Skip to main content

IP Enrichment - Generic v2

This Playbook is part of the Common Playbooks Pack.#

Enrich IP addresses using one or more integrations.

  • Resolve IP addresses to hostnames (DNS)
  • Provide threat information
  • Determine IP address reputation using the !ip command
  • Separate internal and external IP addresses
  • For internal IP addresses, get host information.

When executing this playbook through IP Enrichment - Generic v2, IP classification and resolution will be handled by the main playbook, improving performance.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • IP Enrichment - External - Generic v2
  • IP Enrichment - Internal - Generic v2

Integrations#

This playbook does not use any integrations.

Scripts#

  • IPToHost
  • IsIPInRanges

Commands#

This playbook does not use any commands.

Playbook Inputs#


NameDescriptionDefault ValueRequired
IPThe IP address to enrich.IP.AddressOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).lists.PrivateIPsOptional
ResolveIPDetermines whether to convert the IP address to a hostname using a DNS query (True/ False).
The default value is true.
FalseRequired
UseReputationCommandDefine if you would like to use the !IP command.
Note: This input should be used whenever there is no auto-extract enabled in the investigation flow.
Possible values: True / False.
The default value is false.
FalseRequired
extended_dataDefine whether you want the generic reputation command to return extended data (last_analysis_results).
Possible values: True / False.
The default value is false.
FalseOptional
threat_model_associationDefine whether you wish to enhance generic reputation command to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, additional 6 API calls will be performed.
Possible values: True / False.
The default value is false.
FalseOptional
ExecutedFromParentWhether to execute common logic, like the classification of IP addresses to ranges and resolving, in the the main (IP Enrichment - Generic v2) enrichment playbook, instead of in the sub-playbooks.
Possible values are: True, False.

Setting this to True will execute the relevant commands in the main playbook instead of executing them in both sub-playbooks.

Set this to True in the parent playbook if you are using the parent playbook, as opposed to using the sub-playbooks directly in your playbooks, as this will improve the performance of the playbook and reduce the overfall size of the incident.
TrueOptional

