Entity Enrichment - Generic v2

Enriches entities using one or more integrations.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Email Address Enrichment - Generic v2.1
  • Domain Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • IP Enrichment - Generic v2
  • Endpoint Enrichment - Generic v2.1
  • URL Enrichment - Generic v2
  • File Enrichment - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| IP | The IP addresses to enrich. | Address | IP | Optional |
| InternalRange | The list of internal IP address ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the integration will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges). | - | - | Optional |
| MD5 | The MD5 hash to enrich. | MD5 | File | Optional |
| SHA256 | The SHA256 hash to enrich. | SHA256 | File | Optional |
| SHA1 | The SHA1 hash to enrich. | SHA1 | File | Optional |
| URL | The URL to enrich. | Data | URL | Optional |
| Email | The email addresses to enrich. | Email.Address | Account | Optional |
| Hostname | The hostname to enrich. | Hostname | Endpoint | Optional |
| Username | The username to enrich. | Username | Account | Optional |
| Domain | The domain name to enrich. | Name | Domain | Optional |
| ResolveIP | Whether the "IP Enrichment - Generic" playbook should convert IP addresses to hostnames using a DNS query. Can be either "True" or "False". | False | - | Optional |
| InternalDomains | A CSV list of internal domains. The list will be used to determine whether an email address is "Internal" or "External". | - | - | Optional |
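The InternalRange and InternalDomains inputs each drive a classification decision in a sub-playbook. The block below is an added example, not code from this playbook or from XSOAR, that reproduces both decisions offline: whether an IP falls inside the comma-separated CIDR list (falling back to the IPv4 private ranges the page says IsIPInRanges defaults to), and whether an email address is "Internal" or "External" along with the distance from its domain to each internal domain. The page does not name a distance metric; Levenshtein edit distance and the extra "Lookalike" flag are this example's assumptions.

```python
"""Added example, not part of the Entity Enrichment playbook or of XSOAR.

Reproduces the two classification decisions the InternalRange and
InternalDomains inputs drive. The fallback ranges are the IPv4 private ranges
the page says IsIPInRanges defaults to; the Levenshtein metric and the
Lookalike flag are this example's assumptions.
"""
import ipaddress

# Assumption: same fallback the page describes for IsIPInRanges (RFC 1918 ranges).
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"


def parse_ranges(csv_ranges=None):
    """Comma-separated CIDR string -> network objects. Blank entries are skipped;
    strict=False accepts ranges written with host bits set (e.g. 10.1.2.3/8)."""
    raw = csv_ranges if csv_ranges else DEFAULT_INTERNAL_RANGES
    return [ipaddress.ip_network(r.strip(), strict=False)
            for r in raw.split(",") if r.strip()]


def is_internal_ip(ip, csv_ranges=None):
    """True when ip lies inside any configured range. An IPv6 address is never
    'in' an IPv4 network (ipaddress returns False), so v6 inputs are external
    unless v6 ranges are configured."""
    addr = ipaddress.ip_address(ip.strip())
    return any(addr in net for net in parse_ranges(csv_ranges))


def levenshtein(a, b):
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_email(address, csv_internal_domains, lookalike_threshold=2):
    """Return an Account.Email-shaped dict: NetworkType is Internal only on an
    exact (case-insensitive) domain match; Distance lists the edit distance to
    every internal domain. Lookalike (assumption, not a playbook field) flags
    external domains within lookalike_threshold edits of an internal one."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    internal = [d.strip().lower()
                for d in (csv_internal_domains or "").split(",") if d.strip()]
    distances = [{"Domain": d, "Value": levenshtein(domain, d)} for d in internal]
    network_type = "Internal" if domain in internal else "External"
    nearest = min((d["Value"] for d in distances), default=None)
    return {
        "Address": address,
        "NetworkType": network_type,
        "Distance": distances,
        "Lookalike": (network_type == "External" and nearest is not None
                      and nearest <= lookalike_threshold),
    }


if __name__ == "__main__":
    for ip in ("10.20.30.40", "203.0.113.7"):
        print(ip, "internal" if is_internal_ip(ip) else "external")
    print(classify_email("alice@examp1e.com", "example.com,corp.example.net"))
```

A small edit distance to an internal domain on an address classified "External" is the typosquat pattern (examp1e.com against example.com), which is why the distance is worth carrying in context rather than only the Internal/External label.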

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| IP | The IP address object. | unknown |
| Endpoint | The endpoint object. | unknown |
| Endpoint.Hostname | The hostname that was enriched. | string |
| Endpoint.OS | The endpoint's operating system. | string |
| Endpoint.IP | A list of endpoint IP addresses. | unknown |
| Endpoint.MAC | A list of endpoint MAC addresses. | unknown |
| Endpoint.Domain | The endpoint domain name. | string |
| DBotScore | The DBotScore object. | unknown |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Score | The actual score. | number |
| File | The file object. | unknown |
| File.SHA1 | The SHA1 hash of the file. | string |
| File.SHA256 | The SHA256 hash of the file. | string |
| File.MD5 | The MD5 hash of the file. | string |
| File.Malicious | Whether the file is malicious. | unknown |
| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
| URL | The URL object. | unknown |
| URL.Data | The enriched URL. | string |
| URL.Malicious | Whether the detected URL was malicious. | unknown |
| URL.Vendor | The vendor that labeled the URL as malicious. | string |
| URL.Description | Additional information for the URL. | string |
| Domain | The domain object. | unknown |
| Account | The account object. | unknown |
| Account.Email | The email of the account. | unknown |
| Account.Email.NetworkType | The email account network type. Can be "Internal" or "External". | string |
| Account.Email.Distance | The object that contains the distance between the email domain and the compared domain. | unknown |
| Account.Email.Distance.Domain | The compared domain. | string |
| Account.Email.Distance.Value | The distance between the email domain and the compared domain. | number |
| ActiveDirectory.Users | An object containing information about the user from Active Directory. | unknown |
| ActiveDirectory.Users.sAMAccountName | The user's sAMAccountName. | unknown |
| ActiveDirectory.Users.userAccountControl | The user's account control flag. | unknown |
| ActiveDirectory.Users.mail | The user's email address. | unknown |
| ActiveDirectory.Users.memberOf | The groups the user is a member of. | unknown |
| CylanceProtectDevice | The device information about the hostname that was enriched using Cylance Protect v2. | unknown |
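Because this playbook fans one indicator out to several sub-playbooks and integrations, DBotScore comes back as a list with one entry per (indicator, vendor) pair, and a downstream step has to collapse that list into a verdict. The block below is an added example, not part of this playbook or of XSOAR, showing one way to do that. The 0 to 3 scale is XSOAR's DBotScore scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad); treating 0 as "no data" rather than "clean" and letting the worst vendor score win are this example's policy choices, not something the page specifies. The sample entries and hash are constructed.

```python
"""Added example, not part of the Entity Enrichment playbook or of XSOAR.

Collapses the multi-vendor DBotScore list this playbook emits into one
verdict per indicator. Scale is XSOAR's (0 Unknown, 1 Good, 2 Suspicious,
3 Bad). Policy (assumption): ignore 0 when picking the worst score, so a
vendor with no data cannot mask a Good verdict, and never average scores.
"""
from collections import defaultdict

SCORE_LABELS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Constructed sample: one file hash and one URL, each seen by two vendors.
# The hash is a placeholder, not a real sample.
SAMPLE_DBOTSCORES = [
    {"Indicator": "0123456789abcdef0123456789abcdef", "Type": "file",
     "Vendor": "VendorA", "Score": 1},
    {"Indicator": "0123456789abcdef0123456789abcdef", "Type": "file",
     "Vendor": "VendorB", "Score": 3},
    {"Indicator": "http://example.test/login", "Type": "url",
     "Vendor": "VendorA", "Score": 0},
    {"Indicator": "http://example.test/login", "Type": "url",
     "Vendor": "VendorC", "Score": 2},
]


def verdicts(dbotscores):
    """Group DBotScore entries by (Indicator, Type). The worst non-zero score
    wins; vendors that scored 3 are listed so a File.Malicious.Vendor-style
    field can name them; VendorsWithData shows how many vendors actually
    had an opinion (a lone Score 0 is Unknown, not Good)."""
    grouped = defaultdict(list)
    for entry in dbotscores:
        grouped[(entry["Indicator"], entry["Type"])].append(entry)

    out = {}
    for key, entries in grouped.items():
        rated = [e for e in entries if e["Score"] > 0]
        worst = max((e["Score"] for e in rated), default=0)
        out[key] = {
            "Score": worst,
            "Label": SCORE_LABELS[worst],
            "MaliciousVendors": sorted(e["Vendor"] for e in entries if e["Score"] == 3),
            "VendorsWithData": len(rated),
        }
    return out


def malicious_indicators(dbotscores):
    """Indicators at least one vendor rated Bad, with the vendors that said so."""
    return {key[0]: v["MaliciousVendors"]
            for key, v in verdicts(dbotscores).items() if v["Score"] == 3}


if __name__ == "__main__":
    for (indicator, itype), v in verdicts(SAMPLE_DBOTSCORES).items():
        print(f"{itype:4} {indicator}: {v['Label']} "
              f"({v['VendorsWithData']} vendor(s) with data, bad: {v['MaliciousVendors']})")
```

Keeping the per-vendor list intact and deriving the verdict from it, rather than overwriting a single score as each sub-playbook finishes, is what lets the File.Malicious.Vendor and URL.Vendor outputs above say which source made the call.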

Playbook Image


Entity_Enrichment_Generic_v2