IP Enrichment - External - RST Threat Feed
This Playbook is part of the RST Threat Feed Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
Enrich IP addresses using one or more integrations.
- Resolve IP addresses to hostnames (DNS)
- Provide threat information
- Separate internal and external addresses
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
This playbook does not use any sub-playbooks.
Integrations#
- RST Cloud - Threat Feed API
Scripts#
- IsIPInRanges
- IPToHost
Commands#
- ip
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| IP | The IP address to enrich. | IP.Address | Required |
| InternalRange | A CSV list of IP address ranges (in CIDR notation). Use this list to check if an IP address is found within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use default list provided in the IsIPInRanges script (the known IPv4 private address ranges). | inputs.InternalRange | Optional |
| ResolveIP | Whether to convert the IP address to a hostname using a DNS query (True/False). | inputs.ResolveIP | Required |
| threshold | Defines the minimum score to set indicators as malicious | inputs.threshold | Optional |
Playbook Outputs#
| Path | Description | Type |
|---|---|---|
| IP | The IP address objects. | unknown |
| DBotScore | Indicator, Score, Type, and Vendor. | unknown |
| Endpoint | The endpoint's object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.OS | Endpoint operating system. | string |
| Endpoint.IP | A list of endpoint IP addresses. | unknown |
| Endpoint.MAC | A list of endpoint MAC addresses. | unknown |
| Endpoint.Domain | Endpoint domain name. | string |