Calculate Severity - Generic v2
Calculates and assigns the incident severity based on the highest returned severity level from the following calculations:
- DBotScores of indicators
- Critical assets
- Email authenticity
- Current incident severity
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Calculate Severity - Critical Assets v2
- Calculate Severity - DBotScore v2
- Calculate Severity - Email Authenticity
Integrations
- Builtin
Scripts
- Set
Commands
- setIncident
Playbook Inputs
Name | Description | Default Value | Source | Required |
---|---|---|---|---|
DBotScore | The array of all indicators associated with the incident. | None | DBotScore | Optional |
CriticalUsers | The CSV of usernames of critical users. | admin,administrator | - | Optional |
CriticalEndpoints | The CSV of hostnames of critical endpoints. | admin | - | Optional |
CriticalGroups | The CSV of DN names of critical AD groups. | admins,administrators | - | Optional |
Account | The user accounts to check against the critical lists. | None | Account | Optional |
Endpoint | The endpoints to check against the CriticalEndpoints list. | None | Endpoint | Optional |
EmailAuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are, "Pass", "Fail", "Suspicious", and "Undetermined'. | AuthenticityCheck | Optional |
Playbook Outputs
Path | Description | Type |
---|---|---|
CriticalAssets | All critical assets involved in the incident. | unknown |
CriticalAssets.CriticalEndpoints | The critical endpoints involved in the incident. | unknown |
CriticalAssets.CriticalEndpointGroups | The critical endpoint-groups involved in the incident. | unknown |
CriticalAssets.CriticalUsers | The critical users involved in the incident. | unknown |
CriticalAssets.CriticalUserGroups | The critical user-groups involved in the incident. | unknown |