
ip-enrichment

This script is part of the Aggregated Scripts Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This script gathers IP reputation data from multiple integrations and returns an IP entity with consolidated information in the context.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.10.0 |

Inputs

| Argument Name | Description |
| --- | --- |
| ip_list | A comma-separated list of IPs to enrich. |
| external_enrichment | Whether to call external integrations for enrichment. 'true': enrich using enabled external integrations (e.g., VirusTotal (API v3), AlienVault OTX v2) and run internal commands. 'false': use only existing TIM data and run internal commands; skip external integrations. If the 'brands' argument is provided, this flag is ignored and enrichment and internal commands run only on the brands provided. |
| verbose | Retrieve a human-readable entry for each command; if false, only the final result is summarized and errors are suppressed. |
| brands | A list of integration brands to run enrichment against. Example: `"VirusTotal (API v3), AlienVault OTX v2"`. If provided, only the selected brands are used. If left empty, the script runs enrichment on all enabled integrations, depending on the `external_enrichment` flag. To run get-endpoint-data, add Core to the brands list. To run core-get-IP-analytics-prevalence, add Cortex Core - IR to the brands list. To see the available brands for the `ip` command, run: `!ProvidesCommand command=ip`. |
| additional_fields | When set to true, the output includes an `AdditionalFields` object for each indicator result. `AdditionalFields` contains all fields returned by TIM or the integrations that are not part of the standard output keys: `Address`, `DetectionEngines`, `PositiveDetections`, `Score`, and `Brand`. When set to false, only the standard keys are returned. |

Outputs

| Path | Description | Type |
| --- | --- | --- |
| IPEnrichment.Value | The IP address. | string |
| IPEnrichment.MaxScore | The max score of all the indicators found. | number |
| IPEnrichment.MaxVerdict | The max verdict of all the indicators found. | string |
| IPEnrichment.TIMScore | The TIM score of the IP address. | number |
| IPEnrichment.Results | A list of all indicators found for the IP address. | array |
| IPEnrichment.Status | The status of the indicator: "Manual" if the score was changed manually, "Fresh" if modified within the last week, "Stale" if modified more than a week ago, and "None" if never modified. | string |
| IPEnrichment.ModifiedTime | The time the indicator was last modified. | Date |
| IPEnrichment.Results.Source | The source of the indicator. | string |
| IPEnrichment.Results.Brand | The brand of the indicator. | string |
| IPEnrichment.Results.DetectionEngines | The detection engines of the indicator. | number |
| IPEnrichment.Results.PositiveDetections | The positive detections of the indicator. | number |
| IPEnrichment.Results.ASOwner | Registered owner of the Autonomous System announcing the IP prefix. | string |
| IPEnrichment.Results.Score | The score of the indicator. | number |
| IPEnrichment.Results.Verdict | The verdict of the indicator. | string |
| IPEnrichment.Results.Address | The IP address of the indicator. | string |
| IPEnrichment.Results.AdditionalFields | All fields extracted from the indicator other than the main keys ("Brand", "Score", "Verdict", "DetectionEngines", "PositiveDetections", "Address"). | list |
| IPEnrichment.Results.AdditionalFields.Relationships.EntityA | The source of the relationship. | string |
| IPEnrichment.Results.AdditionalFields.Relationships.EntityB | The destination of the relationship. | string |
| IPEnrichment.Results.AdditionalFields.Relationships.Relationship | The name of the relationship. | string |
| IPEnrichment.Results.AdditionalFields.Relationships.EntityAType | The type of the source of the relationship. | string |
| IPEnrichment.Results.AdditionalFields.Relationships.EntityBType | The type of the destination of the relationship. | string |
| IPEnrichment.Results.AdditionalFields.ASN | The autonomous system name for the IP address, for example: "AS8948". | String |
| IPEnrichment.Results.AdditionalFields.Hostname | The hostname that is mapped to this IP address. | String |
| IPEnrichment.Results.AdditionalFields.Geo.Location | The geolocation where the IP address is located, in the format: latitude:longitude. | String |
| IPEnrichment.Results.AdditionalFields.Geo.Country | The country in which the IP address is located. | String |
| IPEnrichment.Results.AdditionalFields.Geo.Description | Additional information about the location. | String |
| IPEnrichment.Results.AdditionalFields.Malicious.Vendor | The vendor reporting the IP address as malicious. | String |
| IPEnrichment.Results.AdditionalFields.Malicious.Description | A description explaining why the IP address was reported as malicious. | String |
| IPEnrichment.Results.AdditionalFields.Tags | (List) Tags of the IP. | Unknown |
| IPEnrichment.Results.AdditionalFields.FeedRelatedIndicators.value | Indicators that are associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.FeedRelatedIndicators.type | The type of the indicators that are associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.FeedRelatedIndicators.description | The description of the indicators that are associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.MalwareFamily | The malware family associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.Organization.Name | The organization of the IP. | String |
| IPEnrichment.Results.AdditionalFields.Organization.Type | The organization type of the IP. | String |
| IPEnrichment.Results.AdditionalFields.Region | The region in which the IP is located. | String |
| IPEnrichment.Results.AdditionalFields.Port | Ports that are associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.Internal | Whether the IP is internal or external. | Bool |
| IPEnrichment.Results.AdditionalFields.UpdatedDate | The date that the IP was last updated. | Date |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Name | The name of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Address | The address of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Country | The country of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Network | The network of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Phone | The phone number of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Registrar.Abuse.Email | The email address of the contact for reporting abuse. | String |
| IPEnrichment.Results.AdditionalFields.Campaign | The campaign associated with the IP. | String |
| IPEnrichment.Results.AdditionalFields.TrafficLightProtocol | The Traffic Light Protocol (TLP) color that is suitable for the IP. | String |
| IPEnrichment.Results.AdditionalFields.CommunityNotes.note | Notes on the IP that were given by the community. | String |
| IPEnrichment.Results.AdditionalFields.CommunityNotes.timestamp | The time at which the note was published. | Date |
| IPEnrichment.Results.AdditionalFields.Publications.source | The source in which the article was published. | String |
| IPEnrichment.Results.AdditionalFields.Publications.title | The name of the article. | String |
| IPEnrichment.Results.AdditionalFields.Publications.link | A link to the original article. | String |
| IPEnrichment.Results.AdditionalFields.Publications.timestamp | The time at which the article was published. | Date |
| IPEnrichment.Results.AdditionalFields.ThreatTypes.threatcategory | The threat category associated with this indicator by the source vendor, for example, Phishing, Control, TOR, etc. | String |
| IPEnrichment.Results.AdditionalFields.ThreatTypes.threatcategoryconfidence | Threat Category Confidence is the confidence level provided by the vendor for the threat type category. For example, a confidence level of 90 for the 'malware' threat type category means that the vendor is 90% confident that it is malware. | String |
| Core.AnalyticsPrevalence.Ip.value | Whether the IP address is prevalent or not. | Boolean |
| Core.AnalyticsPrevalence.Ip.data.global_prevalence.value | The global prevalence of the IP. | Number |
| Core.AnalyticsPrevalence.Ip.data.local_prevalence.value | The local prevalence of the IP. | Number |
| Core.AnalyticsPrevalence.Ip.data.prevalence.value | The prevalence of the IP. | Number |
| EndpointData.Hostname.value | The endpoint's hostname. | String |
| EndpointData.Hostname.source | The vendor from which the hostname of this endpoint was retrieved. | String |
| EndpointData.EntityA.value | The source of the relationship. | String |
| EndpointData.EntityA.source | The vendor from which EntityA of this endpoint was retrieved. | String |
| EndpointData.EntityB.value | The destination of the relationship. | String |
| EndpointData.EntityB.source | The vendor from which EntityB of this endpoint was retrieved. | String |
| EndpointData.Relationship.value | The name of the relationship. | String |
| EndpointData.Relationship.source | The vendor from which the relationship of this endpoint was retrieved. | String |
| EndpointData.EntityAType.value | The type of the source of the relationship. | String |
| EndpointData.EntityAType.source | The vendor from which the type of the source of the relationship of this endpoint was retrieved. | String |
| EndpointData.EntityBType.value | The type of the destination of the relationship. | String |
| EndpointData.EntityBType.source | The vendor from which the type of the destination of the relationship of this endpoint was retrieved. | String |
| EndpointData.ID.value | The endpoint's ID. | String |
| EndpointData.ID.source | The vendor from which the ID of this endpoint was retrieved. | String |
| EndpointData.IPAddress | The endpoint's IP address. | String |
| EndpointData.Domain.value | The endpoint's domain. | String |
| EndpointData.Domain.source | The vendor from which the domain of this endpoint was retrieved. | String |
| EndpointData.MACAddress.value | The endpoint's MAC address. | String |
| EndpointData.MACAddress.source | The vendor from which the MAC address of this endpoint was retrieved. | String |
| EndpointData.DHCPServer.value | The DHCP server of the endpoint. | String |
| EndpointData.DHCPServer.source | The vendor from which the DHCP server of this endpoint was retrieved. | String |
| EndpointData.OS.value | The endpoint's operating system. | String |
| EndpointData.OS.source | The vendor from which the operating system of this endpoint was retrieved. | String |
| EndpointData.OSVersion.value | The endpoint's operating system version. | String |
| EndpointData.OSVersion.source | The vendor from which the operating system version of this endpoint was retrieved. | String |
| EndpointData.BIOSVersion.value | The endpoint's BIOS version. | String |
| EndpointData.BIOSVersion.source | The vendor from which the BIOS version of this endpoint was retrieved. | String |
| EndpointData.Model.value | The model of the machine or device. | String |
| EndpointData.Model.source | The vendor from which the model of this endpoint was retrieved. | String |
| EndpointData.Memory.value | Amount of memory on this endpoint. | Integer |
| EndpointData.Memory.source | The vendor from which the amount of memory of this endpoint was retrieved. | String |
| EndpointData.Processors.value | The number of processors. | Integer |
| EndpointData.Processors.source | The vendor from which the processors of this endpoint were retrieved. | String |
| EndpointData.Processor.value | The model of the processor. | String |
| EndpointData.Processor.source | The vendor from which the processor of this endpoint was retrieved. | String |
| EndpointData.IsIsolated.value | The endpoint's isolation status. | String |
| EndpointData.IsIsolated.source | The vendor from which the isolation of this endpoint was retrieved. | String |
| EndpointData.Status.value | The endpoint's status. | String |
| EndpointData.Status.source | The vendor from which the status of this endpoint was retrieved. | String |
| EndpointData.Vendor.value | The integration name of the endpoint vendor. | String |
| EndpointData.Vendor.source | The vendor from which the Vendor of this endpoint was retrieved. | String |
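The following is an added example, not the script's own code, showing how per-brand `ip` results can be consolidated into the `IPEnrichment` context shape documented in the Inputs and Outputs tables above: `MaxScore`/`MaxVerdict` across brands, the `Status` rule (Manual/Fresh/Stale/None), and the `additional_fields` split between standard keys and `AdditionalFields`. It assumes the standard DBotScore scale (0 Unknown, 1 Good, 2 Suspicious, 3 Bad), that the TIM score participates in `MaxScore`, and uses constructed sample results for an RFC 5737 documentation address.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumption: standard DBotScore scale used by the ip command.
VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}
# Standard keys listed for the additional_fields argument; everything else is "additional".
STANDARD_KEYS = {"Address", "DetectionEngines", "PositiveDetections", "Score", "Brand"}


def indicator_status(modified: Optional[str], now: datetime, manual: bool = False) -> str:
    """Status rule from the Outputs table: Manual, then Fresh (within a week), Stale, None."""
    if manual:
        return "Manual"
    if not modified:
        return "None"
    ts = datetime.fromisoformat(modified.replace("Z", "+00:00"))
    return "Fresh" if now - ts <= timedelta(weeks=1) else "Stale"


def consolidate(ip: str, raw_results: List[Dict], tim_score: int, modified: Optional[str],
                manual: bool, additional_fields: bool, now: datetime) -> Dict:
    """Build one IPEnrichment entry from the per-brand results for a single IP."""
    results = []
    for r in raw_results:
        entry = {k: r[k] for k in STANDARD_KEYS if k in r}
        entry["Verdict"] = VERDICTS.get(r.get("Score", 0), "Unknown")
        if additional_fields:  # mirrors the additional_fields argument
            entry["AdditionalFields"] = {k: v for k, v in r.items() if k not in STANDARD_KEYS}
        results.append(entry)
    # Assumption: the TIM score counts as one of the indicators found.
    max_score = max([tim_score] + [r.get("Score", 0) for r in raw_results])
    return {
        "Value": ip, "MaxScore": max_score, "MaxVerdict": VERDICTS[max_score],
        "TIMScore": tim_score, "Status": indicator_status(modified, now, manual),
        "ModifiedTime": modified, "Results": results,
    }


# Constructed sample: two brands disagree about the same IP.
SAMPLE = [
    {"Brand": "VirusTotal (API v3)", "Address": "203.0.113.7", "Score": 3,
     "DetectionEngines": 70, "PositiveDetections": 12, "ASN": "AS64496"},
    {"Brand": "AlienVault OTX v2", "Address": "203.0.113.7", "Score": 2,
     "DetectionEngines": 1, "PositiveDetections": 1, "Tags": ["scanner"]},
]
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "now" so the Status rule is reproducible

if __name__ == "__main__":
    print(consolidate("203.0.113.7", SAMPLE, 1, "2024-06-05T00:00:00Z", False, True, NOW))
```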