This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout.
The playbook collects or enriches the following data:
- Resource enrichment
- Previous activity seen in the specified region or project
- Account enrichment
- Network enrichment
- Attacker IP
- Geolocation
- ASN
This playbook uses the following sub-playbooks, integrations, and scripts.
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Whois
- If-Then-Else
- Set
- CopyContextToField
- IsInCidrRanges
- setIncident
- ip
Name | Description | Default Value | Required |
---|---|---|---|
ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/ False). | True | Optional |
InternalRange | A list of internal IP ranges to check IP addresses against. \nFor IP Enrichment - Generic v2 playbook. | Optional |
Path | Description | Type |
---|---|---|
IP | The IP objects | unknown |
DBotScore | Indicator, Score, Type, Vendor | unknown |
Account | The account object. | unknown |
IAM | Generic IAM output. | unknown |
ASNType | Checks for cloud ASNs. | unknown |
isKnownRegion | Checks if any recent activity was seen in the region. | unknown |
isKnownProject | Checks if any recent activity was seen in the project. | unknown |
resourceCount | Involved resource count. | unknown |
uniqueRegionCount | Involved region distinct count. | unknown |