The core issue described isexcessive indicator extraction, causing rate-limit exhaustion on reputation services and overpopulation of indicators within the incident. According to XSOAR’s Indicator Extraction documentation, task-level extraction settings override incident-level defaults. Here, Task 1 (ad-get-user) is configured withIndicator Extract Mode: Inline, meaning every attribute returned by Active Directory—often extremely large datasets—triggers automatic IOC extraction. This leads to unnecessary extraction of usernames, metadata, and system fields that are not threat indicators, resulting in inflated indicator counts and reputation lookups.

Setting Task 1’s extraction mode toNoneprevents extraction of indicators from this verbose command, preventing both rate limiting and IOC bloating.

Changing incident-type defaults (A) does not override explicit task-level extraction. Setting extraction to inline on ServiceNow (C) worsens the problem. Disabling “mark results as notes” (D) has no effect on extraction; notes only influence whether context is stored.

Therefore, per XSOAR’s documented extraction hierarchy, the correct mitigation is to setad-get-user → Indicator Extract Mode = None, makingBthe correct answer.