Entity Enrichment - Phishing v2
Phishing Pack.#
This Playbook is part of theEnriches entities using one or more integrations.
#
DependenciesThis playbook uses the following sub-playbooks, integrations, and scripts.
#
Sub-playbooks- File Enrichment - Generic v2
- Email Address Enrichment - Generic v2.1
- URL Enrichment - Generic v2
- IP Enrichment - External - Generic v2
- Domain Enrichment - Generic v2
#
IntegrationsThis playbook does not use any integrations.
#
ScriptsThis playbook does not use any scripts.
#
CommandsThis playbook does not use any commands.
#
Playbook InputsName | Description | Default Value | Source | Required |
---|---|---|---|---|
IP | The IP addresses to enrich. | Address | IP | Optional |
InternalRange | The list of internal IP address ranges to check the IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the integration will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges). | 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16 | - | Optional |
MD5 | The MD5 hash to enrich. | MD5 | File | Optional |
SHA256 | The SHA256 has to enrich. | SHA256 | File | Optional |
SHA1 | The SHA1 hash to enrich. | SHA1 | File | Optional |
URL | The URL to enrich. | Data | URL | Optional |
The email addresses to enrich. | Email.Address | Account | Optional | |
Hostname | The hostname to enrich. | Hostname | Endpoint | Optional |
Username | The Username to enrich. | Username | Account | Optional |
Domain | The domain name to enrich. | Name | Domain | Optional |
ResolveIP | Whether the IP addess "Enrichment - Generic" playbook should convert IP addresses to hostnames using a DNS query. Can be, "True" or "False". | False | - | Optional |
InternalDomains | A CSV list of internal domains. The list will be used to determine whether an email address is "Internal" or "External". | Internal | - | Optional |
#
Playbook OutputsPath | Description | Type |
---|---|---|
IP | The IP object. | unknown |
Endpoint | The endpoint object. | unknown |
Endpoint.Hostname | The hostname that was enriched. | string |
Endpoint.OS | The endpoint's operating system. | string |
Endpoint.IP | A list of endpoint IP addresses. | unknown |
Endpoint.MAC | A list of endpoint MAC addresses. | unknown |
Endpoint.Domain | The endpoint domain name. | string |
DBotScore | The DBotScore object. | unknown |
DBotScore.Indicator | The indicator that was tested. | string |
DBotScore.Type | The indicator type. | string |
DBotScore.Vendor | The vendor used to calculate the score. | string |
DBotScore.Score | The actual score. | number |
File | The file object. | unknown |
File.SHA1 | The SHA1 hash of the file. | string |
File.SHA256 | The SHA256 hash of the file. | string |
File.MD5 | The MD5 hash of the file. | string |
File.Malicious | Whether the file is malicious. | unknown |
File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
URL | The URL object. | uknown |
URL.Data | The enriched URL. | string |
URL.Malicious | Whether the detected URL was malicious. | unknown |
URL.Vendor | The vendor that labeled the URL as malicious. | string |
URL.Description | The additional information for the URL. | string |
Domain | The domain object. | unknown |
Account | The account object. | unknown |
Account.Email | The email of the account. | unknown |
Account.Email.NetworkType | The email account NetworkType. Can be, "Internal" or "External". | string |
Account.Email.Distance | The object that contains the distance between the email domain and the compared domain. | unknown |
Account.Email.Distance.Domain | The compared domain. | string |
Account.Email.Distance.Value | The distance between the email domain and the compared domain. | number |
ActiveDirectory.Users | An object containing information about the user from Active Directory. | unknown |
ActiveDirectory.Users.sAMAccountName | The user's samAccountName. | unknown |
ActiveDirectory.Users.userAccountControl | The user's account control flag. | unknown |
ActiveDirectory.Users.mail | The user's email address. | unknown |
ActiveDirectory.Users.memberOf | The groups that the user is a member of. | unknown |
CylanceProtectDevice | The device information about the hostname that was enriched using Cylance Protect v2. | unknown |