; I just wanted to help identify why it's a tricky problem!

I hope that helps!

Doug Couch  |  XSOAR Customer Success Engineer - Manager
Palo Alto Networks  |  3000 Tannery Way  |  Santa Clara, CA 95054  


Hi DougCouch,

I have faced similar issues. I want to extract the indicators from a PDF file. Is it the same method that I can use to create the regex expression to extract domains that have - and also [.]? Is there any document or tutorial on that?

Better open your own discussion than using an answered discussion. Till then you can see this nice clip about indicators by Palo Alto https://www.youtube.com/watch?v=DVGWeYJMDQQ&t=375s 😉
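As an added example (not code from this thread and not XSOAR's own Extract Indicators logic), here is the two-stage approach Doug describes written in Python, the language XSOAR automations are written in: pull domains out of URLs and email addresses first (high confidence), and only then look for bare domains with a TLD allow-list to keep false positives down. It also refangs the `[.]` and `hxxp` notation and accepts hyphenated labels, which the follow-up about PDF text asked about. The sample email body, the `KNOWN_TLDS` set and the function names are all constructed for illustration and are not from the thread.

```python
import re
from typing import Dict, Set

# Constructed sample email body (not from the thread). It mixes a plain URL,
# an email address, a defanged URL (hxxp + [.]), a defanged bare domain with a
# hyphenated label, and "word.number" noise that must NOT be extracted.
SAMPLE_BODY = """\
Hi team, please review the invoice at https://billing.example-corp.com/inv/42
and reply to accounts@mail.example.org. The sample called out to
hxxp://evil-update[.]example[.]net/payload and to login[.]secure-portal[.]co[.]uk.
Regards, J. Smith (v2.0 of the report, see section 3.1 etc.)
"""

# Constructed allow-list; a real deployment would use the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "co", "uk", "io"}

# One DNS label: alphanumerics, hyphens allowed inside only, 1-63 chars.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A domain: one or more labels, then an alphabetic TLD of at least 2 chars.
DOMAIN = rf"(?:{LABEL}\.)+[A-Za-z]{{2,63}}"

# Group 1 in each pattern is the domain part.
URL_RE = re.compile(rf"https?://({DOMAIN})(?::\d+)?(?:/[^\s<>]*)?", re.IGNORECASE)
EMAIL_RE = re.compile(rf"[A-Za-z0-9._%+-]+@({DOMAIN})")
# Bare domain: not glued to a preceding word/@/dot, not followed by more label text.
BARE_RE = re.compile(rf"(?<![\w@.-])({DOMAIN})(?![\w-])")


def refang(text: str) -> str:
    """Undo the analyst-style defanging ([.], (.), {.} and hxxp://)."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def extract_domains(body: str) -> Dict[str, Set[str]]:
    """Return domains grouped by how confidently they were identified."""
    text = refang(body)
    found: Dict[str, Set[str]] = {"from_url": set(), "from_email": set(), "bare": set()}

    for m in URL_RE.finditer(text):
        found["from_url"].add(m.group(1).lower())
    for m in EMAIL_RE.finditer(text):
        found["from_email"].add(m.group(1).lower())

    # Blank out the URL and email spans (same length, so offsets stay valid)
    # so the bare-domain pass does not re-report what we already found.
    remainder = URL_RE.sub(lambda m: " " * len(m.group(0)), text)
    remainder = EMAIL_RE.sub(lambda m: " " * len(m.group(0)), remainder)

    # Bare domains are where the false positives live, so require a known TLD.
    for m in BARE_RE.finditer(remainder):
        dom = m.group(1).lower()
        if dom.rsplit(".", 1)[-1] in KNOWN_TLDS:
            found["bare"].add(dom)
    return found


if __name__ == "__main__":
    for source, domains in extract_domains(SAMPLE_BODY).items():
        print(f"{source}: {sorted(domains)}")
```

Run against the constructed body, the two URLs and the email address yield three domains with high confidence, the defanged `login[.]secure-portal[.]co[.]uk` is recovered as a lower-confidence bare match, and `v2.0`, `3.1` and `J.` are rejected because the TLD must be alphabetic and on the allow-list. In XSOAR the same regex can back a custom Domain indicator type, but it is worth keeping the bare-domain matches in their own tier so a noisy hit does not automatically become an indicator with the same weight as one carved out of a URL.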
