Calculate Severity - Generic v2

Calculates and assigns the incident severity based on the highest returned severity level from the following calculations:

  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
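The "highest returned severity wins" rule above is easy to get subtly wrong when the sub-playbook results are combined by hand, so here is an added, stand-alone Python model of it. This is not the playbook's own code: the severity numbers are the Cortex XSOAR incident severity scale, but the per-calculation mappings (which DBotScore becomes which severity, what a critical-asset hit or a failed email authenticity check maps to) are labelled assumptions and the `Username`, `Groups` and `Hostname` fields on the Account and Endpoint objects are assumed context keys, not something this page specifies. Matching against the CSV lists is case-insensitive and whitespace-tolerant, which is the check a practitioner wants given the `admin,administrator` defaults.

```python
"""Added example (not the playbook's own code): a plain-Python model of the
"highest severity wins" logic this page describes. Severity numbers are the
XSOAR incident severity scale; the mappings marked ASSUMPTION are illustrative
and are not taken from the sub-playbooks."""
from typing import Iterable

# XSOAR incident severity scale (Unknown .. Critical).
SEVERITY = {"Unknown": 0, "Informational": 0.5, "Low": 1,
            "Medium": 2, "High": 3, "Critical": 4}
NAME_OF = {v: k for k, v in SEVERITY.items()}


def parse_csv_list(csv: str) -> set:
    """Split a CSV input such as CriticalUsers, trimming blanks and folding
    case so that 'Admin' matches the default 'admin' entry."""
    return {item.strip().lower() for item in csv.split(",") if item.strip()}


def dbotscore_severity(indicators: Iterable[dict]) -> float:
    """ASSUMPTION: DBotScore 3 (malicious) -> High, 2 (suspicious) -> Medium,
    anything lower contributes nothing. The real sub-playbook may differ."""
    best = SEVERITY["Unknown"]
    for ind in indicators:
        score = ind.get("Score", 0)
        if score == 3:
            best = max(best, SEVERITY["High"])
        elif score == 2:
            best = max(best, SEVERITY["Medium"])
    return best


def critical_assets(accounts, endpoints, critical_users, critical_endpoints,
                    critical_groups):
    """Return the CriticalAssets output paths listed on this page plus the
    severity they imply. ASSUMPTION: any hit -> Critical; account dicts carry
    'Username' and 'Groups', endpoint dicts carry 'Hostname' and 'Groups'."""
    users = parse_csv_list(critical_users)
    hosts = parse_csv_list(critical_endpoints)
    groups = parse_csv_list(critical_groups)
    found = {"CriticalUsers": [], "CriticalUserGroups": [],
             "CriticalEndpoints": [], "CriticalEndpointGroups": []}
    for acct in accounts:
        if acct.get("Username", "").lower() in users:
            found["CriticalUsers"].append(acct["Username"])
        for g in acct.get("Groups", []):
            if g.lower() in groups:
                found["CriticalUserGroups"].append(g)
    for ep in endpoints:
        if ep.get("Hostname", "").lower() in hosts:
            found["CriticalEndpoints"].append(ep["Hostname"])
        for g in ep.get("Groups", []):
            if g.lower() in groups:
                found["CriticalEndpointGroups"].append(g)
    severity = SEVERITY["Critical"] if any(found.values()) else SEVERITY["Unknown"]
    return found, severity


def email_authenticity_severity(result: str) -> float:
    """ASSUMPTION: Fail -> High, Suspicious -> Medium; Pass and Undetermined
    add nothing. Values are the four listed for EmailAuthenticityCheck."""
    table = {"fail": SEVERITY["High"], "suspicious": SEVERITY["Medium"]}
    return table.get((result or "").lower(), SEVERITY["Unknown"])


def calculate_severity(incident: dict, critical_users="admin,administrator",
                       critical_endpoints="admin",
                       critical_groups="admins,administrators") -> str:
    """Take the highest of the four calculations. Because the current incident
    severity is itself a candidate, the result can go up but never down."""
    _assets, asset_sev = critical_assets(
        incident.get("Account", []), incident.get("Endpoint", []),
        critical_users, critical_endpoints, critical_groups)
    candidates = [
        dbotscore_severity(incident.get("DBotScore", [])),
        asset_sev,
        email_authenticity_severity(incident.get("EmailAuthenticityCheck", "")),
        SEVERITY[incident.get("severity", "Unknown")],
    ]
    return NAME_OF[max(candidates)]


# Constructed sample incident: one suspicious indicator, an email that failed
# authentication, and a non-critical account and endpoint.
SAMPLE = {
    "severity": "Low",
    "DBotScore": [{"Indicator": "example.invalid", "Score": 2}],
    "Account": [{"Username": "jdoe", "Groups": ["Users"]}],
    "Endpoint": [{"Hostname": "ws-042"}],
    "EmailAuthenticityCheck": "Fail",
}

if __name__ == "__main__":
    print(calculate_severity(SAMPLE))  # High: the failed authenticity check wins
```

Two things the model makes visible: a critical-asset hit dominates everything else, so a typo in the CriticalUsers list silently turns that calculation off, and an incident that already carries a higher severity than any calculation produces keeps it.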


Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Calculate Severity - Critical Assets v2
  • Calculate Severity - DBotScore v2
  • Calculate Severity - Email Authenticity

Integrations#

  • Builtin

Scripts#

  • Set

Commands#

  • setIncident

Playbook Inputs#

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| DBotScore | The array of all indicators associated with the incident. | None | DBotScore | Optional |
| CriticalUsers | A CSV list of usernames of critical users. | admin,administrator | - | Optional |
| CriticalEndpoints | A CSV list of hostnames of critical endpoints. | admin | - | Optional |
| CriticalGroups | A CSV list of DNs of critical AD groups. | admins,administrators | - | Optional |
| Account | The user accounts to check against the critical lists. | None | Account | Optional |
| Endpoint | The endpoints to check against the CriticalEndpoints list. | None | Endpoint | Optional |
| EmailAuthenticityCheck | The email authenticity result produced by the EmailAuthenticityCheck script. Possible values are "Pass", "Fail", "Suspicious", and "Undetermined". | AuthenticityCheck | Email | Optional |

Playbook Outputs#

| Path | Description | Type |
| --- | --- | --- |
| CriticalAssets | All critical assets involved in the incident. | unknown |
| CriticalAssets.CriticalEndpoints | The critical endpoints involved in the incident. | unknown |
| CriticalAssets.CriticalEndpointGroups | The critical endpoint groups involved in the incident. | unknown |
| CriticalAssets.CriticalUsers | The critical users involved in the incident. | unknown |
| CriticalAssets.CriticalUserGroups | The critical user groups involved in the incident. | unknown |

Playbook Image#