Security teams are beset with alerts on the best of days. This simple truth stems from two issues melding together:
Both these challenges can be met with the help of security orchestration. A playbook that executes actions across products to assign severity to incoming incidents not only saves analyst time by removing this repetitive task from their daily work, but also improves the accuracy of incident assignment by coordinating automatically across the product set.
Let’s look at the flow of a playbook that assigns incident severity:
The playbook first validates whether any external vulnerability management products have recorded a severity level for the incident at hand. In the screenshot below, for example, the playbook executes a query to Qualys to check if there’s a recorded incident severity and assigns the same severity to the incident within Cortex XSOAR.
These actions ensure that teams use the strengths of their security products without keeping multiple tabs open at all times and manually performing low-level actions.
If there’s no third-party severity input, the playbook checks the indicators (IP addresses, URLs, file hashes) of the incident and validates whether a score is attached to any of them. After Cortex XSOAR automatically records all indicators within the platform, each indicator is assigned a ‘Reputation’ that combines the scores from the threat intelligence platforms the user has integrated.
If a score is attached to any indicator, the playbook assigns a High, Medium, or Low severity accordingly. If a user integrates with multiple threat intelligence products, the indicator score is an ideal way to act on the insights from each product through a single combined reputation rating.
In addition to threat intelligence, this playbook also takes user identity and behavior into account while assigning incident severity. The playbook checks whether a username is tied to the incident and whether that username appears on any critical user list. It performs the same checks for the hostname tied to the incident. If either the username or the hostname warrants a faster response, the incident severity is set to ‘Critical’.
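The three checks above (third-party severity, indicator reputation, critical user/host lists) can be read as one decision procedure. The following is an added, stand-alone Python example written for this post; it is not the Cortex XSOAR playbook itself and does not call the demisto API. The reputation scale (0 = no score, 1 = good, 2 = suspicious, 3 = bad), the severity labels, the assumption that a critical user or host overrides the earlier steps, and all sample incidents and list entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example of the severity-assignment flow described in the post.
# Not the XSOAR playbook engine or demisto API; names, scores and data are assumptions.

SEVERITY_LABELS = ("Unknown", "Low", "Medium", "High", "Critical")

# Assumed indicator reputation scale: 0 = no score, 1 = good, 2 = suspicious, 3 = bad.
REPUTATION_TO_SEVERITY = {1: "Low", 2: "Medium", 3: "High"}


@dataclass
class Incident:
    external_severity: Optional[str] = None                   # value returned by a scanner query
    indicators: Dict[str, int] = field(default_factory=dict)  # indicator value -> reputation score
    username: Optional[str] = None
    hostname: Optional[str] = None


def normalize_severity(value: Optional[str]) -> Optional[str]:
    """Accept a third-party severity only if it maps to a known label (case-insensitive)."""
    if not value:
        return None
    for label in SEVERITY_LABELS:
        if value.strip().lower() == label.lower():
            return label
    return None  # unrecognised label: treat as no third-party input rather than guessing


def severity_from_indicators(indicators: Dict[str, int]) -> Optional[str]:
    """Map the worst scored indicator to High/Medium/Low; None if nothing carries a score."""
    scored = [score for score in indicators.values() if score in REPUTATION_TO_SEVERITY]
    if not scored:
        return None
    return REPUTATION_TO_SEVERITY[max(scored)]


def assign_severity(incident: Incident,
                    critical_users: List[str],
                    critical_hosts: List[str]) -> Tuple[str, str]:
    """Return (severity, reason) following the order of checks in the playbook."""
    # Step 1: a severity recorded by an external vulnerability-management tool is used as-is.
    severity = normalize_severity(incident.external_severity)
    reason = "third-party severity"
    # Step 2: otherwise derive the severity from the indicator reputation scores.
    if severity is None:
        severity = severity_from_indicators(incident.indicators)
        reason = "indicator reputation"
    if severity is None:
        severity, reason = "Unknown", "no severity input"
    # Step 3: a critical user or host escalates to Critical (assumed to override steps 1 and 2).
    user = (incident.username or "").lower()
    host = (incident.hostname or "").lower()
    if user and user in {u.lower() for u in critical_users}:
        return "Critical", f"critical user {incident.username}"
    if host and host in {h.lower() for h in critical_hosts}:
        return "Critical", f"critical host {incident.hostname}"
    return severity, reason


# Constructed sample lists and incidents for a quick run.
CRITICAL_USERS = ["svc-backup", "domain-admin"]
CRITICAL_HOSTS = ["dc01.corp.example"]

SAMPLE_INCIDENTS = {
    "scanner_rated": Incident(external_severity="high", indicators={"203.0.113.7": 1}),
    "bad_hash_only": Incident(indicators={"203.0.113.7": 1, "sha256:placeholder": 3}),
    "unscored": Incident(indicators={"198.51.100.2": 0}),
    "critical_host": Incident(indicators={"198.51.100.2": 1}, hostname="DC01.corp.example"),
}

if __name__ == "__main__":
    for name, inc in SAMPLE_INCIDENTS.items():
        print(name, assign_severity(inc, CRITICAL_USERS, CRITICAL_HOSTS))
```

Returning the reason alongside the severity is deliberate: when a playbook sets severity automatically, the analyst should be able to see which step made the decision, and an unrecognised third-party label is treated as missing input rather than silently mapped to a guess.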
The benefits of this incident severity scoring playbook are manifold:
We hope you found this severity assignment playbook useful. To explore other Cortex XSOAR features, download our Free Community Edition.