Entity Enrichment - Generic v2

Enrich entities using one or more integrations

Common Playbooks · 9 tasks · 13 inputs · 336 outputs

Inputs

  • IP — The IP addresses to enrich
  • InternalRange — A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).
  • MD5 — File MD5 to enrich
  • SHA256 — File SHA256 to enrich
  • SHA1 — File SHA1 to enrich
  • URL — URL to enrich
  • Email — The email addresses to enrich
  • Hostname — The hostname to enrich
  • Username — The Username to enrich
  • Domain — The domain name to enrich
  • ResolveIP — Determines whether the IP Enrichment - Generic playbook should convert IP addresses to hostnames using a DNS query. You can set this to either True or False.
  • InternalDomains — A CSV list of internal domains. The list will be used to determine whether an email address is internal or external.
  • UseReputationCommand — Define whether you wish to use the reputation command during the enrichment process. Note: This input should be used whenever auto-extract is not enabled in the investigation flow. The default value is false Possible values: True / False.

Outputs

  • IP — The IP object.
  • Endpoint — The endpoint object.
  • Endpoint.Hostname — The hostname that was enriched.
  • Endpoint.OS — The endpoint's operating system.
  • Endpoint.IP — A list of endpoint IP addresses.
  • Endpoint.MAC — A list of endpoint MAC addresses.
  • Endpoint.Domain — The endpoint domain name.
  • DBotScore — The DBotScore object.
  • DBotScore.Indicator — The indicator that was tested.
  • DBotScore.Type — The indicator type.
  • DBotScore.Vendor — Vendor used to calculate the score.
  • DBotScore.Score — The actual score.
  • File — The file object.
  • File.SHA1 — SHA1 hash of the file.
  • File.SHA256 — SHA256 hash of the file.
  • File.MD5 — MD5 hash of the file.
  • File.Malicious — Whether the file is malicious.
  • File.Malicious.Vendor — For malicious files, the vendor that made the decision.
  • URL — The URL object.
  • URL.Data — The enriched URL.
  • URL.Malicious — Whether the detected URL was malicious.
  • URL.Vendor — Vendor that labeled the URL as malicious.
  • URL.Description — Additional information for the URL.
  • Domain — The domain object.
  • Account — The account object.
  • Account.Email — The email of the account.
  • Account.Email.NetworkType — The email account NetworkType (Internal/External).
  • Account.Email.Distance — The object that contains the distance between the email domain and the compared domain.
  • Account.Email.Distance.Domain — The compared domain.
  • Account.Email.Distance.Value — The distance between the email domain and the compared domain.
  • ActiveDirectory.Users — An object containing information about the user from Active Directory.
  • ActiveDirectory.Users.sAMAccountName — The user's samAccountName.
  • ActiveDirectory.Users.userAccountControl — The user's account control flag.
  • ActiveDirectory.Users.mail — The user's email address.
  • ActiveDirectory.Users.memberOf — Groups the user is a member of.
  • CylanceProtectDevice — The device information about the hostname that was enriched using Cylance Protect v2.
  • File.VirusTotal.Scans — The scan object.
  • File.VirusTotal.Scans.Source — Vendor that scanned this hash.
  • File.VirusTotal.Scans.Detected — Whether a scan was detected for this hash (True/False).
  • File.VirusTotal.Scans.Result — Scan result for this hash - signature, etc.
  • IAM — Generic IAM output.
  • UserManagerEmail — The email of the user's manager.
  • UserManagerDisplayName — The display name of the user's manager.
  • ActiveDirectory.Users.manager — The manager of the user.
  • ActiveDirectory.Users.dn — The user distinguished name.
  • ActiveDirectory.Users.displayName — The user display name.
  • ActiveDirectory.Users.name — The user common name.
  • ActiveDirectory.Users.userAccountControlFields — The user account control fields.
  • IdentityIQ.Identity — Identity asset from IdentityIQ.
  • PingOne.Account — Account in PingID.
  • IAM.Vendor.active — When true, indicates that the employee's status is active in the 3rd-party integration.
  • IAM.Vendor.brand — Name of the integration.
