Access Investigation - Generic

Investigates an access incident by gathering the user and IP address information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.


This playbook uses the following sub-playbooks, integrations, scripts, and commands.

Sub-playbooks

  • Account Enrichment - Generic
  • IP Enrichment - Generic

Integrations

  • Builtin

Scripts

  • AssignAnalystToIncident
  • EmailAskUser
  • ADGetUser

Commands

  • setIncident
  • closeInvestigation
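To make the flow concrete, here is an added Python model of the playbook's decision logic (illustrative code, not the playbook's own implementation). It assumes constructed inputs shaped like the outputs listed below: an enrichment dict holding Account and DBotScore entries, and the EmailAskUser reply as a string, or None when the user never answered.

```python
from typing import Optional

BAD = 3  # DBotScore.Score for a "Bad" verdict (XSOAR scale: 0 unknown, 1 good, 2 suspicious, 3 bad)


def triage_access(incident: dict, enrichment: dict, user_reply: Optional[str]) -> dict:
    """Return the actions the playbook flow would take for one access incident."""
    result = {"actions": [], "assigned_role": None, "closed": False, "reason": ""}
    user = incident.get("srcuser")
    role = incident.get("role", "Administrator")

    # Enrichment first: a Bad indicator means the user's answer alone never closes the case.
    scores = enrichment.get("DBotScore", [])
    bad = [s.get("Indicator", "?") for s in scores if s.get("Score", 0) >= BAD]

    # Without an email address the user cannot be asked, so hand the incident to the role.
    email = enrichment.get("Account", {}).get("Email", {}).get("Address")
    if not email:
        result["actions"].append("AssignAnalystToIncident")
        result["assigned_role"] = role
        result["reason"] = f"no email address found for {user}"
        return result

    result["actions"].append("EmailAskUser")
    confirmed = (user_reply or "").strip().lower() == "yes"
    if confirmed and not bad:
        # User owns the action and nothing is malicious: close the investigation.
        result["actions"] += ["setIncident", "closeInvestigation"]
        result["closed"] = True
        result["reason"] = f"{user} confirmed access from {incident.get('src')}"
    else:
        # Denied, no reply, or malicious indicator: escalate to an analyst.
        result["actions"] += ["setIncident", "AssignAnalystToIncident"]
        result["assigned_role"] = role
        if bad:
            result["reason"] = "malicious indicator(s): " + ", ".join(bad)
        elif user_reply is None:
            result["reason"] = f"no reply from {user}"
        else:
            result["reason"] = f"{user} denied the access"
    return result


# Constructed sample incident and enrichment (not real data).
SAMPLE_INCIDENT = {"src": "10.0.0.5", "dest": "10.0.1.20", "srcuser": "jdoe", "role": "Administrator"}
SAMPLE_ENRICHMENT = {
    "Account": {"Username": "jdoe", "Email": {"Address": "jdoe@example.com"}},
    "DBotScore": [{"Indicator": "10.0.0.5", "Type": "ip", "Score": 1, "Vendor": "Sample"}],
}
```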

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| SrcIP | The source IP address from which the incident originated. | src | incident | Optional |
| DstIP | The target IP address that was accessed. | dest | incident | Optional |
| Username | The username of the account that was used to access the destination IP address. | srcuser | incident | Optional |
| Role | The default role to assign the incident to. | Administrator | - | Required |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Account.Email.Address | The email address object associated with the account. | string |
| DBotScore | The indicator, score, type, and vendor. | unknown |
| Account.ID | The unique account DN (Distinguished Name). | string |
| Account.Username | The account username. | string |
| Account.Email | The email address associated with the account. | unknown |
| Account.Type | Type of the account entity. | string |
| Account.Groups | The groups the account is part of. | unknown |
| Account | The account object. | unknown |
| Account.DisplayName | The account display name. | string |
| Account.Manager | The account's manager. | string |
| DBotScore.Indicator | The indicator value. | string |
| DBotScore.Type | The indicator's type. | string |
| DBotScore.Vendor | The indicator's vendor. | string |
| DBotScore.Score | The indicator's score. | number |
| IP | The IP address objects. | unknown |
| Endpoint | The endpoint object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.OS | The endpoint OS. | string |
| Endpoint.IP | The list of endpoint IP addresses. | unknown |
| Endpoint.MAC | The list of endpoint MAC addresses. | unknown |
| Endpoint.Domain | The endpoint domain name. | string |

Playbook Image