Skip to main content

IP Whitelist And Exclusion - RiskIQ Digital Footprint

This Playbook is part of the RiskIQ Digital Footprint Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Adds the IP Address(es) to allow list after checking if it should be added to allow list according to the user inputs provided. This playbook also adds these IP Address indicators to the exclusion list and tags it with the "RiskIQ Whitelisted IP Address" tag.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Allow IP - Okta Zone
  • IP Whitelist - GCP Firewall
  • Check IP Address For Whitelisting - RiskIQ Digital Footprint
  • IP Whitelist - AWS Security Group


This playbook does not use any integrations.


  • ParseCSV
  • GetServerURL
  • ExportToCSV
  • DeleteContext


  • send-mail
  • excludeIndicators
  • setIndicators

Playbook Inputs#

NameDescriptionDefault ValueRequired
ip_addressThe list of IP Address(es) to be added to allow list and excluded.Required
InternalRangeA list of IP ranges to check if the IP Address is in that range to add to allow list. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: ",," (without quotes). If a list is not provided, will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).Optional
auto_whitelist_ip_addressAutomatically add to allow list the IP Address(es). You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'RiskIQ Auto Whitelist IP Address'.incident.riskiqautowhitelistipaddressOptional
auto_exclude_whitelisted_ip_addressAutomatically add the IP Address(es) on allow list to the exclusion list. You can set this as 'Yes' or 'No' manually here or you can set it into a custom incident field 'RiskIQ Auto Exclude Whitelisted IP Address'.incident.riskiqautoexcludewhitelistedipaddressOptional
support_contactThe contact email address of the support team from which manual inputs should be fetched.incident.riskiqsupportcontactOptional
aws_security_group_nameName of the AWS Security Group to update the allow listed IPs.incident.riskiqassetawssecuritygroupnameOptional
gcp_firewall_nameName of the GCP Firewall where the playbook should set the allow listed IPs.incident.riskiqassetgcpfirewallnameOptional
okta_zone_idID of the Okta Zone to update the allow listed IPs. Use !okta-list-zones to obtain the available zones.incident.riskiqassetoktazoneidOptional

Playbook Outputs#

There are no outputs for this playbook.

Playbook Image#

IP Whitelist And Exclusion - RiskIQ Digital Footprint