Calculate Severity - Generic v2

This playbook is part of the Common Playbooks Pack.

Calculate and assign the incident severity based on the highest returned severity level from the following calculations:

  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
  • Microsoft Headers
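The aggregation described above, as an added illustration that is not the playbook's own code: each check is reduced to an XSOAR severity level and the highest one wins. The per-check mappings (DBotScore, email authenticity, critical-asset involvement) are assumptions chosen for the example, and the matching of Account/Endpoint values against the CSV critical lists is shown the way a defender would want it: case-insensitive, with whitespace trimmed.

```python
from typing import Iterable, List, Optional

# XSOAR incident severity levels as used by setIncident.
SEVERITY = {"unknown": 0, "informational": 0.5, "low": 1,
            "medium": 2, "high": 3, "critical": 4}


def split_csv(value: str) -> set:
    """Normalise a CSV playbook input (e.g. CriticalUsers) into a lowercase set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def critical_asset_matches(assets: Iterable[str], critical_csv: str) -> List[str]:
    """Return the assets (Account or Endpoint values) found in the critical list."""
    critical = split_csv(critical_csv)
    return sorted({a for a in assets if a.strip().lower() in critical})


def severity_from_dbotscore(scores: Iterable[int]) -> float:
    """Assumed mapping: DBotScore 3 (malicious) -> high, 2 (suspicious) -> medium."""
    top = max(scores, default=0)
    return {3: SEVERITY["high"], 2: SEVERITY["medium"]}.get(top, SEVERITY["unknown"])


def severity_from_email_auth(result: Optional[str]) -> float:
    """Assumed mapping for EmailAuthenticityCheck: Fail -> high, Suspicious -> medium."""
    key = (result or "").strip().lower()
    return {"fail": SEVERITY["high"], "suspicious": SEVERITY["medium"]}.get(key, SEVERITY["unknown"])


def calculate_severity(current: float, dbot_scores: Iterable[int], email_auth: Optional[str],
                       ms_headers_severity: float, critical_assets: List[str]) -> float:
    """Highest severity across the five calculations; never lowers the current severity."""
    candidates = [current, severity_from_dbotscore(dbot_scores),
                  severity_from_email_auth(email_auth), ms_headers_severity]
    if critical_assets:
        # Assumption: any critical-asset involvement raises the incident to critical.
        candidates.append(SEVERITY["critical"])
    return max(candidates)


if __name__ == "__main__":
    # Constructed sample: two accounts checked against the default CriticalUsers list.
    hits = critical_asset_matches(["Admin", "jdoe"], "admin,administrator")
    print(hits, calculate_severity(SEVERITY["low"], [2], "Pass", 0, hits))
```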

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Calculate Severity - Critical Assets v2
  • Calculate Severity By Highest DBotScore
  • Calculate Severity By Email Authenticity

Integrations

This playbook does not use any integrations.

Scripts

  • Set
  • SetAndHandleEmpty

Commands

  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DBotScore | Array of all indicators associated with the incident. | DBotScore.None | Optional |
| CriticalUsers | CSV of usernames of critical users. | admin,administrator | Optional |
| CriticalEndpoints | CSV of hostnames of critical endpoints. | admin | Optional |
| CriticalGroups | CSV of DN names of critical AD groups. | admins,administrators | Optional |
| Account | User accounts to check against the critical lists. | Account.None | Optional |
| Endpoint | Endpoints to check against the CriticalEndpoints list. | Endpoint.None | Optional |
| EmailAuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined. | Email.AuthenticityCheck | Optional |
| MicrosoftHeadersSeverityCheck | The value is set by the "Process Microsoft's Anti-Spam Headers" playbook, which calculates the severity after processing the SCL, BCL and PCL values inside Microsoft's headers. | ${MicrosoftHeadersSeverityCheck} | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| CriticalAssets | All critical assets involved in the incident. | unknown |
| CriticalAssets.CriticalEndpoints | Critical endpoints involved in the incident. | unknown |
| CriticalAssets.CriticalEndpointGroups | Critical endpoint-groups involved in the incident. | unknown |
| CriticalAssets.CriticalUsers | Critical users involved in the incident. | unknown |
| CriticalAssets.CriticalUserGroups | Critical user-groups involved in the incident. | unknown |

Playbook Image

(image: Calculate Severity - Generic v2 playbook diagram)