TIM - Run Enrichment For IP Indicators

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook processes indicators by enriching indicators based on the indicator feed's reputation, as specified in the playbook inputs. This playbook needs to be used with caution as it might use up the user enrichment integration's API license when running enrichment for large amounts of indicators.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

• Cymon
• Cylance_Protect
• Wildfire
• SecBI
• PhishMe
• SecurityAdvisor
• SlashNextPhishingIncidentResponse
• ArcSightESM
• CveInfo
• PaloAltoNetworksCortex
• LightCyberMagna
• jira
• DemistoLocking
• Malwr
• AzureCompute
• AzureSecurityCenter
• MISP
• AzureSecurityCenter_v2
• cisco-ise
• DemistoRESTAPI
• secdo
• Mimecast
• RiskSense
• Panorama
• KeyLight
• SymantecEndpointProtectionDeprecated
• Kenna
• Intezer
• BPA
• AzureCompute_v2
• Flashpoint
• PostgreSQL
• opswat-metadefender
• Mimecast-Auth
• Lastline
• Shodan
• PaloAltoNetworks_Traps
• PaloAlto_MineMeld
• AlienVaultOTX
• aws
• PaloAltoNetworks_PAN_OS_EDL_Management
• ProofpointTAP
• ExtraHop
• Pwned

Scripts

This playbook does not use any scripts.

Commands

• ip

Playbook Inputs

---

Name	Description	Default Value	Required
Indicator Query	Indicators matching the indicator query will be used as playbook input		Optional
EnrichBadIndicators	Enter a value of True to enrich indicators whose reputation from the feed is bad.		Optional
EnrichGoodIndicators	Enter a value of True to enrich indicators whose reputation from the feed is good.		Optional
EnrichSuspiciousIndicators	Enter a value of True to enrich indicators whose reputation from the feed is suspicious.		Optional
EnrichUnknownIndicators	Enter a value of True to enrich indicators whose reputation from the feed is unknown.		Optional

Playbook Outputs

---

There are no outputs for this playbook.

Playbook Image

---