Calculate Severity - Generic v2

Calculates and assigns the incident severity based on the highest returned severity level from the following calculations:

  • DBotScores of indicators
  • Critical assets
  • Email authenticity
  • Current incident severity
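The "highest severity wins" logic described above, as an added Python illustration that is not the playbook's own code. It assumes XSOAR's numeric severity scale (0 Unknown, 0.5 Informational, 1 Low, 2 Medium, 3 High, 4 Critical); the mapping of DBotScores, email authenticity and critical assets onto that scale is an assumption here, and the CriticalGroups check is left out.

```python
"""Added illustration of the playbook's 'highest returned severity' logic.

Not the playbook's own code. The severity scale is XSOAR's; every mapping
below is an assumption chosen for this example.
"""

# Assumed mapping of the highest DBotScore (0 unknown, 1 good, 2 suspicious, 3 bad).
DBOT_TO_SEVERITY = {0: 0, 1: 1, 2: 2, 3: 3}
# Assumed mapping of the EmailAuthenticityCheck result onto a severity.
AUTH_TO_SEVERITY = {"Pass": 0, "Undetermined": 0, "Suspicious": 2, "Fail": 3}
# Assumed: any critical asset involved in the incident escalates it to Critical.
CRITICAL_ASSET_SEVERITY = 4


def parse_csv(value: str) -> set:
    """Split a CSV playbook input such as 'admin,administrator' into a lowercase set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def critical_assets(accounts, endpoints, critical_users, critical_endpoints):
    """Return the incident accounts/endpoints that appear in the critical CSV lists."""
    users = {a for a in accounts if a.lower() in parse_csv(critical_users)}
    hosts = {e for e in endpoints if e.lower() in parse_csv(critical_endpoints)}
    return {"CriticalUsers": sorted(users), "CriticalEndpoints": sorted(hosts)}


def calculate_severity(dbot_scores, accounts, endpoints, email_authenticity,
                       current_severity, critical_users="admin,administrator",
                       critical_endpoints="admin"):
    """Run the four calculations and keep the highest severity, never lowering it."""
    candidates = [current_severity]  # the current incident severity is a floor
    if dbot_scores:
        candidates.append(DBOT_TO_SEVERITY.get(max(dbot_scores), 0))
    if email_authenticity is not None:
        candidates.append(AUTH_TO_SEVERITY.get(email_authenticity, 0))
    assets = critical_assets(accounts, endpoints, critical_users, critical_endpoints)
    if any(assets.values()):
        candidates.append(CRITICAL_ASSET_SEVERITY)
    return max(candidates)


if __name__ == "__main__":
    # Constructed sample incident: one bad indicator, a critical user, email passed auth.
    print(calculate_severity([1, 3], ["Administrator"], ["ws-01"], "Pass", 1))  # 4
```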

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Calculate Severity - Critical Assets v2
  • Calculate Severity - DBotScore v2
  • Calculate Severity - Email Authenticity

Integrations

  • Builtin

Scripts

  • Set

Commands

  • setIncident

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| DBotScore | The array of all indicators associated with the incident. | None | DBotScore | Optional |
| CriticalUsers | The CSV of usernames of critical users. | admin,administrator | - | Optional |
| CriticalEndpoints | The CSV of hostnames of critical endpoints. | admin | - | Optional |
| CriticalGroups | The CSV of DN names of critical AD groups. | admins,administrators | - | Optional |
| Account | The user accounts to check against the critical lists. | None | Account | Optional |
| Endpoint | The endpoints to check against the CriticalEndpoints list. | None | Endpoint | Optional |
| EmailAuthenticityCheck | Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are "Pass", "Fail", "Suspicious", and "Undetermined". | AuthenticityCheck | Email | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| CriticalAssets | All critical assets involved in the incident. | unknown |
| CriticalAssets.CriticalEndpoints | The critical endpoints involved in the incident. | unknown |
| CriticalAssets.CriticalEndpointGroups | The critical endpoint groups involved in the incident. | unknown |
| CriticalAssets.CriticalUsers | The critical users involved in the incident. | unknown |
| CriticalAssets.CriticalUserGroups | The critical user groups involved in the incident. | unknown |

Playbook Image

[Playbook image: Calculate_Severity_Generic_v2]