IP Enrichment - External - Generic v2
Enrich IP addresses using one or more integrations. - Resolve IP addresses to hostnames (DNS). - Provide threat information. - IP address reputation using !ip command. - Separate internal and external addresses.
Common Playbooks · 16 tasks · 7 inputs · 27 outputs
Inputs
IP— The IP address to enrich.InternalRange— A comma-separated list of IP address ranges (in CIDR notation). Use this list to check if an IP address is found within a set of IP address ranges. For example: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes).ResolveIP— Whether to convert the IP address to a hostname using a DNS query (True/False). The default value is true.UseReputationCommand— Define if you would like to use the !IP command. Note: This input should be used whenever there is no auto-extract enabled in the investigation flow. Possible values: True / False. The default value is false.extended_data— Define whether you want the generic reputation command to return extended data (last_analysis_results). Possible values: True / False. The default value is false.threat_model_association— Define whether you wish to enhance generic reputation command to include additional information such as Threat Bulletins, Attack patterns, Actors, Campaigns, TTPs, vulnerabilities, etc. Note: If set to true, additional 6 API calls will be performed. Possible values: True / False. The default value is false.ExecutedFromParent— Whether to execute common logic, like the classification of IP addresses to ranges and resolving, in the the main (IP Enrichment - Generic v2) enrichment playbook, instead of in the sub-playbooks. Possible values are: True, False. Setting this to True and using the parent playbook will execute the relevant commands in the main playbook instead of executing them in both sub-playbooks, improving the performance of the playbook and reducing the overfall size of the incident.
Outputs
IP— The IP address objects.DBotScore— Indicator, Score, Type, and Vendor.Endpoint— The endpoint's object.Endpoint.Hostname— The hostname to enrich.Endpoint.IP— A list of endpoint IP addresses.IP.Address— The IP Address.IP.InRange— Is the IP in the input ranges? (could be 'yes' or 'no).DBotScore.Indicator— The indicator that was tested.DBotScore.Type— The indicator type.DBotScore.Vendor— The vendor used to calculate the score.DBotScore.Score— The actual score.IP.ASN— The Autonomous System (AS) number associated with the indicator.IP.Tags— List of IP tags.IP.ThreatTypes— Threat types associated with the IP.IP.Geo.Country— The country associated with the indicator.IP.Geo.Location— The longitude and latitude of the IP address.IP.Malicious.Vendor— The vendor that reported the indicator as malicious.IP.Malicious.Description— For malicious IPs, the reason that the vendor made the decision.IP.VirusTotal.DownloadedHashes— Latest files that are detected by at least one antivirus solution and were downloaded by VirusTotal from the IP address.IP.VirusTotal.UnAVDetectedDownloadedHashes— Latest files that are not detected by any antivirus solution and were downloaded by VirusTotal from the IP address provided.IP.VirusTotal.DetectedURLs— Latest URLs hosted in this IP address detected by at least one URL scanner.IP.VirusTotal.CommunicatingHashes— Latest detected files that communicate with this IP address.IP.VirusTotal.UnAVDetectedCommunicatingHashes— Latest undetected files that communicate with this IP address.IP.VirusTotal.Resolutions.hostname— The following domains resolved to the given IP.IP.VirusTotal.ReferrerHashes— Latest detected files that embed this IP address in their strings.IP.VirusTotal.UnAVDetectedReferrerHashes— Latest undetected files that embed this IP address in their strings.IP.VirusTotal.Resolutions.last_resolved— The last time the following domains resolved to the given IP.
Commands used
ip
vt-private-get-ip-report