RubrikSetIncidentSeverityUsingWorkLoadRiskLevel

Script used to set the XSOAR incident severity using the workload data provided from the argument.

python · Rubrik Security Cloud

Source

import demistomock as demisto
from CommonServerPython import *

INCIDENT_SEVERITY_INT_TO_NAME = {0: "Unknown", 0.5: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
MATCHES_FOUND = "Matches Found"

ANOMALY_SEVERITY_TO_INCIDENT_SEVERITY = {"critical": 4, "warning": 2, "informational": 0.5}

RISK_LEVEL_TO_INCIDENT_SEVERITY = {"high": 3, "medium": 2, "low": 1, "no risk": 1}

""" COMMAND FUNCTION """


def set_incident_severity_using_risk_level_command(args: dict[str, Any]) -> CommandResults:
    """Set the incident severity using the provided workload data.

    :type args: ``Dict[str, Any]``
    :param args: Arguments provided by user.

    :rtype: ``CommandResults``
    :return: Standard command result.
    """
    remove_nulls_from_dictionary(args)

    anomaly_severities: list = argToList(args.get("anomaly_severities"))
    threat_hunt_malicious: list = argToList(args.get("threat_hunt_malicious"))
    threat_monitoring_malicious: list = argToList(args.get("threat_monitoring_malicious"))
    risk_levels: list = argToList(args.get("risk_levels"))
    increase_severity_by: int = arg_to_number(  # type: ignore
        args.get("increase_severity_by", 1), arg_name="increase_severity_by"
    )

    # If increase severity by value is not between 1 and 4, we will only show a message to user.
    if increase_severity_by < 1 or increase_severity_by > 4:
        raise DemistoException("Increase severity by value must be between 1 and 4.")

    # If there are no workload data are available in the argument, we will only show a message to user.
    if not risk_levels and not anomaly_severities and not threat_hunt_malicious and not threat_monitoring_malicious:
        raise DemistoException("No data specified to update the incident severity.")

    # Get current incident severity.
    current_severity: int = demisto.incident().get("severity", 0)

    if not isinstance(current_severity, float | int):
        raise DemistoException("Not able to get the correct value for the current incident severity.")

    anomaly_severity, threat_hunt_severity, risk_level_severity = 0, 0, 0

    for anomaly in anomaly_severities:
        severity_value = ANOMALY_SEVERITY_TO_INCIDENT_SEVERITY.get(anomaly.lower(), 0)
        anomaly_severity = max(anomaly_severity, severity_value)  # type: ignore

    for risk_level in risk_levels:
        severity_value = RISK_LEVEL_TO_INCIDENT_SEVERITY.get(risk_level.lower(), 0)
        risk_level_severity = max(risk_level_severity, severity_value)  # type: ignore

    if MATCHES_FOUND in threat_hunt_malicious or MATCHES_FOUND in threat_monitoring_malicious:
        threat_hunt_severity = int(min(4, current_severity + increase_severity_by))

    new_severity = max(risk_level_severity, anomaly_severity, threat_hunt_severity)

    if new_severity > current_severity:
        demisto.executeCommand("setIncident", {"severity": new_severity})
        return CommandResults(
            readable_output=f"Increased the incident severity to {INCIDENT_SEVERITY_INT_TO_NAME[new_severity]}."
        )
    else:
        return CommandResults(
            readable_output="No workload data with a risk level higher than the current incident "
            f"severity ({INCIDENT_SEVERITY_INT_TO_NAME[current_severity]})."
        )


""" MAIN FUNCTION """


def main():
    try:
        return_results(set_incident_severity_using_risk_level_command(demisto.args()))
    except Exception as ex:
        return_error(f"Failed to execute RubrikSonarSetIncidentSeverityUsingWorkLoadRiskLevel-RubrikSecurityCloud. Error: {ex!s}")


""" ENTRY POINT """


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Script used to set the XSOAR incident severity using the workload data provided from the argument.

Script Data


Name Description
Script Type python3
Cortex XSOAR Version 6.5.0

Inputs


Argument Name Description
risk_levels Specify the risk level values. Supports comma separated values.

Supported values are: High, Medium, Low, No Risk.
anomaly_severities Specify the anomaly severity values. Supports comma separated values.

Supported values are: Critical, Warning, Informational.
threat_hunt_malicious Specify the malicious threat hunt values. Supports comma separated values.

Supported values are: Matches Found, No Matches Found.
threat_monitoring_malicious Specify the malicious threat monitoring values. Supports comma separated values.

Supported values are: Matches Found, No Matches Found.
increase_severity_by Specify the level in number by which to increase the XSOAR incident severity. Only applicable if match found for the malicious threat hunt or for the malicious threat monitoring of workload.

Note: The value can range from 1 to 4.

Example: If the current XSOAR incident severity is 1 (Low) and the script is set to increase the severity by 2, the XSOAR incident severity will be set to 3 (high).

Outputs


There are no outputs for this script.