Feature Request : ExtractIT


Can I suggest a feature request for ExtractIt?
The ability to extract CVEs.

Use Case:
I have an email subscription to US-CERT; within this email are multiple CVEs I'd like to extract from the body of the email.
Once extracted, I can then use other methods to look up the CVEs against InsightVM.


I love this idea - expanding extract-it to handle a broader set of data makes sense. What do you think of also implementing a deduplicate function in extractit?


I like the idea of a deduplicate, would it be a checkbox on/off…?
For example, I'll use the use case above: if there were multiple of the same CVEs in an email, the ability to extract the CVEs as a whole (with duplicates) or extract with the deduplicate on…

Also, I'll add that I've found it difficult to extract any data from an email body… So the ability to extract, maybe based on regex?

Have you looked at the pattern match step? It’s designed to extract data based on regex. Developing and Debugging Regex for the Pattern Match Step

I used pattern matching; it doesn't say anything about extracting, does it?

The output of pattern matching is:

  • boolean: {{["CVEs"].[$matched]}} - True if a match exists

Something else that will help, that’s on our backlog (not sure on the ETA). We are going to have the email plugins pump this information out automatically at some point. URLs, Emails, Links, etc… as indicators to more easily feed into your other threat hunting tools.

With pattern-match, it constructs the outputs from the regex. The idea is you write regular regex, then reformat the capture groups into “ICON capture groups” that contain a name. This name becomes the variable output by the step.

For example, you have a list of vulnerabilities like this:
Vulnerability: CVE-2017-0108
Vulnerability: CVE-2019-9098

You'd use regular regex to extract the CVE like so: Vulnerability:\s+(CVE-\d{4}-\d{4})
In ICON, to extract the CVE into a variable called CVE, you'd replace the ( with {{CVE:/ and the ) with /}}, so your regex would be Vulnerability:\s+{{CVE:/CVE-\d{4}-\d{4}/}}

Once you’ve put an “ICON named capture group” inside the regex, the step output will automatically update to include the variable. If you select “multiple matches” checkbox, it’ll output an array of strings for the variable. If “multiple matches” is unchecked, it’ll output just a string with the first match.
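To make the two ideas in this thread concrete (the ICON named capture group described in the last post, and the deduplicate checkbox discussed earlier), here is an added Python example. It is not InsightConnect's own code: it assumes, as an approximation, that an ICON group {{NAME:/.../}} behaves like a Python named group (?P<NAME>...), and the email body below is a constructed sample, not a real US-CERT bulletin.

```python
import re

# Constructed sample email body (not a real bulletin). The repeated CVE gives
# the deduplicate option something to do.
SAMPLE_EMAIL = """\
Vulnerability: CVE-2017-0108
Vulnerability: CVE-2019-9098
Vulnerability: CVE-2017-0108
"""

# The pattern from the thread: a plain regex whose capture group was rewritten
# as an ICON named capture group {{CVE:/.../}}.
ICON_PATTERN = r"Vulnerability:\s+{{CVE:/CVE-\d{4}-\d{4}/}}"

# Matches one ICON named capture group: {{NAME:/inner-regex/}}.
# Assumption: the inner regex never contains the sequence "/}}".
_ICON_GROUP = re.compile(r"\{\{(\w+):/(.*?)/\}\}")


def icon_to_python(pattern: str) -> str:
    """Translate ICON {{NAME:/.../}} groups into Python (?P<NAME>...) groups.

    Assumption (not stated on the page): this is an approximation of how the
    pattern match step treats the group, sufficient to reproduce the outputs
    the thread describes.
    """
    # A function replacement is used so backslashes in the inner regex are
    # copied literally rather than interpreted as re.sub escapes.
    return _ICON_GROUP.sub(lambda m: f"(?P<{m.group(1)}>{m.group(2)})", pattern)


def pattern_match(text: str, icon_pattern: str, multiple_matches: bool = False,
                  deduplicate: bool = False) -> dict:
    """Mimic the step output: "$matched" plus one key per ICON group name.

    multiple_matches=False -> the first match as a string (None if no match)
    multiple_matches=True  -> a list of strings, optionally de-duplicated in
                              first-seen order (the checkbox discussed above)
    """
    regex = re.compile(icon_to_python(icon_pattern))
    names = list(regex.groupindex)  # ICON group names, in pattern order
    matches = list(regex.finditer(text))
    out = {"$matched": bool(matches)}
    for name in names:
        values = [m.group(name) for m in matches]
        if deduplicate:
            values = list(dict.fromkeys(values))  # keeps first occurrence
        if multiple_matches:
            out[name] = values
        else:
            out[name] = values[0] if values else None
    return out


if __name__ == "__main__":
    print(pattern_match(SAMPLE_EMAIL, ICON_PATTERN))
    print(pattern_match(SAMPLE_EMAIL, ICON_PATTERN, multiple_matches=True))
    print(pattern_match(SAMPLE_EMAIL, ICON_PATTERN, multiple_matches=True,
                        deduplicate=True))
```

One caveat worth carrying into the real step: the inner regex in the thread uses \d{4} for the sequence number, which matches the two example IDs but not CVE IDs whose sequence number has five or more digits (allowed since 2014); \d{4,} is the safer choice when the input is a live bulletin feed.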