Endpoint Enrichment - Generic v2.1

Enriches an endpoint by hostname using one or more integrations.

Supported integrations:

  • Active Directory Query v2
  • McAfee ePolicy Orchestrator
  • Carbon Black Enterprise Response v2
  • Cylance Protect v2
  • CrowdStrike Falcon Host
  • ExtraHop Reveal(x)

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Endpoint Enrichment - Cylance Protect v2

Integrations

  • epo
  • carbonblack-v2
  • Active Directory Query v2

Scripts

  • Exists

Commands

  • epo-find-system
  • extrahop-device-search
  • cb-sensor-info
  • ad-get-computer
  • cs-device-details
  • cs-device-search

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| Hostname | The hostname of the endpoint to enrich. | Hostname | Endpoint | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| Endpoint | The endpoint object of the endpoint that was enriched. | unknown |
| Endpoint.Hostname | The hostnames of the endpoints that were enriched. | string |
| Endpoint.OS | The operating systems running on the endpoints that were enriched. | string |
| Endpoint.IP | A list of the IP addresses of the endpoints. | unknown |
| Endpoint.MAC | A list of the MAC addresses of the endpoints that were enriched. | unknown |
| Endpoint.Domain | The domain names of the endpoints that were enriched. | string |
| CylanceProtectDevice | The device information about the hostname that was enriched using Cylance Protect v2. | unknown |
| ExtraHop.Device.Macaddr | The MAC address of the device. | String |
| ExtraHop.Device.DeviceClass | The class of the device. | String |
| ExtraHop.Device.UserModTime | The time of the most recent update, expressed in milliseconds since the epoch. | Number |
| ExtraHop.Device.AutoRole | The role automatically detected by ExtraHop. | String |
| ExtraHop.Device.ParentId | The ID of the parent device. | Number |
| ExtraHop.Device.Vendor | The device vendor. | String |
| ExtraHop.Device.Analysis | The level of analysis performed on the device. | string |
| ExtraHop.Device.DiscoveryId | The UUID given by the Discover appliance. | String |
| ExtraHop.Device.DefaultName | The default name of the device. | String |
| ExtraHop.Device.DisplayName | The display name of the device. | String |
| ExtraHop.Device.OnWatchlist | Whether the device is on the advanced analysis whitelist. | Boolean |
| ExtraHop.Device.ModTime | The time of the most recent update, expressed in milliseconds since the epoch. | Number |
| ExtraHop.Device.IsL3 | Indicates whether the device is a Layer 3 device. | Boolean |
| ExtraHop.Device.Role | The role of the device. | String |
| ExtraHop.Device.DiscoverTime | The time that the device was discovered. | Number |
| ExtraHop.Device.Id | The ID of the device. | Number |
| ExtraHop.Device.Ipaddr4 | The IPv4 address of the device. | String |
| ExtraHop.Device.Vlanid | The ID of the VLAN. | Number |
| ExtraHop.Device.Ipaddr6 | The IPv6 address of the device. | string |
| ExtraHop.Device.NodeId | The Node ID of the Discover appliance. | number |
| ExtraHop.Device.Description | A user-customizable description of the device. | string |
| ExtraHop.Device.DnsName | The DNS name associated with the device. | string |
| ExtraHop.Device.DhcpName | The DHCP name associated with the device. | string |
| ExtraHop.Device.CdpName | The Cisco Discovery Protocol name associated with the device. | string |
| ExtraHop.Device.NetbiosName | The NetBIOS name associated with the device. | string |
| ExtraHop.Device.Url | Link to the device details page in ExtraHop. | string |
