Skip to main content

Entity Enrichment - Generic v4

This Playbook is part of the Use Case Builder Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.9.0 and later.

Enrich entities using one or more integrations.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Email Address Enrichment - Generic v2.1
  • IP Enrichment - Generic v2
  • Endpoint Enrichment - Generic v2.1
  • CVE Enrichment - Generic v2
  • Account Enrichment - Generic v2.1
  • File Enrichment - Generic v2
  • Domain Enrichment - Generic v2
  • URL Enrichment - Generic v2


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPThe IP addresses to enrichIP.AddressOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
MD5File MD5 to enrichFile.MD5Optional
SHA256File SHA256 to enrichFile.SHA256Optional
SHA1File SHA1 to enrichFile.SHA1Optional
URLURL to enrichURL.DataOptional
EmailThe email addresses to enrichAccount.Email.AddressOptional
HostnameThe hostname to enrichEndpoint.HostnameOptional
UsernameThe username to enrichAccount.UsernameOptional
DomainThe domain name to enrichDomain.NameOptional
ResolveIPDetermines whether the IP Enrichment - Generic playbook should convert IP addresses to hostnames using a DNS query. True - Resolves the IP addresses to hostnames. False - Does not resolve the IP addresses to hostnames.FalseOptional
InternalDomainsA CSV list of internal domains. The list will be used to determine whether an email address is internal or external.Optional
CVECVE ID to enrich.CVE.IDOptional
RasterizeURLShould the system take safe screenshots of input URLs?TrueOptional
VerifyURLShould the system perform SSL certificate verification on the URLs?FalseOptional
UseReputationCommandDefine if you would like to use the !file, !ip, !domain, !endpoint commands. If you want to set only specific commands run reputation, please leave this as False and edit the values inside entity enrichment playbook
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.

Playbook Outputs#

IPThe IP object.unknown
EndpointThe endpoint object.unknown
Endpoint.HostnameThe hostname that was enriched.string
Endpoint.OSThe endpoint's operating system.string
Endpoint.IPA list of endpoint IP addresses.unknown
Endpoint.MACA list of endpoint MAC addresses.unknown
Endpoint.DomainThe endpoint domain name.string
DBotScoreThe DBotScore object.unknown
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.VendorVendor used to calculate the score.string
DBotScore.ScoreThe actual score.number
FileThe file object.unknown
File.SHA1SHA1 hash of the file.string
File.SHA256SHA256 hash of the file.string
File.MD5MD5 hash of the file.string
File.MaliciousWhether the file is malicious.unknown
File.Malicious.VendorFor malicious files, the vendor that made the decision.string
URLThe URL object.uknown
URL.DataThe enriched URL.string
URL.MaliciousWhether the detected URL was malicious.unknown
URL.VendorVendor that labeled the URL as malicious.string
URL.DescriptionAdditional information for the URL.string
DomainThe domain object.unknown
AccountThe account object.unknown
Account.EmailThe email of the account.unknown
Account.Email.NetworkTypeThe email account NetworkType (Internal/External).string
Account.Email.DistanceThe object that contains the distance between the email domain and the compared domain.unknown
Account.Email.Distance.DomainThe compared domain.string
Account.Email.Distance.ValueThe distance between the email domain and the compared domain.number
ActiveDirectory.UsersAn object containing information about the user from Active Directory.unknown
ActiveDirectory.Users.sAMAccountNameThe user's samAccountName.unknown
ActiveDirectory.Users.userAccountControlThe user's account control flag.unknown
ActiveDirectory.Users.mailThe user's email address.unknown
ActiveDirectory.Users.memberOfGroups the user is a member of.unknown
CylanceProtectDeviceThe device information about the hostname that was enriched using Cylance Protect v2.unknown

Playbook Image#

Entity Enrichment - Generic v4