Skip to main content

IP Whitelist And Exclusion - RiskIQ Digital Footprint

This Playbook is part of the RiskIQ Digital Footprint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Whitelists the IP Address(es) after checking if it should be whitelisted according to the user inputs provided. This playbook also adds these IP Address indicators to the exclusion list and tags it with the "RiskIQ Whitelisted IP Address" tag.

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Allow IP - Okta Zone
  • IP Whitelist - GCP Firewall
  • Check IP Address For Whitelisting - RiskIQ Digital Footprint
  • IP Whitelist - AWS Security Group

Integrations#

This playbook does not use any integrations.

Scripts#

  • ParseCSV
  • GetServerURL
  • ExportToCSV
  • DeleteContext

Commands#

  • send-mail
  • excludeIndicators
  • setIndicators

Playbook Inputs#


NameDescriptionDefault ValueRequired
ip_addressThe list of IP Address(es) to be whitelisted and excluded.Required
InternalRangeA list of IP ranges to check if the IP Address is in that range for whitelisting. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
auto_whitelist_ip_addressAutomatically whitelist the IP Address(es). You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'RiskIQ Auto Whitelist IP Address'.incident.riskiqautowhitelistipaddressOptional
auto_exclude_whitelisted_ip_addressAutomatically add the whitelisted IP Address(es) to the exclusion list. You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'RiskIQ Auto Exclude Whitelisted IP Address'.incident.riskiqautoexcludewhitelistedipaddressOptional
support_contactThe contact email address of the support team from which manual inputs should be fetched.incident.riskiqsupportcontactOptional
aws_security_group_nameName of the AWS Security Group to update the whitelisted IPs.incident.riskiqassetawssecuritygroupnameOptional
gcp_firewall_nameName of the GCP Firewall where the playbook should set the whitelisted IPs.incident.riskiqassetgcpfirewallnameOptional
okta_zone_idID of the Okta Zone to update the whitelisted IPs. Use !okta-list-zones to obtain the available zones.incident.riskiqassetoktazoneidOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


IP Whitelist And Exclusion - RiskIQ Digital Footprint