Skip to main content

Entity Enrichment - Phishing v2

This Playbook is part of the Phishing Pack.#

Enrich entities using one or more integrations


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Domain Enrichment - Generic v2
  • File Enrichment - Generic v2
  • IP Enrichment - External - Generic v2
  • URL Enrichment - Generic v2
  • Email Address Enrichment - Generic v2.1


This playbook does not use any integrations.


This playbook does not use any scripts.


This playbook does not use any commands.

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPThe IP addresses to enrichIP.AddressOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes).lists.PrivateIPsOptional
MD5File MD5 to enrichFile.MD5Optional
SHA256File SHA256 to enrichFile.SHA256Optional
SHA1File SHA1 to enrichFile.SHA1Optional
URLURL to enrichURL.DataOptional
EmailThe email addresses to enrichAccount.Email.AddressOptional
HostnameThe hostname to enrichEndpoint.HostnameOptional
UsernameThe Username to enrichAccount.UsernameOptional
DomainThe domain name to enrichDomain.NameOptional
ResolveIPDetermines whether the IP Enrichment - Generic playbook should convert IP addresses to hostnames using a DNS query. You can set this to either True or False.FalseOptional
InternalDomainsA CSV list of internal domains. The list will be used to determine whether an email address is internal or external.Optional

Playbook Outputs#

IPThe IP object.unknown
EndpointThe endpoint object.unknown
Endpoint.HostnameThe hostname that was enriched.string
Endpoint.OSThe endpoint's operating system.string
Endpoint.IPA list of endpoint IP addresses.unknown
Endpoint.MACA list of endpoint MAC addresses.unknown
Endpoint.DomainThe endpoint domain name.string
DBotScoreThe DBotScore object.unknown
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.VendorVendor used to calculate the score.string
DBotScore.ScoreThe actual score.number
FileThe file object.unknown
File.SHA1SHA1 hash of the file.string
File.SHA256SHA256 hash of the file.string
File.MD5MD5 hash of the file.string
File.MaliciousWhether the file is malicious.unknown
File.Malicious.VendorFor malicious files, the vendor that made the decision.string
URLThe URL object.uknown
URL.DataThe enriched URL.string
URL.MaliciousWhether the detected URL was malicious.unknown
URL.VendorVendor that labeled the URL as malicious.string
URL.DescriptionAdditional information for the URL.string
DomainThe domain object.unknown
AccountThe account object.unknown
Account.EmailThe email of the account.unknown
Account.Email.NetworkTypeThe email account NetworkType (Internal/External).string
Account.Email.DistanceThe object that contains the distance between the email domain and the compared domain.unknown
Account.Email.Distance.DomainThe compared domain.string
Account.Email.Distance.ValueThe distance between the email domain and the compared domain.number
ActiveDirectory.UsersAn object containing information about the user from Active Directory.unknown
ActiveDirectory.Users.sAMAccountNameThe user's samAccountName.unknown
ActiveDirectory.Users.userAccountControlThe user's account control flag.unknown
ActiveDirectory.Users.mailThe user's email address.unknown
ActiveDirectory.Users.memberOfGroups the user is a member of.unknown
CylanceProtectDeviceThe device information about the hostname that was enriched using Cylance Protect v2.unknown

Playbook Image#

Entity Enrichment - Phishing v2