Skip to main content

Entity Enrichment - Phishing v2

This Playbook is part of the Phishing Pack.#

Enriches entities using one or more integrations.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • File Enrichment - Generic v2
  • Email Address Enrichment - Generic v2.1
  • URL Enrichment - Generic v2
  • IP Enrichment - External - Generic v2
  • Domain Enrichment - Generic v2

Integrations#

This playbook does not use any integrations.

Scripts#

This playbook does not use any scripts.

Commands#

This playbook does not use any commands.

Playbook Inputs#


NameDescriptionDefault ValueSourceRequired
IPThe IP addresses to enrich.AddressIPOptional
InternalRangeThe list of internal IP address ranges to check the IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the integration will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).172.16.0.0/12,10.0.0.0/8,192.168.0.0/16-Optional
MD5The MD5 hash to enrich.MD5FileOptional
SHA256The SHA256 has to enrich.SHA256FileOptional
SHA1The SHA1 hash to enrich.SHA1FileOptional
URLThe URL to enrich.DataURLOptional
EmailThe email addresses to enrich.Email.AddressAccountOptional
HostnameThe hostname to enrich.HostnameEndpointOptional
UsernameThe Username to enrich.UsernameAccountOptional
DomainThe domain name to enrich.NameDomainOptional
ResolveIPWhether the IP addess "Enrichment - Generic" playbook should convert IP addresses to hostnames using a DNS query. Can be, "True" or "False".False-Optional
InternalDomainsA CSV list of internal domains. The list will be used to determine whether an email address is "Internal" or "External".Internal-Optional

Playbook Outputs#


PathDescriptionType
IPThe IP object.unknown
EndpointThe endpoint object.unknown
Endpoint.HostnameThe hostname that was enriched.string
Endpoint.OSThe endpoint's operating system.string
Endpoint.IPA list of endpoint IP addresses.unknown
Endpoint.MACA list of endpoint MAC addresses.unknown
Endpoint.DomainThe endpoint domain name.string
DBotScoreThe DBotScore object.unknown
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.number
FileThe file object.unknown
File.SHA1The SHA1 hash of the file.string
File.SHA256The SHA256 hash of the file.string
File.MD5The MD5 hash of the file.string
File.MaliciousWhether the file is malicious.unknown
File.Malicious.VendorThe vendor that made the decision that the file is malicious.string
URLThe URL object.uknown
URL.DataThe enriched URL.string
URL.MaliciousWhether the detected URL was malicious.unknown
URL.VendorThe vendor that labeled the URL as malicious.string
URL.DescriptionThe additional information for the URL.string
DomainThe domain object.unknown
AccountThe account object.unknown
Account.EmailThe email of the account.unknown
Account.Email.NetworkTypeThe email account NetworkType. Can be, "Internal" or "External".string
Account.Email.DistanceThe object that contains the distance between the email domain and the compared domain.unknown
Account.Email.Distance.DomainThe compared domain.string
Account.Email.Distance.ValueThe distance between the email domain and the compared domain.number
ActiveDirectory.UsersAn object containing information about the user from Active Directory.unknown
ActiveDirectory.Users.sAMAccountNameThe user's samAccountName.unknown
ActiveDirectory.Users.userAccountControlThe user's account control flag.unknown
ActiveDirectory.Users.mailThe user's email address.unknown
ActiveDirectory.Users.memberOfThe groups that the user is a member of.unknown
CylanceProtectDeviceThe device information about the hostname that was enriched using Cylance Protect v2.unknown

Playbook Image#


Entity_Enrichment_Phishing_v2