Skip to main content

IP Enrichment - External - Generic v2

This Playbook is part of the Common Playbooks Pack.#

Enrich IP addresses using one or more integrations.

  • Resolve IP addresses to hostnames (DNS).
  • Provide threat information.
  • Separate internal and external addresses.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • VirusTotal - Private API


  • IsIPInRanges
  • IPToHost


  • ip
  • threat-crowd-ip
  • vt-private-get-ip-report

Playbook Inputs#

NameDescriptionDefault ValueRequired
IPThe IP address to enrich.IP.AddressOptional
InternalRangeA CSV list of IP address ranges (in CIDR notation). Use this list to check if an IP address is found within a set of IP address ranges. For example: ",," (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges).,,
ResolveIPWhether to convert the IP address to a hostname using a DNS query (True/False).TrueRequired
UseReputationCommandDefine if you would like to use the !IP command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.

Playbook Outputs#

IPThe IP address objects.unknown
DBotScoreIndicator, Score, Type, and Vendor.unknown
EndpointThe endpoint's object.unknown
Endpoint.HostnameThe hostname to enrich.string
Endpoint.OSEndpoint operating system.string
Endpoint.IPA list of endpoint IP addresses.unknown
Endpoint.MACA list of endpoint MAC addresses.unknown
Endpoint.DomainEndpoint domain name.string

Playbook Image#

IP Enrichment - External - Generic v2