Skip to main content

Impossible Traveler - Enrichment

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook get as an input all of the involved IP addresses and identities from the Impossible Traveler playbook alert and enriches them based on the following:

  • Geo location
  • Active Directory
  • Verdict enrichment e.g. VirusTotal, AbuseIPDB, etc.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Active Directory - Get User Manager Details


  • CoreIOCs
  • CortexCoreIR


  • http
  • Set
  • DeleteContext
  • ParseJSON


  • ip
  • ad-get-user

Playbook Inputs#

NameDescriptionDefault ValueRequired
sourceipThe source IP to iterate overOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

Impossible Traveler - Enrichment