Skip to main content

Impossible Traveler - Enrichment

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert and enriches them based on the following:

  • Geo location
  • Active Directory
  • Verdict enrichment e.g. VirusTotal, AbuseIPDB, etc.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Active Directory - Get User Manager Details

Integrations#

  • CoreIOCs
  • CortexCoreIR

Scripts#

  • http
  • Set
  • DeleteContext
  • ParseJSON

Commands#

  • ip
  • ad-get-user

Playbook Inputs#


NameDescriptionDefault ValueRequired
sourceipThe source IP to iterate overOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


Impossible Traveler - Enrichment