IP Enrichment - External - Generic v2

Enriches IP addresses using one or more integrations.

  • Resolve IP addresses to hostnames (DNS)
  • Provide threat information
  • Separate internal and external addresses

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • VirusTotal - Private API

Scripts

  • IPToHost
  • IsIPInRanges

Commands

  • threat-crowd-ip
  • vt-private-get-ip-report

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| IP | The IP address to enrich. | Address | IP | Optional |
| InternalRange | A CSV list of IP address ranges (in CIDR notation). Use this list to check whether an IP address falls within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the default list from the IsIPInRanges script (the known IPv4 private address ranges) is used. | inputs.InternalRange | - | Optional |
| ResolveIP | Whether to convert the IP address to a hostname using a DNS query (True/False). | None | inputs.ResolveIP | Required |
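
The internal/external split that the InternalRange input controls can be reproduced offline as follows. This is an added example, not the IsIPInRanges script's own code: the function names, the `DEFAULT_INTERNAL_RANGES` constant and the sample addresses are constructed for illustration, and the default list is assumed to be the three private ranges quoted in the input description.

```python
import ipaddress

# Assumed fallback: the IPv4 private ranges quoted in the InternalRange description.
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"

# Constructed sample input (not taken from any real incident).
SAMPLE_IPS = ["10.1.2.3", "172.31.255.254", "172.32.0.1", "8.8.8.8",
              "192.168.1.10", "not-an-ip", "2001:db8::1"]


def parse_ranges(csv_ranges=None):
    """Parse a CSV list of CIDR ranges; use the default list when none is given."""
    text = csv_ranges if csv_ranges and csv_ranges.strip() else DEFAULT_INTERNAL_RANGES
    networks = []
    for item in text.split(","):
        item = item.strip().strip('"')
        if item:
            # A malformed range raises ValueError on purpose: silently dropping
            # it would make internal hosts look external and send them to
            # third-party enrichment.
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def split_internal_external(ips, csv_ranges=None):
    """Classify each address as internal, external, or invalid."""
    networks = parse_ranges(csv_ranges)
    result = {"internal": [], "external": [], "invalid": []}
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            result["invalid"].append(raw)
            continue
        # Compare only against ranges of the same IP version.
        inside = any(addr.version == net.version and addr in net
                     for net in networks)
        result["internal" if inside else "external"].append(str(addr))
    return result


if __name__ == "__main__":
    for bucket, members in split_internal_external(SAMPLE_IPS).items():
        print(f"{bucket}: {members}")
```

With the default list, an IPv6 address such as `2001:db8::1` is classified as external because the defaults cover IPv4 only; add IPv6 CIDR ranges to the list if internal IPv6 hosts must be kept out of external lookups.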

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| IP | The IP address objects. | unknown |
| DBotScore | The Indicator, Score, Type, and Vendor. | unknown |
| Endpoint | The Endpoint's object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.OS | The Endpoint operating system. | string |
| Endpoint.IP | A list of Endpoint IP addresses. | unknown |
| Endpoint.MAC | A list of Endpoint MAC addresses. | unknown |
| Endpoint.Domain | The Endpoint domain name. | string |
