Skip to main content

Access Investigation - Generic

This Playbook is part of the Access Investigation Pack.#

This playbook investigates an access incident by gathering user and IP information.

The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Active Directory - Get User Manager Details
  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1


This playbook does not use any integrations.


  • EmailAskUser
  • AssignAnalystToIncident


  • setIncident
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
SrcIPThe source IP address from which the incident originated.incident.srcOptional
DstIPThe target IP address that was accessed.incident.destOptional
UsernameThe username of the account that was used to access the DstIP.incident.srcuserOptional
RoleThe default role to assign the incident to.AdministratorRequired
OnCallSet to true to assign only the users that are currently on shift. Requires Cortex XSOAR v5.5 or later.falseOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes).lists.PrivateIPsOptional

Playbook Outputs#

Account.Email.AddressThe email address object associated with the Accountstring
DBotScoreIndicator, Score, Type, Vendorunknown
Account.IDThe unique Account DN (Distinguished Name)string
Account.UsernameThe Account usernamestring
Account.EmailThe email address associated with the Accountunknown
Account.TypeType of the Account entitystring
Account.GroupsThe groups the Account is part ofunknown
AccountAccount objectunknown
Account.DisplayNameThe Account display namestring
Account.ManagerThe Account's managerstring
DBotScore.IndicatorThe indicator valuestring
DBotScore.TypeThe indicator's typestring
DBotScore.VendorThe indicator's vendorstring
DBotScore.ScoreThe indicator's scorenumber
IPThe IP objectsunknown
EndpointThe Endpoint's objectunknown
Endpoint.HostnameThe hostname to enrichstring
Endpoint.OSEndpoint OSstring
Endpoint.IPList of endpoint IP addressesunknown
Endpoint.MACList of endpoint MAC addressesunknown
Endpoint.DomainEndpoint domain namestring

Playbook Image#

Access Investigation - Generic