
IP Enrichment - External - RST Threat Feed

This playbook is part of the RST Threat Feed Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Enrich IP addresses using one or more integrations.

  • Resolve IP addresses to hostnames (DNS)
  • Provide threat information
  • Separate internal and external addresses

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

  • RST Cloud - Threat Feed API

Scripts

  • IsIPInRanges
  • IPToHost

Commands

  • ip

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IP | The IP address to enrich. | IP.Address | Required |
| InternalRange | A CSV list of IP address ranges in CIDR notation, used to check whether an IP address falls within a set of ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If no list is provided, the default list built into the IsIPInRanges script (the known IPv4 private address ranges) is used. | inputs.InternalRange | Optional |
| ResolveIP | Whether to convert the IP address to a hostname using a DNS query (True/False). | inputs.ResolveIP.None | Required |
| threshold | The minimum feed score at which an indicator is set to malicious. | inputs.threshold | Optional |
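The three inputs above drive the playbook's branching: InternalRange decides whether an address is internal, ResolveIP gates the DNS step, and threshold turns a feed score into a verdict. The following is an added example that is not code from the RST Threat Feed pack or from the IsIPInRanges/IPToHost scripts; it reproduces the same decision flow in plain Python so the edge cases can be checked offline. Everything about the feed is assumed: `feed_lookup` and `resolver` are injectable callables fed by constructed dictionaries, the `Vendor` string, the Suspicious-below-threshold rule, and the choice to skip the external feed for internal addresses are this example's assumptions, not the pack's documented behaviour.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Fallback when InternalRange is empty: the known IPv4 private ranges the page
# says IsIPInRanges defaults to (assumed to be exactly these three CIDRs).
DEFAULT_INTERNAL_RANGES = "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16"

# DBotScore values used by Cortex XSOAR: Unknown, Good, Suspicious, Bad.
DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3


def parse_ranges(csv_ranges: Optional[str]) -> List[ipaddress._BaseNetwork]:
    """Parse the InternalRange CSV into network objects.
    A malformed entry raises ValueError instead of being skipped: a silently
    dropped range would classify internal hosts as external."""
    text = csv_ranges.strip() if csv_ranges and csv_ranges.strip() else DEFAULT_INTERNAL_RANGES
    return [ipaddress.ip_network(r.strip(), strict=False)
            for r in text.split(",") if r.strip()]


def is_ip_in_ranges(ip: str, csv_ranges: Optional[str] = None) -> bool:
    """True if ip lies in any of the given CIDRs (IPv4/IPv6 mismatch is False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_ranges(csv_ranges))


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup; returns None on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def score_to_dbot(score: Optional[float], threshold: float) -> int:
    """Map a feed score to a DBotScore. At or above threshold is Bad.
    Assumption of this example: a listed score below threshold is Suspicious,
    and an address absent from the feed is Unknown."""
    if score is None:
        return DBOT_UNKNOWN
    return DBOT_BAD if score >= threshold else DBOT_SUSPICIOUS


def enrich_ip(ip: str, *, internal_range: Optional[str] = None, resolve_ip: bool = True,
              threshold: float = 50,
              feed_lookup: Callable[[str], Optional[float]] = lambda _ip: None,
              resolver: Callable[[str], Optional[str]] = reverse_dns) -> Dict:
    """Build IP / Endpoint / DBotScore context the way the playbook outputs describe."""
    result: Dict = {"IP": {"Address": ip}, "Internal": is_ip_in_ranges(ip, internal_range)}
    if resolve_ip:
        host = resolver(ip)
        if host:
            result["Endpoint"] = {"Hostname": host, "IP": [ip]}
    # Assumption: internal addresses are not queried against the external feed.
    score = None if result["Internal"] else feed_lookup(ip)
    result["DBotScore"] = {"Indicator": ip, "Type": "ip",
                           "Vendor": "RST Cloud",  # assumed vendor label
                           "Score": score_to_dbot(score, threshold)}
    return result


# Constructed sample data (documentation-range addresses, invented scores/PTRs).
CONSTRUCTED_FEED = {"203.0.113.10": 85.0, "198.51.100.7": 20.0}
CONSTRUCTED_PTR = {"203.0.113.10": "mail.example.net"}


def demo() -> List[Dict]:
    """Run the flow over a malicious, a low-score, an internal and an unknown IP."""
    return [enrich_ip(ip, threshold=50, feed_lookup=CONSTRUCTED_FEED.get,
                      resolver=CONSTRUCTED_PTR.get)
            for ip in ("203.0.113.10", "198.51.100.7", "10.1.2.3", "192.0.2.44")]


if __name__ == "__main__":
    for entry in demo():
        print(entry["IP"]["Address"], "internal=%s" % entry["Internal"],
              "score=%d" % entry["DBotScore"]["Score"])
```

Two details are worth carrying into the real playbook: a score exactly equal to threshold counts as malicious ("minimum score"), and a bad CIDR in InternalRange should fail loudly rather than shrink the internal set.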

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| IP | The IP address objects. | unknown |
| DBotScore | Indicator, Score, Type, and Vendor. | unknown |
| Endpoint | The endpoint object. | unknown |
| Endpoint.Hostname | The hostname resolved for the enriched IP address. | string |
| Endpoint.OS | Endpoint operating system. | string |
| Endpoint.IP | A list of endpoint IP addresses. | unknown |
| Endpoint.MAC | A list of endpoint MAC addresses. | unknown |
| Endpoint.Domain | Endpoint domain name. | string |