Skip to main content

Email Address Enrichment - Generic v2.1

This Playbook is part of the Common Playbooks Pack.#

Enrich email addresses.

  • Get information from Active Directory for internal addresses
  • Get the domain-squatting reputation for external addresses
  • Email address reputation using !email command


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • IsEmailAddressInternal
  • EmailDomainSquattingReputation
  • Exists


  • ad-get-user
  • email

Playbook Inputs#

NameDescriptionDefault ValueRequired
InternalDomainsA CSV list of internal domains. The list will be used to determine whether an email address is internal or external.inputs.InternalDomainsOptional
EmailThe email addresses to enrich.Account.Email.AddressOptional
DomainThe domains associated with the incident. These domains will be checked for domain-squatting.inputs.DomainOptional
UseReputationCommandDefine if you would like to use the !email command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.

Playbook Outputs#

AccountThe Account object.unknown
Account.Email.NetworkTypeThe email account NetworkType (Internal/External).string
Account.Email.Distance.DomainThe compared domain.string
Account.Email.Distance.ValueThe distance between the email domain and the compared domain.number
DBotScoreThe DBotScore object.unknown

Playbook Image#

Email Address Enrichment - Generic v2.1