  • IAM.Vendor.details — Provides the raw data from the 3rd-party integration.
  • IAM.Vendor.email — The employee's email address.
  • IAM.Vendor.errorCode — HTTP error response code.
  • IAM.Vendor.errorMessage — Reason why the API failed.
  • IAM.Vendor.id — The employee's user ID in the app.
  • IAM.Vendor.instanceName — Name of the integration instance.
  • IAM.Vendor.success — When true, indicates that the command was executed successfully.
  • IAM.Vendor.username — The employee's username in the app.
  • IAM.Vendor.action — The command name.
  • IdentityIQ.Identity.userName — The IdentityIQ username (primary ID).
  • IdentityIQ.Identity.id — The IdentityIQ internal ID (UUID).
  • IdentityIQ.Identity.active — Indicates whether the ID is active or inactive in IdentityIQ.
  • IdentityIQ.Identity.lastModified — Timestamp of when the identity was last modified.
  • IdentityIQ.Identity.displayName — The display name of the identity.
  • IdentityIQ.Identity.emails — Array of email objects.
  • IdentityIQ.Identity.entitlements — Array of entitlement objects that the identity has.
  • IdentityIQ.Identity.roles — Array of role objects that the identity has.
  • IdentityIQ.Identity.capabilities — Array of string representations of the IdentityIQ capabilities assigned to this identity.
  • IdentityIQ.Identity.name — Account name.
  • IdentityIQ.Identity.manager — The account's manager returned from IdentityIQ.
  • IdentityIQ.Identity.name.formatted — The display name of the identity.
  • IdentityIQ.Identity.name.familyName — The last name of the identity.
  • IdentityIQ.Identity.name.givenName — The first name of the identity.
  • IdentityIQ.Identity.manager.userName — The IdentityIQ username (primary ID) of the identity's manager.
  • IdentityIQ.Identity.emails.type — Type of the email being returned.
  • IdentityIQ.Identity.emails.value — The email address of the identity.
  • IdentityIQ.Identity.emails.primary — Indicates if this email address is the identity's primary email.
  • PingOne.Account.ID — PingOne account ID.
  • PingOne.Account.Username — PingOne account username.
  • PingOne.Account.DisplayName — PingOne account display name.
  • PingOne.Account.Email — PingOne account email.
  • PingOne.Account.Enabled — PingOne account enabled status.
  • PingOne.Account.CreatedAt — PingOne account create date.
  • PingOne.Account.UpdatedAt — PingOne account updated date.
  • Account.PasswordChanged — Timestamp for when the user's password was last changed.
  • Account.StatusChanged — Timestamp for when the user's status was last changed.
  • Account.Activated — Timestamp for when the user was activated.
  • Account.Created — Timestamp for when the user was created.
  • Account.Status — Okta account status.
  • Account.Username — The user SAM account name.
  • Account.ID — The user distinguished name.
  • Account.Manager — The user manager.
  • Account.Groups — Groups for which the user is a member.
  • Account.DisplayName — The user display name.
  • Account.ManagerEmail — The manager email.
  • Account.JobTitle — User’s job title.
  • Account.TelephoneNumber — User’s mobile phone number.
  • Account.Office — User’s office location.
  • Account.Type — The account entity type.
  • ActiveDirectory.Users.userAccountControlFields.SCRIPT — Whether the login script is run. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.ACCOUNTDISABLE — Whether the user account is disabled. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.HOMEDIR_REQUIRED — Whether the home folder is required. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.LOCKOUT — Whether the user is locked out. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.PASSWD_NOTREQD — Whether the password is required. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.PASSWD_CANT_CHANGE — Whether the user can change the password. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.ENCRYPTED_TEXT_PWD_ALLOWED — Whether the user can send an encrypted password. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.TEMP_DUPLICATE_ACCOUNT — Whether this is an account for users whose primary account is in another domain. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.NORMAL_ACCOUNT — Whether this is a default account type that represents a typical user. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.INTERDOMAIN_TRUST_ACCOUNT — Whether the account is permitted to trust a system domain that trusts other domains. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.WORKSTATION_TRUST_ACCOUNT — Whether this is a computer account for a computer running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
  • ActiveDirectory.Users.userAccountControlFields.PARTIAL_SECRETS_ACCOUNT — Whether the account is a read-only domain controller (RODC).
