
IP Enrichment - External - Generic v2

This playbook is part of the Common Playbooks Pack.

Enrich IP addresses using one or more integrations.

  • Resolve IP addresses to hostnames (reverse DNS).
  • Provide threat information.
  • Check IP address reputation using the !ip command.
  • Separate internal addresses (inside the configured ranges) from external ones.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • VirusTotal - Private API

Scripts

  • IPToHost
  • IsIPInRanges

Commands

  • ip
  • vt-private-get-ip-report

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IP | The IP address to enrich. | IP.Address | Optional |
| InternalRange | A CSV list of IP address ranges (in CIDR notation). Use this list to check whether an IP address falls within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If no list is provided, the default list in the IsIPInRanges script (the known IPv4 private address ranges) is used. | 172.16.0.0/12,10.0.0.0/8,192.168.0.0/16 | Optional |
| ResolveIP | Whether to convert the IP address to a hostname using a DNS query (True/False). The default value is True. | True | Required |
| UseReputationCommand | Whether to run the !ip reputation command. Note: Set this to True whenever auto-extract is not enabled in the investigation flow. Possible values: True / False. The default value is False. | False | Required |
| extended_data | Whether the generic reputation command returns extended data (last_analysis_results). Possible values: True / False. The default value is False. | False | Optional |
| threat_model_association | Whether to enhance the generic reputation command with additional information such as threat bulletins, attack patterns, actors, campaigns, TTPs, and vulnerabilities. Note: If set to True, 6 additional API calls are performed. Possible values: True / False. The default value is False. | False | Optional |
| ExecutedFromParent | Whether to execute common logic, such as classifying IP addresses into ranges and resolving hostnames, in the main (IP Enrichment - Generic v2) enrichment playbook instead of in the sub-playbooks. Setting this to True runs the relevant commands once in the main playbook instead of in both sub-playbooks. Set this to True in the parent playbook if you use the parent playbook rather than the sub-playbooks directly, as this improves playbook performance and reduces the overall size of the incident. | False | Optional |
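The InternalRange input and the IP.InRange output describe a simple CIDR membership check that decides which addresses are sent on for external reputation lookups. The following is an added example of that logic in plain Python, not the IsIPInRanges script or any other code from the Common Playbooks Pack. It assumes the default range list is the one shown for InternalRange above, tolerates the whitespace and empty entries a hand-typed CSV often contains, skips (and reports) strings that are not valid addresses instead of aborting, and only compares an address against networks of the same IP version. All sample addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: when no InternalRange is supplied, the playbook's default list
# (the RFC 1918 private IPv4 ranges shown on the page) is used.
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"


def parse_ranges(csv_ranges: Optional[str]) -> list:
    """Parse a CSV list of CIDR ranges into ip_network objects.

    Tolerates surrounding whitespace and empty entries; strict=False accepts
    a prefix with host bits set (e.g. "10.0.0.1/8" is read as 10.0.0.0/8).
    Falls back to DEFAULT_INTERNAL_RANGES when the input is empty or None.
    """
    text = (csv_ranges or "").strip() or DEFAULT_INTERNAL_RANGES
    networks = []
    for item in text.split(","):
        item = item.strip()
        if item:
            networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def is_ip_in_ranges(ip: str, networks: list) -> bool:
    """True if the address lies inside any of the given networks.

    Raises ValueError for a string that is not a valid IPv4/IPv6 address.
    An address is only compared against networks of the same IP version,
    so an IPv6 address is never reported as inside an IPv4 range.
    """
    addr = ipaddress.ip_address(ip.strip())
    return any(addr.version == net.version and addr in net for net in networks)


def classify_ips(
    ips: List[str], internal_range: Optional[str] = None
) -> Tuple[List[Dict[str, str]], List[str]]:
    """Build IP context entries with the InRange field ('yes' / 'no').

    Returns (entries, skipped): entries mirror the playbook's IP.Address and
    IP.InRange outputs; skipped lists inputs that were not valid addresses so
    the caller can surface them instead of silently dropping them.
    """
    networks = parse_ranges(internal_range)
    entries, skipped = [], []
    for raw in ips:
        try:
            in_range = is_ip_in_ranges(raw, networks)
        except ValueError:
            skipped.append(raw)
            continue
        entries.append({"Address": raw.strip(), "InRange": "yes" if in_range else "no"})
    return entries, skipped


def split_internal_external(
    ips: List[str], internal_range: Optional[str] = None
) -> Tuple[List[str], List[str]]:
    """Separate addresses into internal (in range) and external (out of range).

    Only the external list should go on to the !ip reputation command:
    querying a third-party service for internal addresses discloses internal
    addressing and returns nothing useful.
    """
    entries, _ = classify_ips(ips, internal_range)
    internal = [e["Address"] for e in entries if e["InRange"] == "yes"]
    external = [e["Address"] for e in entries if e["InRange"] == "no"]
    return internal, external


if __name__ == "__main__":
    # Constructed sample input, not data from the page.
    sample = ["10.1.2.3", "8.8.8.8", " 192.168.5.9 ", "not-an-ip", "fd00::1"]
    print(classify_ips(sample))
    print(split_internal_external(sample, "203.0.113.0/24, 198.51.100.0/24"))
```

Note that the playbook's IP.InRange output only takes the values 'yes' and 'no'; invalid strings are returned separately here rather than given a third value, so downstream tasks that branch on InRange keep working.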

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| IP | The IP address objects. | unknown |
| DBotScore | Indicator, Score, Type, and Vendor. | unknown |
| Endpoint | The endpoint object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.IP | A list of endpoint IP addresses. | string |
| IP.Address | The IP address. | string |
| IP.InRange | Whether the IP is in the input ranges ('yes' or 'no'). | string |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Score | The actual score. | string |
| IP.ASN | The Autonomous System (AS) number associated with the indicator. | string |
| IP.Tags | List of IP tags. | string |
| IP.ThreatTypes | Threat types associated with the IP. | string |
| IP.Geo.Country | The country associated with the indicator. | string |
| IP.Geo.Location | The longitude and latitude of the IP address. | string |
| IP.Malicious.Vendor | The vendor that reported the indicator as malicious. | string |
| IP.Malicious.Description | For malicious IPs, the reason the vendor made the decision. | string |
| IP.VirusTotal.DownloadedHashes | Latest files detected by at least one antivirus solution and downloaded by VirusTotal from the IP address. | string |
| IP.VirusTotal.UnAVDetectedDownloadedHashes | Latest files not detected by any antivirus solution and downloaded by VirusTotal from the IP address. | string |
| IP.VirusTotal.DetectedURLs | Latest URLs hosted at this IP address detected by at least one URL scanner. | string |
| IP.VirusTotal.CommunicatingHashes | Latest detected files that communicate with this IP address. | string |
| IP.VirusTotal.UnAVDetectedCommunicatingHashes | Latest undetected files that communicate with this IP address. | string |
| IP.VirusTotal.Resolutions.hostname | Domains that resolved to the given IP. | string |
| IP.VirusTotal.ReferrerHashes | Latest detected files that embed this IP address in their strings. | string |
| IP.VirusTotal.UnAVDetectedReferrerHashes | Latest undetected files that embed this IP address in their strings. | string |
| IP.VirusTotal.Resolutions.last_resolved | The last time the listed domains resolved to the given IP. | string |

Playbook Image

[Playbook image: IP Enrichment - External - Generic v2]