Skip to main content

Impossible Traveler - Enrichment

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert, and enriches them based on the following:

  • Geo location
  • Active Directory
  • IP enrichment e.g. VirusTotal, AbuseIPDB, etc.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Account Enrichment - Generic v2.1


  • CortexCoreIR
  • CoreIOCs


  • http
  • Set
  • DeleteContext
  • ParseJSON


  • ip

Playbook Inputs#

NameDescriptionDefault ValueRequired
sourceipThe source IP to iterate over.Optional
usernameThe username to iterate over.Optional
domainThe organization domain.Optional

Playbook Outputs#

ActiveDirectory.Users.managerThe manager of the user.unknown
IPThe IP enrichment results.unknown
IP.GeoThe IP geo information.unknown
IP.MaliciousThe IP verdict.unknown
AbuseIPDB.IPThe IP information retrieved from AbuseIPDB.unknown
AbuseIPDB.IP.GeoThe IP geo information.unknown
DBotScoreThe DBotScoreunknown
AbuseIPDB.IP.MaliciousThe IP verdict.unknown
AccountThe account object.unknown
ActiveDirectory.UsersThe AD users.unknown
MSGraphUserThe user information retrieved from MSGraphUserunknown
MSGraphUserManager.ManagerThe user's manager information retrieved from MSGraphUser.unknown

Playbook Image#

Impossible Traveler - Enrichment