  • ActiveDirectory.Users.userAccountControlFields.TRUSTED_TO_AUTH_FOR_DELEGATION — Whether the account is enabled for delegation.
  • ActiveDirectory.Users.userAccountControlFields.DONT_REQ_PREAUTH — Whether this account require Kerberos pre-authentication for logging on.
  • ActiveDirectory.Users.userAccountControlFields.USE_DES_KEY_ONLY — Whether to restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
  • ActiveDirectory.Users.userAccountControlFields.NOT_DELEGATED — Whether the security context of the user isn't delegated to a service even if the service account is set as trusted for Kerberos delegation.
  • ActiveDirectory.Users.userAccountControlFields.TRUSTED_FOR_DELEGATION — Whether the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation.
  • ActiveDirectory.Users.userAccountControlFields.SMARTCARD_REQUIRED — Whether to force the user to log in by using a smart card.
  • ActiveDirectory.Users.userAccountControlFields.MNS_LOGON_ACCOUNT — Whether this is an MNS login account.
  • ActiveDirectory.Users.userAccountControlFields.SERVER_TRUST_ACCOUNT — Whether this is a computer account for a domain controller that is a member of this domain. Works for *Windows Server 2012 R2*.
  • ActiveDirectory.Users.userAccountControlFields.DONT_EXPIRE_PASSWORD — Whether to never expire the password on the account.
  • ActiveDirectory.Users.userAccountControlFields.PASSWORD_EXPIRED — Whether the user password expired.
  • IAM.Vendor — The returning results vendor.
  • IAM.UserProfile — The user profile.
  • SailPointIdentityNow.Account — The IdentityNow account object.
  • SailPointIdentityNow.Account.id — The IdentityNow internal ID (UUID).
  • SailPointIdentityNow.Account.name — Name of the identity on this account.
  • SailPointIdentityNow.Account.identityId — The IdentityNow internal identity ID.
  • SailPointIdentityNow.Account.nativeIdentity — The IdentityNow internal native identity ID.
  • SailPointIdentityNow.Account.sourceId — Source ID that maps this account.
  • SailPointIdentityNow.Account.created — Timestamp when the account was created.
  • SailPointIdentityNow.Account.modified — Timestamp when the account was last modified.
  • SailPointIdentityNow.Account.attributes — Map of variable number of attributes unique to this account.
  • SailPointIdentityNow.Account.authoritative — Indicates whether the account is the true source for this identity.
  • SailPointIdentityNow.Account.disabled — Indicates whether the account is disabled.
  • SailPointIdentityNow.Account.locked — Indicates whether the account is locked.
  • SailPointIdentityNow.Account.systemAccount — Indicates whether the account is a system account.
  • SailPointIdentityNow.Account.uncorrelated — Indicates whether the account is uncorrelated.
  • SailPointIdentityNow.Account.manuallyCorrelated — Indicates whether the account was manually correlated.
  • SailPointIdentityNow.Account.hasEntitlements — Indicates whether the account has entitlement.
  • MSGraphUser.ID — User's ID.
  • MSGraphUser.DisplayName — User's display name.
  • MSGraphUser.GivenName — User's given name.
  • MSGraphUser.JobTitle — User's job title.
  • MSGraphUser.Mail — User's mail address.
  • MSGraphUser.Surname — User's surname.
  • MSGraphUser.UserPrincipalName — User's principal name.
  • MSGraphUser.MobilePhone — User's mobile phone number.
  • MSGraphUser.OfficeLocation — User's office location.
  • MSGraphUser.BusinessPhones — User's business phone numbers.
  • MSGraphUserManager.Manager.ID — Manager's user ID.
  • MSGraphUserManager.Manager.DisplayName — User's display name.
  • MSGraphUserManager.Manager.GivenName — User's given name.
  • MSGraphUserManager.Manager.Mail — User's mail address.
  • MSGraphUserManager.Manager.Surname — User's surname.
  • MSGraphUserManager.Manager.UserPrincipalName — User's principal name.
