Calculate Severity - Generic v2

This Playbook is part of the Common Playbooks Pack.

Calculate and assign the incident severity based on the highest returned severity level from the following calculations:

  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
  • Microsoft Headers
  • Risky users (XDR)
  • Risky hosts (XDR).


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Calculate Severity By Highest DBotScore
  • Calculate Severity - Cortex XDR Risky Assets
  • Calculate Severity - Critical Assets v2
  • Calculate Severity By Email Authenticity


This playbook does not use any integrations.


  • Set


  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| DBotScoreIndicators | Array of all indicator values associated with the incident. | DBotScore.Indicator | Optional |
| CriticalUsers | CSV of usernames of critical users. | admin,administrator | Optional |
| CriticalEndpoints | CSV of hostnames of critical endpoints. | admin | Optional |
| CriticalGroups | CSV of DN names of critical AD groups. | admins,administrators | Optional |
| Account | User accounts to check against the critical lists. | Account | Optional |
| Endpoint | Endpoints to check against the CriticalEndpoints list. | Endpoint | Optional |
| EmailAuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined. | Email.AuthenticityCheck | Optional |
| MicrosoftHeadersSeverityCheck | The value is set by the "Process Microsoft's Anti-Spam Headers" Playbook, which calculates the severity after processing the PCL, BCL and PCL values inside Microsoft's headers. | ${Email.MicrosoftHeadersSeverityCheck} | Optional |
| XDRRiskyUsers | An object of risky users and their corresponding scores, as outputted by the "xdr-list-risky-users" command. | PaloAltoNetworksXDR.RiskyUser | Optional |
| XDRRiskyHosts | An object of risky hosts and their corresponding scores, as outputted by the "xdr-list-risky-hosts" command. | PaloAltoNetworksXDR.RiskyHost | Optional |
| DBotScoreMaxScore | The highest score (number) that was given to a DBotScore indicator. | DBotScore.Score | Optional |
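
As an added illustration (not the playbook's own code), the Python example below models the "highest returned severity wins" rule using the inputs listed above. The severity scale, the per-check mappings, the case-insensitive list matching and the treatment of MicrosoftHeadersSeverityCheck as a severity name are assumptions; the XDR risky-user and risky-host checks are left out.

```python
# Added illustration, not the playbook's code. Only the "highest result wins"
# rule comes from the page; every mapping marked "assumed" is an assumption.
SEVERITY = {"Unknown": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}  # assumed scale
NAMES = {value: name for name, value in SEVERITY.items()}

DBOT_TO_SEVERITY = {1: "Low", 2: "Medium", 3: "High"}         # assumed
EMAIL_TO_SEVERITY = {"Fail": "High", "Suspicious": "Medium"}  # assumed


def _csv(value):
    """Split a CSV input such as CriticalUsers into a normalized set."""
    return {item.strip().lower() for item in (value or "").split(",") if item.strip()}


def critical_assets(accounts, endpoints, critical_users, critical_endpoints):
    """Return the accounts and endpoints that appear in the critical CSV lists."""
    users, hosts = _csv(critical_users), _csv(critical_endpoints)
    return {
        "CriticalUsers": [a for a in accounts if a.lower() in users],
        "CriticalEndpoints": [e for e in endpoints if e.lower() in hosts],
    }


def calculate_severity(current="Unknown", dbot_max_score=None, email_auth=None,
                       ms_headers=None, accounts=(), endpoints=(),
                       critical_users="admin,administrator",
                       critical_endpoints="admin"):
    """Return (severity name, critical assets); the highest check result wins."""
    assets = critical_assets(accounts, endpoints, critical_users, critical_endpoints)
    results = [
        SEVERITY.get(current, 0),  # current severity is a candidate, so the result never drops below it
        SEVERITY[DBOT_TO_SEVERITY.get(dbot_max_score, "Unknown")],
        SEVERITY[EMAIL_TO_SEVERITY.get(email_auth, "Unknown")],
        SEVERITY.get(ms_headers, 0),                          # assumed to arrive as a severity name
        SEVERITY["Critical"] if any(assets.values()) else 0,  # assumed
    ]
    return NAMES[max(results)], assets


if __name__ == "__main__":
    # Constructed sample incident: low DBotScore, but a critical user is involved.
    print(calculate_severity(current="Low", dbot_max_score=1,
                             accounts=["Administrator", "jdoe"], endpoints=["ws-042"]))
```

Because every check only contributes a candidate to the maximum, one noisy input (for example, default critical lists that do not match the environment's real naming) can either raise every incident or never fire, so the CSV defaults deserve review before the playbook is relied on.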

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| CriticalAssets | All critical assets involved in the incident. | unknown |
| CriticalAssets.CriticalEndpoints | Critical endpoints involved in the incident. | unknown |
| CriticalAssets.CriticalEndpointGroups | Critical endpoint-groups involved in the incident. | unknown |
| CriticalAssets.CriticalUsers | Critical users involved in the incident. | unknown |
| CriticalAssets.CriticalUserGroups | Critical user-groups involved in the incident. | unknown |

Playbook Image

Calculate Severity - Generic v2