Skip to main content

Cortex XDR - Cloud Enrichment

This Playbook is part of the Cloud Incident Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout.

The playbook collects or enriches the following data:

  • Resource enrichment
    • Previous activity seen in the specified region or project
  • Account enrichment
  • Network enrichment
    • Attacker IP
    • Geolocation
    • ASN


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Account Enrichment - Generic v2.1
  • IP Enrichment - Generic v2


This playbook does not use any integrations.


  • Set
  • IsInCidrRanges
  • CopyContextToField
  • If-Then-Else


  • ip
  • setIncident

Playbook Inputs#

NameDescriptionDefault ValueRequired
ResolveIPDetermines whether to convert the IP address to a hostname using a DNS query (True/ False).TrueOptional
InternalRangeA list of internal IP ranges to check IP addresses against. \nFor IP Enrichment - Generic v2 playbook.lists.PrivateIPsOptional

Playbook Outputs#

IPThe IP objects.unknown
DBotScoreIndicator, Score, Type, Vendor.unknown
AccountThe account object.unknown
IAMGeneric IAM output.unknown
ASNTypeChecks for cloud ASNs.unknown
isKnownRegionChecks if any recent activity was seen in the region.unknown
isKnownProjectChecks if any recent activity was seen in the project.unknown
resourceCountInvolved resource count.unknown
uniqueRegionCountInvolved region distinct count.unknown

Playbook Image#

Cortex XDR - Cloud Enrichment