Skip to main content

Enrichment for Verdict

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook checks prior alert closing reasons and performs enrichment and prevalence checks on different IOC types. It then returns the information needed to establish the alert's verdict.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • URL Enrichment - Generic v2
  • File Reputation
  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • Get prevalence for IOCs
  • Domain Enrichment - Generic v2


This playbook does not use any integrations.


  • Set
  • SearchIncidentsV2


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
thresholdThe number of previous alerts that were closed as false positive alerts. This threshold establishes whether the Previous Verdict key will be marked as false positive.2Optional
queryA query for the previous alerts search.
Use free form query (Lucene syntax) as a filter. All other filters are ignored when this filter is used.
(initiatorsha256:${inputs.FileSHA256} or hostip:${inputs.IP}) and sourceBrand:"${alert.sourceBrand}" and name:"${}"Optional
CloseReasonThe closing reason of the previous alerts to search for.
Possible values are:
- Resolved - Threat Handled
- Resolved - True Positive
- Resolved - False Positive
- Resolved - Security Testing
- Resolved - Known Issue
- Resolved - Duplicate Incident
- Resolved - Other
- Resolved - Auto
Resolved - False Positive,Resolved - Duplicate Incident,Resolved - Known IssueOptional
FileSHA256File SHA256 to enrich and give verdict.alert.initiatorsha256Optional
IPIP address to enrich and give verdict.alert.hostipOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges is: ",," (without quotes).lists.PrivateIPsOptional
ResolveIPDetermines whether to convert the IP address to a hostname using a DNS query (True/ False).Optional
URLURL to enrich and give verdict.alert.urlOptional
UserUser to enrich and give verdict. (AWS IAM or Active Directory).alert.usernameOptional
DomainDomain to enrich and give verdict.alert.domainnameOptional
CommandLineThe CMD to run the prevalence check.Optional
ProcessNameThe process name to run the prevalence check.Optional
RegistryKeyThe registry key to run the prevalence check. The input registry value must be provided as well.Optional
RegistryValueThe registry value to run prevalence check. The input registry key must be provided as well.Optional
UseReputationCommandSet 'True' to use the reputation commands (!ip, !domain, !url) to enrich the IP, URL, and domain.TrueOptional

Playbook Outputs#

PreviousVerdictSuspected verdict for previous alerts.string
VTFileVerdictCheck for VirusTotal verdict.unknown
NSRLFileVerdictCheck for the file presence in NSRL DB.unknown
VTFileSignersCheck VirusTotal if the file is signed by a trusted publisher.unknown
XDRFileSignersCheck XDR alert if the file is signed by a trusted publisher.unknown
IPThe IP objects.unknown
DBotScoreIndicator's dbot Score, dbot Type and Vendor.unknown
EndpointThe endpoint's object.unknown
URLThe URL object.uknown
AWS.IAM.UsersAWS IAM user information.unknown
AWS.IAM.Users.AccessKeysAWS IAM user access keys information.unknown
AccountThe account object.unknown
ActiveDirectory.UsersActive Directory user information.unknown
IPVerdictSpecifies whether the IP addresses were found as suspicious.unknown
URLVerdictSpecifies whether the URLs were found as suspicious.unknown
FileVerdictSpecifies whether the files were found as suspicious.unknown
WildFire.ReportWildFire report object.unknown
WildFire.Report.verdictThe verdict of the report.unknown
WildFire.Verdicts.VerdictVerdict of the file.unknown
WildFire.Verdicts.VerdictDescriptionDescription of the file verdict.unknown
DomainVerdictDomain verdictunknown
Core.AnalyticsPrevalence.Ip.valueWhether the IP address is prevalent or not.unknown global prevalence of the IP.unknown local prevalence of the IP.unknown
Core.AnalyticsPrevalence.Hash.valueWhether the hash is prevalent or not.unknown global prevalence of the hash.unknown local prevalence of the hash.unknown
Core.AnalyticsPrevalence.Domain.valueWhether the domain is prevalent or not.unknown global prevalence of the domain.unknown local prevalence of the domain.unknown
Core.AnalyticsPrevalence.Process.valueWhether the process is prevalent or not.unknown global prevalence of the process.unknown local prevalence of the process.unknown
Core.AnalyticsPrevalence.Registry.valueWhether the registry is prevalent or not.unknown global prevalence of the registry.unknown local prevalence of the registry.unknown
Core.AnalyticsPrevalence.Cmd.valueWhether the CMD is prevalent or not.unknown global prevalence of the CMD.unknown local prevalence of the CDM.unknown

Playbook Image#

Enrichment for Verdict