Skip to main content

Email Address Enrichment - Generic v2.1

This Playbook is part of the Common Playbooks Pack.#

Enrich email addresses.

  • Get information from Active Directory for internal addresses
  • Get the domain-squatting reputation for external addresses
  • Email address reputation using !email command


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • IsEmailAddressInternal
  • EmailDomainSquattingReputation
  • Exists


  • email
  • ad-get-user

Playbook Inputs#

NameDescriptionDefault ValueRequired
InternalDomainsA CSV list of internal domains. The list will be used to determine whether an email address is internal or external.Optional
EmailThe email addresses to enrich.Account.Email.AddressOptional
DomainThe domains associated with the incident. These domains will be checked for domain-squatting.Optional
UseReputationCommandDefine if you would like to use the !email command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.
The default value is false.

Playbook Outputs#

AccountThe Account object.unknown
Account.Email.NetworkTypeThe email account NetworkType (Internal/External).string
Account.Email.Distance.DomainThe compared domain.string
Account.Email.Distance.ValueThe distance between the email domain and the compared domain.number
DBotScoreThe DBotScore object.unknown
Account.Email.UsernameThe Email account usernamestring
Account.Email.DomainThe Email account domainstring
ActiveDirectory.Users.dnThe user distinguished name.unknown
ActiveDirectory.Users.displayNameThe user display name.unknown
ActiveDirectory.Users.nameThe user common name.unknown
ActiveDirectory.Users.sAMAccountNameThe user sAMAccountName.unknown
ActiveDirectory.Users.userAccountControlThe user account control flag.unknown
ActiveDirectory.Users.managerThe manager of the user.unknown
ActiveDirectory.Users.memberOfGroups in which the user is a member.unknown
ActiveDirectory.Users.userAccountControlFields.SCRIPTWhether the login script is run. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLEWhether the user account is disabled. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIREDWhether the home folder is required. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.LOCKOUTWhether the user is locked out. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQDWhether the password is required. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGEWhether the user can change the password. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWEDWhether the user can send an encrypted password. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNTWhether this is an account for users whose primary account is in another domain. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNTWhether this is a default account type that represents a typical user. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNTWhether the account is permitted to trust a system domain that trusts other domains. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNTWhether this is a computer account for a computer running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.unknown
ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNTWhether this is a computer account for a domain controller that is a member of this domain. Works for *Windows Server 2012 R2*.unknown
ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORDWhether to never expire the password on the account.unknown
ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNTWhether this is an MNS login account.unknown
ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIREDWhether to force the user to log in by using a smart card.unknown
ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATIONWhether the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.unknown
ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATEDWhether the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.unknown
ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLYWhether to restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.unknown
ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTHWhether this account require Kerberos pre-authentication for logging on.unknown
ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIREDWhether the user password expired.unknown
ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATIONWhether the account is enabled for delegation.unknown
ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNTWhether the account is a read-only domain controller (RODC).unknown
ActiveDirectory.UsersPageCookieAn opaque string received in a paged search, used for requesting subsequent entries.unknown
Account.DisplayNameThe user display name.unknown
Account.GroupsGroups for which the user is a member.unknown
Account.ManagerThe user manager.unknown
Account.IDThe user distinguished name.unknown
Account.UsernameThe user samAccountName.unknown
Account.EmailThe user email address.unknown
ActiveDirectory.Users.mailThe user email address.unknown
Account.Email.AddressThe Email account full addressstring
Account.Email.DistanceThe email address distance compare to the domains in query.number
DBotScore.IndicatorThe Indicator.string
DBotScore.TypeThe Indicator Type.string
DBotScore.VendorThe DBot score vendor.string
DBotScore.ScoreThe DBot score.number
DBotScore.ReliabilityThe actual score.unknown
Email.Relationships.EntityAThe source of the relationship.unknown
Email.Relationships.EntityBThe destination of the relationship.unknown
Email.Relationships.RelationshipThe name of the relationship.unknown
Email.Relationships.EntityATypeThe type of the source of the relationship.unknown
Email.Relationships.EntityBTypeThe type of the destination of the relationship.unknown

Playbook Image#

Email Address Enrichment - Generic v2.1