  • MSGraphUserManager.Manager.BusinessPhones — User's business phone numbers.
  • MSGraphUserManager.Manager.JobTitle — User's job title.
  • MSGraphUserManager.Manager.MobilePhone — User's mobile phone number.
  • MSGraphUserManager.Manager.OfficeLocation — User's office location.
  • PaloAltoNetworksXDR.RiskyUser — The account object.
  • PaloAltoNetworksXDR.RiskyUser.type — Form of identification element.
  • PaloAltoNetworksXDR.RiskyUser.id — Identification value of the type field.
  • PaloAltoNetworksXDR.RiskyUser.score — The score assigned to the user.
  • PaloAltoNetworksXDR.RiskyUser.reasons — The account risk objects.
  • PaloAltoNetworksXDR.RiskyUser.reasons.date created — Date when the incident was created.
  • PaloAltoNetworksXDR.RiskyUser.reasons.description — Description of the incident.
  • PaloAltoNetworksXDR.RiskyUser.reasons.severity — The severity of the incident
  • PaloAltoNetworksXDR.RiskyUser.reasons.status — The incident status
  • PaloAltoNetworksXDR.RiskyUser.reasons.points — The score.
  • AWS.IAM.Users — AWS IAM output.
  • AWS.IAM.Users.UserName — The friendly name identifying the user.
  • AWS.IAM.Users.UserId — The stable and unique string identifying the user.
  • AWS.IAM.Users.Arn — The Amazon Resource Name (ARN) that identifies the user.
  • AWS.IAM.Users.CreateDate — The date and time when the user was created.
  • AWS.IAM.Users.Path — The path to the user.
  • AWS.IAM.Users.PasswordLastUsed — The date and time, when the user's password was last used to sign in to an AWS website.
  • Account.Email.Address — User’s mail address.
  • URL.Malicious.Vendor — For malicious URLs, the vendor that made the decision.
  • URL.Malicious.Description — For malicious URLs, the reason that the vendor made the decision.
  • DBotScore.Reliability — Reliability of the source providing the intelligence data.
  • Endpoint.IPAddress — The endpoint IP address or list of IP addresses.
  • Endpoint.ID — The endpoint ID.
  • Endpoint.Status — The endpoint status.
  • Endpoint.IsIsolated — The endpoint isolation status.
  • Endpoint.MACAddress — The endpoint MAC address.
  • Endpoint.Vendor — The integration name of the endpoint vendor.
  • Endpoint.Relationships — The endpoint relationships of the endpoint that was enriched.
  • Endpoint.Processor — The model of the processor.
  • Endpoint.Processors — The number of processors.
  • Endpoint.Memory — Memory on this endpoint.
  • Endpoint.Model — The model of the machine or device.
  • Endpoint.BIOSVersion — The endpoint's BIOS version.
  • Endpoint.OSVersion — The endpoint's operation system version.
  • Endpoint.DHCPServer — The DHCP server of the endpoint.
  • Endpoint.Groups — Groups for which the computer is listed as a member.
  • ExtraHop.Device.Macaddr — The MAC Address of the device.
  • ExtraHop.Device.DeviceClass — The class of the device.
  • ExtraHop.Device.UserModTime — The time of the most recent update, expressed in milliseconds since the epoch.
  • ExtraHop.Device.AutoRole — The role automatically detected by the ExtraHop.
  • ExtraHop.Device.ParentId — The ID of the parent device.
  • ExtraHop.Device.Vendor — The device vendor.
  • ExtraHop.Device.Analysis — The level of analysis preformed on the device.
  • ExtraHop.Device.DiscoveryId — The UUID given by the Discover appliance.
  • ExtraHop.Device.DefaultName — The default name of the device.
  • ExtraHop.Device.DisplayName — The display name of device.
  • ExtraHop.Device.OnWatchlist — Whether the device is on the advanced analysis allow list.
  • ExtraHop.Device.ModTime — The time of the most recent update, expressed in milliseconds since the epoch.
  • ExtraHop.Device.IsL3 — Indicates whether the device is a Layer 3 device.
