This playbook is responsible for collecting data from Cortex XDR detector and enriching data for further usage and building the layout.
The playbook collects or enriches the following data:
- Resource enrichment
- Previous activity seen in the specified region or project
- Account enrichment
- Network enrichment
- Attacker IP
- Geolocation
- ASN
This playbook uses the following sub-playbooks, integrations, and scripts.
- IP Enrichment - Generic v2
- Account Enrichment - Generic v2.1
- Whois
- If-Then-Else
- Set
- CopyContextToField
- IsInCidrRanges
- setIncident
- ip
| Name | Description | Default Value | Required |
|---|---|---|---|
| ResolveIP | Determines whether to convert the IP address to a hostname using a DNS query (True/ False). | True | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. \nFor IP Enrichment - Generic v2 playbook. | Optional |
| Path | Description | Type |
|---|---|---|
| IP | The IP objects | unknown |
| DBotScore | Indicator, Score, Type, Vendor | unknown |
| Account | The account object. | unknown |
| IAM | Generic IAM output. | unknown |
| ASNType | Checks for cloud ASNs. | unknown |
| isKnownRegion | Checks if any recent activity was seen in the region. | unknown |
| isKnownProject | Checks if any recent activity was seen in the project. | unknown |
| resourceCount | Involved resource count. | unknown |
| uniqueRegionCount | Involved region distinct count. | unknown |
