
Entity Enrichment - Generic v3

This playbook is part of the Common Playbooks Pack.

Enrich entities using one or more integrations.


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • IP Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • Email Address Enrichment - Generic v2.1
  • Domain Enrichment - Generic v2
  • Endpoint Enrichment - Generic v2.1
  • File Enrichment - Generic v2
  • URL Enrichment - Generic v2
  • CVE Enrichment - Generic v2

Integrations

This playbook does not use any integrations directly; the sub-playbooks above call the integrations that are enabled in the instance.

Scripts

This playbook does not use any scripts directly.

Commands

This playbook does not use any commands directly.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IP | The IP addresses to enrich. | IP.Address | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes). | lists.PrivateIPs | Optional |
| MD5 | File MD5 to enrich. | File.MD5 | Optional |
| SHA256 | File SHA256 to enrich. | File.SHA256 | Optional |
| SHA1 | File SHA1 to enrich. | File.SHA1 | Optional |
| URL | URL to enrich. | URL.Data | Optional |
| Email | The email addresses to enrich. | Account.Email.Address | Optional |
| Hostname | The hostname to enrich. | Endpoint.Hostname | Optional |
| Username | The username to enrich. | Account.Username | Optional |
| Domain | The domain name to enrich. | Domain.Name | Optional |
| ResolveIP | Determines whether the IP Enrichment - Generic playbook should convert IP addresses to hostnames using a DNS query. True - Resolves the IP addresses to hostnames. False - Does not resolve the IP addresses to hostnames. | False | Optional |
| InternalDomains | A CSV list of internal domains. The list will be used to determine whether an email address is internal or external. | | Optional |
| CVE | CVE ID to enrich. | CVE.ID | Optional |
| URLSSLVerification | Whether to verify SSL certificates for URLs. Can be True or False. | | |
| UseReputationCommand | Whether to execute the reputation command on the indicator. | False | Optional |
| AccountDomain | Optional - This input is needed for the IAM-get-user command (used in the Account Enrichment - IAM playbook). Please provide the domain name that the user is related to. | | |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| IP | The IP object. | unknown |
| Endpoint | The endpoint object. | unknown |
| Endpoint.Hostname | The hostname that was enriched. | string |
| Endpoint.OS | The endpoint's operating system. | string |
| Endpoint.IP | A list of endpoint IP addresses. | unknown |
| Endpoint.MAC | A list of endpoint MAC addresses. | unknown |
| Endpoint.Domain | The endpoint domain name. | string |
| DBotScore | The DBotScore object. | unknown |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Vendor | Vendor used to calculate the score. | string |
| DBotScore.Score | The actual score. | number |
| File | The file object. | unknown |
| File.SHA1 | SHA1 hash of the file. | string |
| File.SHA256 | SHA256 hash of the file. | string |
| File.MD5 | MD5 hash of the file. | string |
| File.Malicious | Whether the file is malicious. | unknown |
| File.Malicious.Vendor | For malicious files, the vendor that made the decision. | string |
| URL | The URL object. | unknown |
| URL.Data | The enriched URL. | string |
| URL.Malicious | Whether the detected URL was malicious. | unknown |
| URL.Vendor | Vendor that labeled the URL as malicious. | string |
| URL.Description | Additional information for the URL. | string |
| Domain | The domain object. | unknown |
| Account | The account object. | unknown |
| Account.Email | The email of the account. | unknown |
| Account.Email.NetworkType | The email account NetworkType (Internal/External). | string |
| Account.Email.Distance | The object that contains the distance between the email domain and the compared domain. | unknown |
| Account.Email.Distance.Domain | The compared domain. | string |
| Account.Email.Distance.Value | The distance between the email domain and the compared domain. | number |
| ActiveDirectory.Users | An object containing information about the user from Active Directory. | unknown |
| ActiveDirectory.Users.sAMAccountName | The user's sAMAccountName. | unknown |
| ActiveDirectory.Users.userAccountControl | The user's account control flag. | unknown |
| ActiveDirectory.Users.mail | The user's email address. | unknown |
| ActiveDirectory.Users.memberOf | Groups the user is a member of. | unknown |
| CylanceProtectDevice | The device information about the hostname that was enriched using Cylance Protect v2. | unknown |
| PaloAltoNetworksXDR.RiskyUser | The account object. | string |
| PaloAltoNetworksXDR.RiskyUser.type | Form of identification element. | string |
| PaloAltoNetworksXDR.RiskyUser.id | Identification value of the type field. | string |
| PaloAltoNetworksXDR.RiskyUser.score | The score assigned to the user. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons | The account risk objects. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons.date created | Date when the incident was created. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons.description | Description of the incident. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons.severity | The severity of the incident. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons.status | The incident status. | string |
| PaloAltoNetworksXDR.RiskyUser.reasons.points | The score. | string |
| PaloAltoNetworksXDR.RiskyHost | The endpoint object. | string |
| PaloAltoNetworksXDR.RiskyHost.type | Form of identification element. | string |
| PaloAltoNetworksXDR.RiskyHost.id | Identification value of the type field. | string |
| PaloAltoNetworksXDR.RiskyHost.score | The score assigned to the host. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons | The endpoint risk objects. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons.date created | Date when the incident was created. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons.description | Description of the incident. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons.severity | The severity of the incident. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons.status | The incident status. | string |
| PaloAltoNetworksXDR.RiskyHost.reasons.points | The score. | string |
| Core | An object containing risky users and risky hosts as identified by the Core ITDR module. | unknown |
| Core.RiskyUser | The risky user object. | unknown |
| Core.RiskyUser.type | Form of identification element. | unknown |
| Core.RiskyUser.id | Identification value of the type field. | unknown |
| Core.RiskyUser.score | The score assigned to the user. | unknown |
| Core.RiskyUser.reasons | The reasons for the user risk level. | unknown |
| Core.RiskyUser.reasons.date created | Date when the incident was created. | unknown |
| Core.RiskyUser.reasons.description | Description of the incident. | unknown |
| Core.RiskyUser.reasons.severity | The severity of the incident. | unknown |
| Core.RiskyUser.reasons.status | The incident status. | unknown |
| Core.RiskyUser.reasons.points | The score. | unknown |
| Core.Endpoint | The endpoint object. | unknown |
| Core.Endpoint.endpoint_id | The endpoint ID. | unknown |
| Core.Endpoint.endpoint_name | The endpoint name. | unknown |
| Core.Endpoint.endpoint_type | The endpoint type. | unknown |
| Core.Endpoint.endpoint_status | The status of the endpoint. | unknown |
| Core.Endpoint.os_type | The endpoint OS type. | unknown |
| Core.Endpoint.ip | A list of IP addresses. | unknown |
| Core.Endpoint.users | A list of users. | unknown |
| Core.Endpoint.domain | The endpoint domain. | unknown |
| Core.Endpoint.alias | The endpoint's aliases. | unknown |
| Core.Endpoint.first_seen | First seen date/time in Epoch (milliseconds). | unknown |
| Core.Endpoint.last_seen | Last seen date/time in Epoch (milliseconds). | unknown |
| Core.Endpoint.content_version | Content version. | unknown |
| Core.Endpoint.installation_package | Installation package. | unknown |
| Core.Endpoint.active_directory | Active Directory. | unknown |
| Core.Endpoint.install_date | Install date in Epoch (milliseconds). | unknown |
| Core.Endpoint.endpoint_version | Endpoint version. | unknown |
| Core.Endpoint.is_isolated | Whether the endpoint is isolated. | unknown |
| Core.Endpoint.group_name | The name of the group to which the endpoint belongs. | unknown |
| Core.RiskyHost | The risky host object. | unknown |
| Core.RiskyHost.type | Form of identification element. | unknown |
| Core.RiskyHost.id | Identification value of the type field. | unknown |
| Core.RiskyHost.score | The score assigned to the host. | unknown |
| Core.RiskyHost.reasons | The reasons for the risk level. | unknown |
| Core.RiskyHost.reasons.date created | Date when the incident was created. | unknown |
| Core.RiskyHost.reasons.description | Description of the incident. | unknown |
| Core.RiskyHost.reasons.severity | The severity of the incident. | unknown |
| Core.RiskyHost.reasons.status | The incident status. | unknown |
| Core.RiskyHost.reasons.points | The score. | unknown |
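Two of the checks this playbook's inputs and outputs describe are easy to get subtly wrong when reimplemented in a custom automation: deciding whether an IP falls inside the InternalRange CIDR list, and classifying an email address as Internal/External against InternalDomains while computing the Account.Email.Distance value that flags look-alike (typosquatted) sender domains. The following is an added illustration, not code from the Common Playbooks Pack or from Cortex XSOAR. It assumes the distance metric is Levenshtein edit distance and that a distance of 1 to 2 from an internal domain is worth flagging; the CSV values, email addresses and the `find_lookalike_domains` helper are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values standing in for the playbook's InternalRange and
# InternalDomains CSV inputs. They are assumptions for this example only.
INTERNAL_RANGE_CSV = "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,fd00::/8"
INTERNAL_DOMAINS_CSV = "example.com, corp.example.com"


def parse_csv_list(value: str) -> List[str]:
    """Split a comma-separated playbook input, dropping blanks and surrounding whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_internal_ip(ip: str, internal_range_csv: str) -> bool:
    """True if `ip` lies inside any CIDR in the InternalRange list.

    A malformed range entry is skipped instead of aborting, so one typo in the
    list does not stop enrichment of every IP. An unparsable `ip` is treated
    as not internal, which is the safer default for an enrichment decision.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    for cidr in parse_csv_list(internal_range_csv):
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            continue  # skip malformed range entries
        if addr.version == net.version and addr in net:
            return True
    return False


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; assumed here as the Distance.Value metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def enrich_email(email: str, internal_domains_csv: str) -> Dict:
    """Build an Account.Email-shaped dict: NetworkType plus one Distance entry per internal domain."""
    if "@" not in email:
        raise ValueError(f"not an email address: {email!r}")
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    internal = [d.lower() for d in parse_csv_list(internal_domains_csv)]
    network_type = "Internal" if domain in internal else "External"
    distances = [{"Domain": d, "Value": levenshtein(domain, d)} for d in internal]
    return {"Address": email, "NetworkType": network_type, "Distance": distances}


def find_lookalike_domains(email_obj: Dict, max_distance: int = 2) -> List[str]:
    """Hypothetical helper: internal domains the sender domain nearly matches.

    External senders whose domain is within `max_distance` edits of an internal
    domain (but not equal to it) are the classic typosquatting pattern.
    """
    if email_obj["NetworkType"] == "Internal":
        return []
    return [d["Domain"] for d in email_obj["Distance"] if 0 < d["Value"] <= max_distance]


if __name__ == "__main__":
    for ip in ("10.1.2.3", "8.8.8.8", "fd00::1", "not-an-ip"):
        print(ip, "internal" if is_internal_ip(ip, INTERNAL_RANGE_CSV) else "external")
    for addr in ("alice@example.com", "alice@examp1e.com", "bob@mail.example.org"):
        obj = enrich_email(addr, INTERNAL_DOMAINS_CSV)
        print(addr, obj["NetworkType"], obj["Distance"], find_lookalike_domains(obj))
```

In a real XSOAR automation the CSV strings would come from `demisto.args()` and the dict would be returned as context under `Account.Email`; the logic above is what a practitioner should verify against their own InternalRange and InternalDomains lists, in particular that IPv6 ranges and trailing-dot domains behave as expected.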

Playbook Image

(Image: Entity Enrichment - Generic v3 playbook diagram)