Playbook Outputs#


PathDescriptionType
IPThe IP objects.unknown
DBotScoreIndicator, Score, Type, Vendor.unknown
EndpointThe endpoint's object.unknown
Endpoint.HostnameThe hostname to enrich.string
Endpoint.OSEndpoint OS.string
Endpoint.IPList of endpoint IP addresses.string
Endpoint.MACList of endpoint MAC addresses.string
Endpoint.DomainEndpoint domain name.string
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe indicator type.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.string
IP.ASNThe Autonomous System (AS) number associated with the indicator.string
IP.TagsList of IP tags.string
IP.ThreatTypesThreat types associated with the IP.string
IP.Geo.CountryThe country associated with the indicator.string
IP.Geo.LocationThe longitude and latitude of the IP address.string
IP.Malicious.VendorThe vendor that reported the indicator as malicious.string
IP.Malicious.DescriptionFor malicious IPs, the reason that the vendor made the decision.string
IP.VirusTotal.DownloadedHashesLatest files that are detected by at least one antivirus solution and were downloaded by VirusTotal from the IP address.string
IP.VirusTotal.UnAVDetectedDownloadedHashesLatest files that are not detected by any antivirus solution and were downloaded by VirusTotal from the IP address provided.string
IP.VirusTotal.DetectedURLsLatest URLs hosted in this IP address detected by at least one URL scanner.string
IP.VirusTotal.CommunicatingHashesLatest detected files that communicate with this IP address.string
IP.VirusTotal.UnAVDetectedCommunicatingHashesLatest undetected files that communicate with this IP address.string
IP.VirusTotal.Resolutions.hostnameThe following domains resolved to the given IP.string
IP.VirusTotal.ReferrerHashesLatest detected files that embed this IP address in their strings.string
IP.VirusTotal.UnAVDetectedReferrerHashesLatest undetected files that embed this IP address in their strings.string
IP.VirusTotal.Resolutions.last_resolvedThe last time the following domains resolved to the given IP.string
IP.AddressThe IP address.string
IP.InRangeIs the IP in the input ranges? (could be 'yes' or 'no).string
Endpoint.IDThe endpoint ID.string
Endpoint.StatusThe endpoint status.string
Endpoint.IsIsolatedThe endpoint isolation status.string
Endpoint.MACAddressThe endpoint MAC address.string
Endpoint.VendorThe integration name of the endpoint vendor.string
Endpoint.RelationshipsThe endpoint relationships of the endpoint that was enriched.string
Endpoint.ProcessorThe model of the processor.string
Endpoint.ProcessorsThe number of processors.string
Endpoint.MemoryMemory on this endpoint.string
Endpoint.ModelThe model of the machine or device.string
Endpoint.BIOSVersionThe endpoint's BIOS version.string
Endpoint.OSVersionThe endpoint's operation system version.string
Endpoint.DHCPServerThe DHCP server of the endpoint.string
Endpoint.GroupsGroups for which the computer is listed as a member.string
ExtraHop.Device.MacaddrThe MAC Address of the device.string
ExtraHop.Device.DeviceClassThe class of the device.string
ExtraHop.Device.UserModTimeThe time of the most recent update, expressed in milliseconds since the epoch.number
ExtraHop.Device.AutoRoleThe role automatically detected by the ExtraHop.string
ExtraHop.Device.ParentIdThe ID of the parent device.number
ExtraHop.Device.VendorThe device vendor.string
ExtraHop.Device.AnalysisThe level of analysis preformed on the device.string
ExtraHop.Device.DiscoveryIdThe UUID given by the Discover appliance.string
ExtraHop.Device.DefaultNameThe default name of the device.string
ExtraHop.Device.DisplayNameThe display name of device.string
ExtraHop.Device.OnWatchlistWhether the device is on the advanced analysis allow list.boolean
ExtraHop.Device.ModTimeThe time of the most recent update, expressed in milliseconds since the epoch.number
ExtraHop.Device.IsL3Indicates whether the device is a Layer 3 device.boolean
ExtraHop.Device.RoleThe role of the device.string
ExtraHop.Device.DiscoverTimeThe time that the device was discovered.number
ExtraHop.Device.IdThe ID of the device.string
ExtraHop.Device.Ipaddr4The IPv4 address of the device.string
ExtraHop.Device.VlanidThe ID of VLan.string
ExtraHop.Device.Ipaddr6The IPv6 address of the device.string
ExtraHop.Device.NodeIdThe Node ID of the Discover appliance.string
ExtraHop.Device.DescriptionA user customizable description of the device.string
ExtraHop.Device.DnsNameThe DNS name associated with the device.string
ExtraHop.Device.DhcpNameThe DHCP name associated with the device.string
ExtraHop.Device.CdpNameThe Cisco Discovery Protocol name associated with the device.string