  • ExtraHop.Device.Role — The role of the device.
  • ExtraHop.Device.DiscoverTime — The time that the device was discovered.
  • ExtraHop.Device.Id — The ID of the device.
  • ExtraHop.Device.Ipaddr4 — The IPv4 address of the device.
  • ExtraHop.Device.Vlanid — The ID of VLan.
  • ExtraHop.Device.Ipaddr6 — The IPv6 address of the device.
  • ExtraHop.Device.NodeId — The Node ID of the Discover appliance.
  • ExtraHop.Device.Description — A user customizable description of the device.
  • ExtraHop.Device.DnsName — The DNS name associated with the device.
  • ExtraHop.Device.DhcpName — The DHCP name associated with the device.
  • ExtraHop.Device.CdpName — The Cisco Discovery Protocol name associated with the device.
  • ExtraHop.Device.NetbiosName — The NetBIOS name associated with the device.
  • ExtraHop.Device.Url — Link to the device details page in ExtraHop.
  • McAfee.ePO.Endpoint — The endpoint that was enriched.
  • ActiveDirectory.ComputersPageCookie — An opaque string received in a paged search, used for requesting subsequent entries.
  • ActiveDirectory.Computers — The information about the hostname that was enriched using Active Directory.
  • ActiveDirectory.Computers.dn — The computer distinguished name.
  • ActiveDirectory.Computers.memberOf — Groups for which the computer is listed.
  • ActiveDirectory.Computers.name — The computer name.
  • CrowdStrike.Device — The information about the endpoint.
  • CarbonBlackEDR.Sensor.systemvolume_total_size — The size, in bytes, of the system volume of the endpoint on which the sensor is installed. installed.
  • CarbonBlackEDR.Sensor.emet_telemetry_path — The path of the EMET telemetry associated with the sensor.
  • CarbonBlackEDR.Sensor.os_environment_display_string — Human-readable string of the installed OS.
  • CarbonBlackEDR.Sensor.emet_version — The EMET version associated with the sensor.
  • CarbonBlackEDR.Sensor.emet_dump_flags — The flags of the EMET dump associated with the sensor.
  • CarbonBlackEDR.Sensor.clock_delta — The clock delta associated with the sensor.
  • CarbonBlackEDR.Sensor.supports_cblr — Whether the sensor supports Carbon Black Live Response (CbLR).
  • CarbonBlackEDR.Sensor.sensor_uptime — The uptime of the process.
  • CarbonBlackEDR.Sensor.last_update — When the sensor was last updated.
  • CarbonBlackEDR.Sensor.physical_memory_size — The size in bytes of physical memory.
  • CarbonBlackEDR.Sensor.build_id — The sensor version installed on this endpoint. From the /api/builds/ endpoint.
  • CarbonBlackEDR.Sensor.uptime — Endpoint uptime in seconds.
  • CarbonBlackEDR.Sensor.is_isolating — Boolean representing sensor-reported isolation status.
  • CarbonBlackEDR.Sensor.event_log_flush_time — If event_log_flush_time is set, the server will instruct the sensor to immediately send all data before this date, ignoring all other throttling mechanisms. To force a host current, set this value to a value far in the future. When the sensor has finished sending its queued data, this value will be null.
  • CarbonBlackEDR.Sensor.computer_dns_name — The DNS name of the endpoint on which the sensor is installed.
  • CarbonBlackEDR.Sensor.emet_report_setting — The report setting of the EMET associated with the sensor.
  • CarbonBlackEDR.Sensor.id — The ID of this sensor.
  • CarbonBlackEDR.Sensor.emet_process_count — The number of EMET processes associated with the sensor.
  • CarbonBlackEDR.Sensor.emet_is_gpo — Whether the EMET is a GPO.
  • CarbonBlackEDR.Sensor.power_state — The sensor power state.
  • CarbonBlackEDR.Sensor.network_isolation_enabled — Boolean representing the network isolation request status.
  • CarbonBlackEDR.Sensor.systemvolume_free_size — The amount of free bytes on the system volume.
  • CarbonBlackEDR.Sensor.status — The sensor status.
  • CarbonBlackEDR.Sensor.num_eventlog_bytes — The number of event log bytes.
