Calculate Severity - Generic v2
Calculate and assign the incident severity based on the highest returned severity level from the following calculations: - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers - Risky users (XDR) - Risky hosts (XDR).
Common Playbooks · 15 tasks · 11 inputs · 5 outputs
Inputs
DBotScoreIndicators— Array of all indicator values associated with the incident.CriticalUsers— CSV of usernames of critical users.CriticalEndpoints— CSV of hostnames of critical endpoints.CriticalGroups— CSV of DN names of critical AD groups.Account— User accounts to check against the critical lists.Endpoint— Endpoints to check against the CriticalEndpoints list.EmailAuthenticityCheck— Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined.MicrosoftHeadersSeverityCheck— The value is set by the "Process Microsoft's Anti-Spam Headers" Playbook, which calculates the severity after processing the PCL, BCL and PCL values inside Microsoft's headers.XDRRiskyUsers— An object of risky users and their corresponding scores, as outputted by the "xdr-list-risky-users" command.XDRRiskyHosts— An object of risky hosts and their corresponding scores, as outputted by the "xdr-list-risky-hosts" command.DBotScoreMaxScore— The highest score (number) that was given to a DBotScore indicator.
Outputs
CriticalAssets— All critical assets involved in the incident.CriticalAssets.CriticalEndpoints— Critical endpoints involved in the incident.CriticalAssets.CriticalEndpointGroups— Critical endpoint-groups involved in the incident.CriticalAssets.CriticalUsers— Critical users involved in the incident.CriticalAssets.CriticalUserGroups— Critical user-groups involved in the incident.
Commands used
setIncident