
XCloud Alert Enrichment

This playbook is part of the Cloud Incident Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook is responsible for data collection and enrichment.

The playbook collects or enriches the following data:

  • Account enrichment
  • Network enrichment
    - Attacker IP
    - Geolocation
    - ASN

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Account Enrichment - Generic v2.1
  • IP Enrichment - Generic v2

Integrations

  • CoreIOCs
  • CortexCoreIR

Scripts

  • IsInCidrRanges
  • Set

Commands

  • ip

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/False). | True | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. Used by the IP Enrichment - Generic v2 sub-playbook. | | Optional |
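The InternalRange input is consumed by the IsInCidrRanges step, which decides whether each IP from the alert falls inside the analyst-supplied internal ranges. The following is an added, stand-alone reproduction of that check (not the playbook's or the IsInCidrRanges script's own code); the sample IPs and range list are constructed, and the assumption that internal addresses are separated out so that only external ones proceed to IP enrichment is this example's, not a statement from the page.

```python
import ipaddress

# Constructed sample: IP indicators from an alert, plus an InternalRange value
# in the same shape as the playbook input (comma- or newline-separated CIDRs).
SAMPLE_IPS = ["10.20.30.40", "198.51.100.7", "2001:db8::1", "not-an-ip"]
SAMPLE_INTERNAL_RANGE = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16\n2001:db8::/32"


def parse_ranges(raw: str) -> list:
    """Parse the InternalRange input into network objects, skipping malformed entries."""
    nets = []
    for item in raw.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.1.2.3/8
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            # Ignore a bad entry rather than abort the whole enrichment run.
            continue
    return nets


def is_in_cidr_ranges(ip: str, nets: list) -> bool:
    """True if ip is a valid address contained in any of the given networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in nets)


def split_for_enrichment(ips: list, raw_internal_range: str) -> dict:
    """Bucket alert IPs into internal, external and invalid.

    Assumption for this example: only the external bucket is handed on to
    IP enrichment (geolocation, ASN, reputation); internal and invalid IPs are
    reported but not looked up externally.
    """
    nets = parse_ranges(raw_internal_range)
    result = {"internal": [], "external": [], "invalid": []}
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            result["invalid"].append(ip)
            continue
        bucket = "internal" if is_in_cidr_ranges(ip, nets) else "external"
        result[bucket].append(ip)
    return result
```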

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| IP | The IP objects. | unknown |
| DBotScore | Indicator, Score, Type, Vendor. | unknown |
| Account | The account object. | unknown |
| IAM | Generic IAM output. | unknown |
| UserManagerEmail | The email of the user's manager. | unknown |
| UserManagerDisplayName | The display name of the user's manager. | unknown |
| MSGraphUser | The MSGraphUser object. | unknown |
| MSGraphUserManager.Manager | The MSGraph Manager object. | unknown |
| SailPointIdentityNow | The SailPointIdentityNow object. | unknown |
| SailPointIdentityNow.Account | The IdentityNow account object. | unknown |
| IdentityIQ | The IdentityIQ object. | unknown |
| ActiveDirectory.Users | The ActiveDirectory Users object. | unknown |

Playbook Image

[Playbook image: XCloud Alert Enrichment]