
Email Address Enrichment - Generic v2.1

This playbook is part of the Common Playbooks Pack.

Enriches email addresses.

  • Get information from Active Directory for internal addresses
  • Get the domain-squatting reputation for external addresses


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • IsEmailAddressInternal
  • EmailDomainSquattingReputation
  • Exists

Commands

  • ad-get-user

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| InternalDomains | The CSV list of internal domains. The list will be used to determine whether an email address is internal or external. | None | inputs.InternalDomains | Optional |
| Email | The email addresses to enrich. | Email.Address | Account | Optional |
| Domain | The domains associated with the incident. These domains will be checked for domain-squatting. | None | inputs.Domain | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Account | The account object. | unknown |
| Account.Email.NetworkType | The email account network type. Can be "Internal" or "External". | string |
| Account.Email.Distance.Domain | The compared domain. | string |
| Account.Email.Distance.Value | The distance between the email domain and the compared domain. | number |
| DBotScore | The DBotScore object. | unknown |
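The internal/external split and the distance outputs described above, as an added Python sketch (not the code of the scripts this playbook calls). It assumes the distance is a Levenshtein edit distance and that internal domains match exactly and case-insensitively; the function names and the `max_distance` threshold are hypothetical.

```python
# Added illustration; not the code of the XSOAR scripts listed on this page.
def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (assumed metric for Account.Email.Distance.Value)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _split_csv(value: str) -> list:
    """Normalise a CSV domain list: trim, lower-case, drop a trailing dot."""
    return [d.strip().lower().rstrip(".") for d in value.split(",") if d.strip()]


def enrich_email(address: str, internal_domains: str, domains: str = "") -> dict:
    """Return an Account entry shaped like the playbook outputs."""
    local, sep, domain = address.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower().rstrip(".")
    # Assumption: exact, case-insensitive match; subdomains must be listed.
    internal = domain in set(_split_csv(internal_domains))
    email = {"Address": address.strip(),
             "NetworkType": "Internal" if internal else "External"}
    if not internal:
        # Only external addresses are compared against the incident domains.
        email["Distance"] = [{"Domain": d, "Value": edit_distance(domain, d)}
                             for d in _split_csv(domains)]
    return {"Email": email}


def lookalike_domains(account: dict, max_distance: int = 2) -> list:
    """Compared domains the address nearly matches (threshold is hypothetical)."""
    return [d["Domain"] for d in account["Email"].get("Distance", [])
            if 0 < d["Value"] <= max_distance]


if __name__ == "__main__":
    # Constructed sample inputs.
    for addr in ("alice@Example.COM", "billing@examp1e.com"):
        acct = enrich_email(addr, "example.com, corp.example", "example.com,partner.org")
        print(acct, lookalike_domains(acct))
```

A distance of 0 is excluded from the lookalike list because it means the address uses the compared domain itself rather than an imitation of it.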
