Phishing Alerts - Check Severity
This playbook calculates and assigns the incident severity based on the highest returned severity level from the following calculations: - Email security alert action - DBotScores of indicators - Critical assets - Email authenticity - Current incident severity - Microsoft Headers
PhishingAlerts · 12 tasks · 8 inputs · 0 outputs
Inputs
Role— The default role to assign the incident to.escalationRole— The higher tier role to assign the incident to.OnCall— Set to True to assign only to analysts on the current shift.AuthenticityCheck— Indicates the email authenticity resulting from the EmailAuthenticityCheck script. Possible values are: Pass, Fail, Suspicious, and Undetermined.MicrosoftHeadersSeverityCheck— The value is set by the "Process Microsoft's Anti-Spam Headers" Playbook, which calculates the severity after processing the PCL, BCL and PCL values inside Microsoft's headers.SOCEmailAddress— The SOC email address to set if the playbook handles an email security alert.EmailTo— The email recipient.blockedAlertActionValue— A comma-separated list of optional values the email security device returns for blocked\denied\etc. emails.
Commands used
send-mail
setIncident