Skip to main content

Impossible Traveler - Enrichment

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following:

  • Geo location
  • Active Directory
  • IP enrichment e.g. VirusTotal, AbuseIPDB, etc.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Account Enrichment - Generic v2.1

Integrations#

  • CoreIOCs
  • CortexCoreIR

Scripts#

  • DeleteContext
  • Set
  • http
  • ParseJSON

Commands#

  • ip

Playbook Inputs#


NameDescriptionDefault ValueRequired
sourceipThe source IP to iterate over.Optional
usernameThe username to iterate over.Optional
domainThe organization domain.Optional

Playbook Outputs#


PathDescriptionType
ActiveDirectory.Users.managerThe manager of the user.unknown

Playbook Image#


Impossible Traveler - Enrichment