ExtraHop.Device.NetbiosNameThe NetBIOS name associated with the device.string
ExtraHop.Device.UrlLink to the device details page in ExtraHop.string
McAfee.ePO.EndpointThe endpoint that was enriched.string
ActiveDirectory.ComputersPageCookieAn opaque string received in a paged search, used for requesting subsequent entries.string
ActiveDirectory.ComputersThe information about the hostname that was enriched using Active Directory.string
ActiveDirectory.Computers.dnThe computer distinguished name.string
ActiveDirectory.Computers.memberOfGroups for which the computer is listed.string
ActiveDirectory.Computers.nameThe computer name.string
CrowdStrike.DeviceThe information about the endpoint.string
CarbonBlackEDR.Sensor.systemvolume_total_sizeThe size, in bytes, of the system volume of the endpoint on which the sensor is installed. installed.number
CarbonBlackEDR.Sensor.emet_telemetry_pathThe path of the EMET telemetry associated with the sensor.string
CarbonBlackEDR.Sensor.os_environment_display_stringHuman-readable string of the installed OS.string
CarbonBlackEDR.Sensor.emet_versionThe EMET version associated with the sensor.string
CarbonBlackEDR.Sensor.emet_dump_flagsThe flags of the EMET dump associated with the sensor.string
CarbonBlackEDR.Sensor.clock_deltaThe clock delta associated with the sensor.string
CarbonBlackEDR.Sensor.supports_cblrWhether the sensor supports Carbon Black Live Response (CbLR).string
CarbonBlackEDR.Sensor.sensor_uptimeThe uptime of the process.string
CarbonBlackEDR.Sensor.last_updateWhen the sensor was last updated.string
CarbonBlackEDR.Sensor.physical_memory_sizeThe size in bytes of physical memory.number
CarbonBlackEDR.Sensor.build_idThe sensor version installed on this endpoint. From the /api/builds/ endpoint.string
CarbonBlackEDR.Sensor.uptimeEndpoint uptime in seconds.string
CarbonBlackEDR.Sensor.is_isolatingBoolean representing sensor-reported isolation status.boolean
CarbonBlackEDR.Sensor.event_log_flush_timeIf event_log_flush_time is set, the server will instruct the sensor to immediately
send all data before this date, ignoring all other throttling mechanisms.
To force a host current, set this value to a value far in the future.
When the sensor has finished sending its queued data, this value will be null.
string
CarbonBlackEDR.Sensor.computer_dns_nameThe DNS name of the endpoint on which the sensor is installed.string
CarbonBlackEDR.Sensor.emet_report_settingThe report setting of the EMET associated with the sensor.string
CarbonBlackEDR.Sensor.idThe ID of this sensor.string
CarbonBlackEDR.Sensor.emet_process_countThe number of EMET processes associated with the sensor.string
CarbonBlackEDR.Sensor.emet_is_gpoWhether the EMET is a GPO.string
CarbonBlackEDR.Sensor.power_stateThe sensor power state.string
CarbonBlackEDR.Sensor.network_isolation_enabledBoolean representing the network isolation request status.boolean
CarbonBlackEDR.Sensor.systemvolume_free_sizeThe amount of free bytes on the system volume.string
CarbonBlackEDR.Sensor.statusThe sensor status.string
CarbonBlackEDR.Sensor.num_eventlog_bytesThe number of event log bytes.number
CarbonBlackEDR.Sensor.sensor_health_messageHuman-readable string indicating the sensor’s self-reported status.string
CarbonBlackEDR.Sensor.build_version_stringHuman-readable string of the sensor version.string
CarbonBlackEDR.Sensor.computer_sidMachine SID of this host.string
CarbonBlackEDR.Sensor.next_checkin_timeNext expected communication from this computer in server-local time and zone.string
CarbonBlackEDR.Sensor.node_idThe node ID associated with the sensor.string
CarbonBlackEDR.Sensor.cookieThe cookie associated with the sensor.string
CarbonBlackEDR.Sensor.emet_exploit_actionThe EMET exploit action associated with the sensor.string
CarbonBlackEDR.Sensor.computer_nameNetBIOS name of this computer.string
CarbonBlackEDR.Sensor.license_expirationWhen the license of the sensor expires.string
CarbonBlackEDR.Sensor.supports_isolationWhether the sensor supports isolation.string
CarbonBlackEDR.Sensor.parity_host_idThe ID of the parity host associated with the sensor.string
CarbonBlackEDR.Sensor.supports_2nd_gen_modloadsWhether the sensor support modload of 2nd generation.string
CarbonBlackEDR.Sensor.network_adaptersA pipe-delimited list of IP,MAC pairs for each network interface.string
CarbonBlackEDR.Sensor.sensor_health_statusSelf-reported health score, from 0 to 100. Higher numbers indicate a better health status.number
CarbonBlackEDR.Sensor.registration_timeTime this sensor was originally registered in server-local time and zone.string
CarbonBlackEDR.Sensor.restart_queuedWhether a restart of the sensor is queued.string
