Phishing Alerts - Check Severity

This playbook is part of the PhishingAlerts Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook calculates and assigns the incident severity based on the highest returned severity level from the following calculations:

  • Email security alert action
  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
  • Microsoft Headers


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Calculate Severity - Generic v2

Integrations

This playbook does not use any integrations.

Scripts

  • AssignAnalystToIncident
  • IncreaseIncidentSeverity

Commands

  • send-mail
  • setIncident

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| Role | The default role to assign the incident to. | | Optional |
| escalationRole | The higher tier role to assign the incident to. | | Optional |
| OnCall | Set to True to assign only to analysts on the current shift. | | Optional |
| AuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined. | | Optional |
| MicrosoftHeadersSeverityCheck | This value is set by the "Process Microsoft's Anti-Spam Headers" playbook, which calculates the severity after processing the SCL, BCL and PCL values in Microsoft headers. | | Optional |
| SOCEmailAddress | The SOC email address to set if the playbook handles an email security alert. | | Optional |
| EmailTo | The email recipient. | | Optional |
| blockedAlertActionValue | A comma-separated list of optional values that the email security device returns for blocked, denied, etc. emails. | | Optional |

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

[Image: Phishing Alerts - Check Severity]