Skip to main content

Impossible Traveler - Enrichment

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following:

  • Geo location
  • Active Directory
  • IP enrichment e.g. VirusTotal, AbuseIPDB, etc.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Account Enrichment - Generic v2.1


  • CoreIOCs
  • CortexCoreIR


  • DeleteContext
  • Set
  • http
  • ParseJSON


  • ip

Playbook Inputs#

NameDescriptionDefault ValueRequired
sourceipThe source IP to iterate over.Optional
usernameThe username to iterate over.Optional
domainThe organization domain.Optional

Playbook Outputs#

ActiveDirectory.Users.managerThe manager of the user.unknown

Playbook Image#

Impossible Traveler - Enrichment