  • CarbonBlackEDR.Sensor.sensor_health_message — Human-readable string indicating the sensor’s self-reported status.
  • CarbonBlackEDR.Sensor.build_version_string — Human-readable string of the sensor version.
  • CarbonBlackEDR.Sensor.computer_sid — Machine SID of this host.
  • CarbonBlackEDR.Sensor.next_checkin_time — Next expected communication from this computer in server-local time and zone.
  • CarbonBlackEDR.Sensor.node_id — The node ID associated with the sensor.
  • CarbonBlackEDR.Sensor.cookie — The cookie associated with the sensor.
  • CarbonBlackEDR.Sensor.emet_exploit_action — The EMET exploit action associated with the sensor.
  • CarbonBlackEDR.Sensor.computer_name — NetBIOS name of this computer.
  • CarbonBlackEDR.Sensor.license_expiration — When the license of the sensor expires.
  • CarbonBlackEDR.Sensor.supports_isolation — Whether the sensor supports isolation.
  • CarbonBlackEDR.Sensor.parity_host_id — The ID of the parity host associated with the sensor.
  • CarbonBlackEDR.Sensor.supports_2nd_gen_modloads — Whether the sensor support modload of 2nd generation.
  • CarbonBlackEDR.Sensor.network_adapters — A pipe-delimited list of IP,MAC pairs for each network interface.
  • CarbonBlackEDR.Sensor.sensor_health_status — Self-reported health score, from 0 to 100. Higher numbers indicate a better health status.
  • CarbonBlackEDR.Sensor.registration_time — Time this sensor was originally registered in server-local time and zone.
  • CarbonBlackEDR.Sensor.restart_queued — Whether a restart of the sensor is queued.
  • CarbonBlackEDR.Sensor.notes — The notes associated with the sensor.
  • CarbonBlackEDR.Sensor.num_storefiles_bytes — Number of storefiles bytes associated with the sensor.
  • CarbonBlackEDR.Sensor.os_environment_id — The ID of the OS environment of the sensor.
  • CarbonBlackEDR.Sensor.shard_id — The ID of the shard associated with the sensor.
  • CarbonBlackEDR.Sensor.boot_id — A sequential counter of boots since the sensor was installed.
  • CarbonBlackEDR.Sensor.last_checkin_time — Last communication with this computer in server-local time and zone.
  • CarbonBlackEDR.Sensor.os_type — The operating system type of the computer.
  • CarbonBlackEDR.Sensor.group_id — The sensor group ID this sensor is assigned to.
  • CarbonBlackEDR.Sensor.uninstall — When set, indicates that the sensor will be directed to uninstall on next check-in.
  • PaloAltoNetworksXDR.Endpoint.endpoint_id — The endpoint ID.
  • PaloAltoNetworksXDR.Endpoint.endpoint_name — The endpoint name.
  • PaloAltoNetworksXDR.Endpoint.endpoint_type — The endpoint type.
  • PaloAltoNetworksXDR.Endpoint.endpoint_status — The status of the endpoint.
  • PaloAltoNetworksXDR.Endpoint.os_type — The endpoint OS type.
  • PaloAltoNetworksXDR.Endpoint.ip — A list of IP addresses.
  • PaloAltoNetworksXDR.Endpoint.users — A list of users.
  • PaloAltoNetworksXDR.Endpoint.domain — The endpoint domain.
  • PaloAltoNetworksXDR.Endpoint.alias — The endpoint's aliases.
  • PaloAltoNetworksXDR.Endpoint.first_seen — First seen date/time in Epoch (milliseconds).
  • PaloAltoNetworksXDR.Endpoint.last_seen — Last seen date/time in Epoch (milliseconds).
  • PaloAltoNetworksXDR.Endpoint.content_version — Content version.
  • PaloAltoNetworksXDR.Endpoint.installation_package — Installation package.
  • PaloAltoNetworksXDR.Endpoint.active_directory — Active directory.
  • PaloAltoNetworksXDR.Endpoint.install_date — Install date in Epoch (milliseconds).
  • PaloAltoNetworksXDR.Endpoint.endpoint_version — Endpoint version.
