Account Enrichment - Generic v2.1
Enrich accounts using one or more integrations. Supported integrations: - Active Directory - Microsoft Graph User - SailPoint IdentityNow - SailPoint IdentityIQ - PingOne - Okta - AWS IAM - Cortex XDR (account enrichment and reputation) Also, the playbook supports the generic command 'iam-get-user' (implemented in IAM integrations). For more information, visit https://xsoar.pan.dev/docs/integrations/iam-integrations.
Common Playbooks · 39 tasks · 2 inputs · 145 outputs
Inputs
Username— The usernames to enrich. This input supports multiple usernames. Usernames can be with or without a domain prefix, in the format of "username" or "domain\username". Domain usernames will only be enriched in integrations that support them.Domain— Optional - This input is needed for the IAM-get-user command (used in the Account Enrichment - IAM playbook). Please provide the domain name that the user is related to. Example: @xsoar.com
Outputs
Account— The account object.ActiveDirectory.Users.sAMAccountName— The user's SAM account name.ActiveDirectory.Users.userAccountControl— The user's account control flag.ActiveDirectory.Users.mail— The user's email address.ActiveDirectory.Users.memberOf— Groups the user is a member of.IAM— Generic IAM output.IdentityIQ.Identity— Identity asset from IdentityIQ.PingOne.Account— Account in PingID.ActiveDirectory.Users.manager— The manager of the user.IAM.Vendor.active— When true, indicates that the employee's status is active in the 3rd-party integration.IAM.Vendor.brand— Name of the integration.IAM.Vendor.details— Provides the raw data from the 3rd-party integration.IAM.Vendor.email— The employee's email address.IAM.Vendor.errorCode— HTTP error response code.IAM.Vendor.errorMessage— Reason why the API failed.IAM.Vendor.id— The employee's user ID in the app.IAM.Vendor.instanceName— Name of the integration instance.IAM.Vendor.success— When true, indicates that the command was executed successfully.IAM.Vendor.username— The employee's username in the app.IdentityIQ.Identity.userName— The IdentityIQ username (primary ID).IdentityIQ.Identity.id— The IdentityIQ internal ID (UUID).IdentityIQ.Identity.active— Indicates whether the ID is active or inactive in IdentityIQ.IdentityIQ.Identity.lastModified— Timestamp of when the identity was last modified.IdentityIQ.Identity.displayName— The display name of the identity.IdentityIQ.Identity.emails— Array of email objects.IdentityIQ.Identity.entitlements— Array of entitlement objects that the identity has.IdentityIQ.Identity.roles— Array of role objects that the identity has.IdentityIQ.Identity.capabilities— Array of string representations of the IdentityIQ capabilities assigned to this identity.IdentityIQ.Identity.name— Account name.IdentityIQ.Identity.name.formatted— The display name of the identity.IdentityIQ.Identity.name.familyName— The last name of the identity.IdentityIQ.Identity.name.givenName— The first name of the identity.IdentityIQ.Identity.manager— The account's manager returned from IdentityIQ.IdentityIQ.Identity.manager.userName— The IdentityIQ username (primary ID) of the identity's manager.IdentityIQ.Identity.emails.type— Type of the email being returned.IdentityIQ.Identity.emails.value— The email address of the identity.IdentityIQ.Identity.emails.primary— Indicates if this email address is the identity's primary email.PingOne.Account.ID— PingOne account ID.PingOne.Account.Username— PingOne account username.PingOne.Account.DisplayName— PingOne account display name.PingOne.Account.Email— PingOne account email.PingOne.Account.Enabled— PingOne account enabled status.PingOne.Account.CreatedAt— PingOne account create date.PingOne.Account.UpdatedAt— PingOne account updated date.Account.PasswordChanged— Timestamp for when the user's password was last changed.Account.StatusChanged— Timestamp for when the user's status was last changed.Account.Activated— Timestamp for when the user was activated.Account.Created— Timestamp for when the user was created.Account.Status— Okta account status.Account.Username— The user SAM account name.Account.Email— The user email address.Account.ID— The user distinguished name.ActiveDirectory.Users.dn— The user distinguished name.ActiveDirectory.Users.displayName— The user display name.ActiveDirectory.Users.name— The user common name.ActiveDirectory.Users.userAccountControlFields— The user account control fields.ActiveDirectory.Users.userAccountControlFields.SCRIPT— Whether the login script is run. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE— Whether the user account is disabled. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED— Whether the home folder is required. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.LOCKOUT— Whether the user is locked out. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD— Whether the password is required. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE— Whether the user can change the password. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED— Whether the user can send an encrypted password. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT— Whether this is an account for users whose primary account is in another domain. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT— Whether this is a default account type that represents a typical user. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT— Whether the account is permitted to trust a system domain that trusts other domains. Works for *Windows Server 2012 R2*.ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT— Whether this is a computer account for a computer running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.Account.Manager— The user manager.Account.Groups— Groups for which the user is a member.Account.DisplayName— The user display name.ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT— Whether the account is a read-only domain controller (RODC).ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION— Whether the account is enabled for delegation.ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH— Whether this account require Kerberos pre-authentication for logging on.ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY— Whether to restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED— Whether the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION— Whether the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED— Whether to force the user to log in by using a smart card.ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT— Whether this is an MNS login account.ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT— Whether this is a computer account for a domain controller that is a member of this domain. Works for *Windows Server 2012 R2*.IAM.Vendor— The returning results vendor.IAM.Vendor.action— The command name.IAM.UserProfile— The user profile.SailPointIdentityNow.Account— The IdentityNow account object.SailPointIdentityNow.Account.id— The IdentityNow internal ID (UUID).SailPointIdentityNow.Account.name— Name of the identity on this account.SailPointIdentityNow.Account.identityId— The IdentityNow internal identity ID.SailPointIdentityNow.Account.nativeIdentity— The IdentityNow internal native identity ID.SailPointIdentityNow.Account.sourceId— Source ID that maps this account.SailPointIdentityNow.Account.created— Timestamp when the account was created.SailPointIdentityNow.Account.modified— Timestamp when the account was last modified.SailPointIdentityNow.Account.attributes— Map of variable number of attributes unique to this account.SailPointIdentityNow.Account.authoritative— Indicates whether the account is the true source for this identity.SailPointIdentityNow.Account.disabled— Indicates whether the account is disabled.SailPointIdentityNow.Account.locked— Indicates whether the account is locked.SailPointIdentityNow.Account.systemAccount— Indicates whether the account is a system account.SailPointIdentityNow.Account.uncorrelated— Indicates whether the account is uncorrelated.SailPointIdentityNow.Account.manuallyCorrelated— Indicates whether the account was manually correlated.SailPointIdentityNow.Account.hasEntitlements— Indicates whether the account has entitlement.UserManagerEmail— The email of the user's manager.UserManagerDisplayName— The display name of the user's manager.MSGraphUser.ID— User's ID.MSGraphUser.DisplayName— User's display name.MSGraphUser.GivenName— User's given name.MSGraphUser.JobTitle— User's job title.MSGraphUser.Mail— User's mail address.MSGraphUser.Surname— User's surname.MSGraphUser.UserPrincipalName— User's principal name.MSGraphUserManager.Manager.ID— Manager's user ID.MSGraphUserManager.Manager.DisplayName— User's display name.MSGraphUserManager.Manager.GivenName— User's given name.MSGraphUserManager.Manager.Mail— User's mail address.MSGraphUserManager.Manager.Surname— User's surname.MSGraphUserManager.Manager.UserPrincipalName— User's principal name.PaloAltoNetworksXDR.RiskyUser— The account object.PaloAltoNetworksXDR.RiskyUser.type— Form of identification element.PaloAltoNetworksXDR.RiskyUser.id— Identification value of the type field.PaloAltoNetworksXDR.RiskyUser.score— The score assigned to the user.PaloAltoNetworksXDR.RiskyUser.reasons— The account risk objects.PaloAltoNetworksXDR.RiskyUser.reasons.date created— Date when the incident was created.PaloAltoNetworksXDR.RiskyUser.reasons.description— Description of the incident.PaloAltoNetworksXDR.RiskyUser.reasons.severity— The severity of the incidentPaloAltoNetworksXDR.RiskyUser.reasons.status— The incident statusPaloAltoNetworksXDR.RiskyUser.reasons.points— The score.ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD— Whether to never expire the password on the account.ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED— Whether the user password expired.Account.ManagerEmail— The manager email.AWS.IAM.Users— AWS IAM output.AWS.IAM.Users.UserName— The friendly name identifying the user.AWS.IAM.Users.UserId— The stable and unique string identifying the user.AWS.IAM.Users.Arn— The Amazon Resource Name (ARN) that identifies the user.AWS.IAM.Users.CreateDate— The date and time when the user was created.AWS.IAM.Users.Path— The path to the user.AWS.IAM.Users.PasswordLastUsed— The date and time, when the user's password was last used to sign in to an AWS website.MSGraphUser.MobilePhone— User's mobile phone number.MSGraphUser.OfficeLocation— User's office location.Account.JobTitle— User’s job title.Account.TelephoneNumber— User’s mobile phone number.Account.Office— User’s office location.Account.Type— The account entity type.Account.Email.Address— User’s mail address.MSGraphUserManager.Manager.BusinessPhones— User's business phone numbers.MSGraphUser.BusinessPhones— User's business phone numbers.MSGraphUserManager.Manager.JobTitle— User's job title.MSGraphUserManager.Manager.MobilePhone— User's mobile phone number.MSGraphUserManager.Manager.OfficeLocation— User's office location.
Commands used
ad-get-user
aws-iam-get-user
iam-get-user
identityiq-search-identities
identitynow-get-accounts
msgraph-user-get
msgraph-user-get-manager
okta-get-user
pingone-get-user
xdr-list-risky-users