Cortex XDR - Cloud Enrichment
This Playbook is part of the Cortex XDR by Palo Alto Networks Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout.
The playbook collects or enriches the following data:
- Resource enrichment
- Previous activity seen in the specified region or project
- Account enrichment
- Network enrichment
- Attacker IP
- Geolocation
- ASN
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
Integrations#
- Whois
Scripts#
- If-Then-Else
- Set
- CopyContextToField
- IsInCidrRanges
Commands#
- setIncident
- ip
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/ False). | True | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. \nFor IP Enrichment - Generic v2 playbook. | Optional |
Playbook Outputs#
| Path | Description | Type |
|---|---|---|
| IP | The IP objects | unknown |
| DBotScore | Indicator, Score, Type, Vendor | unknown |
| Account | The account object. | unknown |
| IAM | Generic IAM output. | unknown |
| ASNType | Checks for cloud ASNs. | unknown |
| isKnownRegion | Checks if any recent activity was seen in the region. | unknown |
| isKnownProject | Checks if any recent activity was seen in the project. | unknown |
| resourceCount | Involved resource count. | unknown |
| uniqueRegionCount | Involved region distinct count. | unknown |
Playbook Image#