  • PaloAltoNetworksXDR.Endpoint.is_isolated — Whether the endpoint is isolated.
  • PaloAltoNetworksXDR.Endpoint.group_name — The name of the group to which the endpoint belongs.
  • PaloAltoNetworksXDR.Endpoint.count — Number of endpoints returned.
  • Account.Domain — The domain of the account.
  • PaloAltoNetworksXDR.RiskyHost.type — Form of identification element.
  • PaloAltoNetworksXDR.RiskyHost.id — Identification value of the type field.
  • PaloAltoNetworksXDR.RiskyHost.score — The score assigned to the host.
  • PaloAltoNetworksXDR.RiskyHost.reasons — The endpoint risk objects.
  • PaloAltoNetworksXDR.RiskyHost.reasons.date created — Date when the incident was created.
  • PaloAltoNetworksXDR.RiskyHost.reasons.description — Description of the incident.
  • PaloAltoNetworksXDR.RiskyHost.reasons.severity — The severity of the incident.
  • PaloAltoNetworksXDR.RiskyHost.reasons.status — The incident status.
  • PaloAltoNetworksXDR.RiskyHost.reasons.points — The score.
  • Core.Endpoint.endpoint_id — The endpoint ID.
  • Core.Endpoint.endpoint_name — The endpoint name.
  • Core.Endpoint.endpoint_type — The endpoint type.
  • Core.Endpoint.endpoint_status — The status of the endpoint.
  • Core.Endpoint.os_type — The endpoint OS type.
  • Core.Endpoint.ip — A list of IP addresses.
  • Core.Endpoint.users — A list of users.
  • Core.Endpoint.domain — The endpoint domain.
  • Core.Endpoint.alias — The endpoint's aliases.
  • Core.Endpoint.first_seen — First seen date/time in Epoch (milliseconds).
  • Core.Endpoint.last_seen — Last seen date/time in Epoch (milliseconds).
  • Core.Endpoint.content_version — Content version.
  • Core.Endpoint.installation_package — Installation package.
  • Core.Endpoint.active_directory — Active directory.
  • Core.Endpoint.install_date — Install date in Epoch (milliseconds).
  • Core.Endpoint.endpoint_version — Endpoint version.
  • Core.Endpoint.is_isolated — Whether the endpoint is isolated.
  • Core.Endpoint.group_name — The name of the group to which the endpoint belongs.
  • Core.RiskyHost.type — Form of identification element.
  • Core.RiskyHost.id — Identification value of the type field.
  • Core.RiskyHost.score — The score assigned to the host.
  • Core.RiskyHost.reasons.date created — Date when the incident was created.
  • Core.RiskyHost.reasons.description — Description of the incident.
  • Core.RiskyHost.reasons.severity — The severity of the incident.
  • Core.RiskyHost.reasons.status — The incident status.
  • Core.RiskyHost.reasons.points — The score.
  • Domain.Malicious.Vendor — For malicious domains, the vendor that made the decision.
  • Domain.Name — Bad domain found.

Flowchart

Start Start Done Done IP Enrichment - Generic v2 - IP Enrichment - Generic v2 IP Enrichment - Generic v2 IP Enrichment - Generic v2 File Enrichment - Generic v2 - File Enrichment - Generic v2 File Enrichment - Generic v2 File Enrichment - Generic v2 URL Enrichment - Generic v2 - URL Enrichment - Generic v2 URL Enrichment - Generic v2 URL Enrichment - Generic v2 Domain Enrichment - Generic v2 - Domain Enrichment - Generic v2 Domain Enrichment - Gener... Domain Enrichment - Generic v2 Email Address Enrichment - Generic v2.1 - Email Address Enrichment - Generic v2.1 Email Address Enrichment ... Email Address Enrichment - Ge... Account Enrichment - Generic v2.1 - Account Enrichment - Generic v2.1 Account Enrichment - Gene... Account Enrichment - Generic ... Endpoint Enrichment - Generic v2.1 - Endpoint Enrichment - Generic v2.1 Endpoint Enrichment - Gen... Endpoint Enrichment - Generic...