CarbonBlackEDR.Sensor.notesThe notes associated with the sensor.string
CarbonBlackEDR.Sensor.num_storefiles_bytesNumber of storefiles bytes associated with the sensor.number
CarbonBlackEDR.Sensor.os_environment_idThe ID of the OS environment of the sensor.string
CarbonBlackEDR.Sensor.shard_idThe ID of the shard associated with the sensor.string
CarbonBlackEDR.Sensor.boot_idA sequential counter of boots since the sensor was installed.string
CarbonBlackEDR.Sensor.last_checkin_timeLast communication with this computer in server-local time and zone.string
CarbonBlackEDR.Sensor.os_typeThe operating system type of the computer.string
CarbonBlackEDR.Sensor.group_idThe sensor group ID this sensor is assigned to.string
CarbonBlackEDR.Sensor.uninstallWhen set, indicates that the sensor will be directed to uninstall on next check-in.string
PaloAltoNetworksXDR.Endpoint.endpoint_idThe endpoint ID.string
PaloAltoNetworksXDR.Endpoint.endpoint_nameThe endpoint name.string
PaloAltoNetworksXDR.Endpoint.endpoint_typeThe endpoint type.string
PaloAltoNetworksXDR.Endpoint.endpoint_statusThe status of the endpoint.string
PaloAltoNetworksXDR.Endpoint.os_typeThe endpoint OS type.string
PaloAltoNetworksXDR.Endpoint.ipA list of IP addresses.string
PaloAltoNetworksXDR.Endpoint.usersA list of users.string
PaloAltoNetworksXDR.Endpoint.domainThe endpoint domain.string
PaloAltoNetworksXDR.Endpoint.aliasThe endpoint's aliases.string
PaloAltoNetworksXDR.Endpoint.first_seenFirst seen date/time in Epoch (milliseconds).string
PaloAltoNetworksXDR.Endpoint.last_seenLast seen date/time in Epoch (milliseconds).string
PaloAltoNetworksXDR.Endpoint.content_versionContent version.string
PaloAltoNetworksXDR.Endpoint.installation_packageInstallation package.string
PaloAltoNetworksXDR.Endpoint.active_directoryActive directory.string
PaloAltoNetworksXDR.Endpoint.install_dateInstall date in Epoch (milliseconds).date
PaloAltoNetworksXDR.Endpoint.endpoint_versionEndpoint version.string
PaloAltoNetworksXDR.Endpoint.is_isolatedWhether the endpoint is isolated.string
PaloAltoNetworksXDR.Endpoint.group_nameThe name of the group to which the endpoint belongs.string
PaloAltoNetworksXDR.Endpoint.countNumber of endpoints returned.number
Account.UsernameThe username in the relevant system.string
Account.DomainThe domain of the account.string
PaloAltoNetworksXDR.RiskyHost.typeForm of identification element.string
PaloAltoNetworksXDR.RiskyHost.idIdentification value of the type field.string
PaloAltoNetworksXDR.RiskyHost.scoreThe score assigned to the host.string
PaloAltoNetworksXDR.RiskyHost.reasonsThe endpoint risk objects.string
PaloAltoNetworksXDR.RiskyHost.reasons.date createdDate when the incident was created.date
PaloAltoNetworksXDR.RiskyHost.reasons.descriptionDescription of the incident.string
PaloAltoNetworksXDR.RiskyHost.reasons.severityThe severity of the incident.string
PaloAltoNetworksXDR.RiskyHost.reasons.statusThe incident status.string
PaloAltoNetworksXDR.RiskyHost.reasons.pointsThe score.string
Core.Endpoint.endpoint_idThe endpoint ID.string
Core.Endpoint.endpoint_nameThe endpoint name.string
Core.Endpoint.endpoint_typeThe endpoint type.string
Core.Endpoint.endpoint_statusThe status of the endpoint.string
Core.Endpoint.os_typeThe endpoint OS type.string
Core.Endpoint.ipA list of IP addresses.string
Core.Endpoint.usersA list of users.string
Core.Endpoint.domainThe endpoint domain.string
Core.Endpoint.aliasThe endpoint's aliases.string
Core.Endpoint.first_seenFirst seen date/time in Epoch (milliseconds).string
Core.Endpoint.last_seenLast seen date/time in Epoch (milliseconds).string
Core.Endpoint.content_versionContent version.string
Core.Endpoint.installation_packageInstallation package.string
Core.Endpoint.active_directoryActive directory.string
Core.Endpoint.install_dateInstall date in Epoch (milliseconds).date
Core.Endpoint.endpoint_versionEndpoint version.string
Core.Endpoint.is_isolatedWhether the endpoint is isolated.string
Core.Endpoint.group_nameThe name of the group to which the endpoint belongs.string
Core.RiskyHost.typeForm of identification element.string
Core.RiskyHost.idIdentification value of the type field.string
Core.RiskyHost.scoreThe score assigned to the host.string
Core.RiskyHost.reasonsThe reasons for the risk level.string
Core.RiskyHost.reasons.date createdDate when the incident was created.date
Core.RiskyHost.reasons.descriptionDescription of the incident.string
Core.RiskyHost.reasons.severityThe severity of the incident.string
Core.RiskyHost.reasons.statusThe incident status.string
Core.RiskyHost.reasons.pointsThe score.string

Playbook Image#


IP Enrichment - Generic v2