Security incident calculators

Security incident calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

The Security Incident Response base system includes the following security incident calculator groups and calculators. Within each group, the first calculator that matches the conditions is run.

Table 1. Security incident calculators in the base system

Group: Business Impact
  • Aggregate from Severity Calculators: This calculator delegates to the Security Criticality Calculator, which determines criticality by weighing the values of other fields.

Group: Severity
  • Business Impacted: This severity calculator defines its selection criteria using a simple condition builder.
  • Critical service affected: This severity calculator defines its selection criteria using an advanced condition. If the configuration item in the security incident is associated with a highly critical business service, the Risk score, Business Impact, and Priority fields are elevated as defined by the calculator.
  • Critical service changes: This severity calculator defines its selection criteria using an advanced condition. If the security incident meets the conditions, a script runs that defines the levels to which the fields are elevated. If the configuration item in the security incident is associated with a critical business service, the Risk score, Business Impact, and Priority fields are elevated as defined by the calculator.
  • Multi-Attack Vectors: This severity calculator defines its selection criteria using a simple condition builder. If the configuration item in the security incident is associated with the web, email, and impersonation attack vectors, the Risk score, Business Impact, and Priority fields are elevated as defined by the calculator.
  • Set priority with category and services: This severity calculator defines its selection criteria using an advanced condition builder. The security incident priority is set to 1 - Critical when the following conditions are met:
    • the security incident has associated affected services and one of them is critical
    • the security incident category is one of the following:
      • Denial of Service
      • Spear Phishing
      • Malicious code activity
    Note: This calculator is available in the base system when you have the Starter Security Operation pricing tier.
  • Set priority with observables: This severity calculator defines its selection criteria using an advanced condition builder. The security incident priority is set to 1 - Critical when the following conditions are met:
    • the security incident has associated affected services and one of them is critical
    • the security incident category is one of the following:
      • Denial of Service
      • Spear Phishing
      • Malicious code activity
    • one of the associated observables/indicators has a sighting count that exceeds two sightings with active indicators; that is, the observables or indicators are confirmed as bad by multiple sources
    Note: This calculator is available in the base system when you have the Advanced Security Operation pricing tier and you activate the Threat Feeds plugin.

Group: User criticality
  • Get user criticality: This severity calculator defines its selection criteria using a simple condition builder. It causes a user's business criticality to change to 1 - Critical when the Department field is changed to Finance.
  • Get user group criticality: This severity calculator defines its selection criteria using an advanced condition builder. It provides an example of a calculator that runs on data in a related list.

Severity calculators

When you create a security incident, the Risk score, Business Impact, and Priority fields contain default values. When you save the incident, a business rule automatically validates the information in the security incident against the conditions defined in each of your active severity calculators. The calculators are evaluated one at a time, in the order defined by the Order field of each calculator. If the information in the security incident matches the conditions defined in one of the calculators, the severity field values are updated according to the rules set up in that calculator.

For example, assume that you create a security incident for an affected CI, and the CI is highly critical. When the security incident is saved, the CI information is compared to the conditions defined in the severity calculators. When the security incident is validated against the Critical service affected severity calculator, the severity fields are automatically updated. A message similar to the following appears at the top of the security incident.

You can use these severity calculators as is, or you can edit them to more closely meet the needs of your business. For example, if you want to identify web and email threats that are specific to the Finance business unit, you can change the conditions of the Multi-Attack Vectors calculator to:
  • [Attack Vector] [contains] [Web]
  • [Attack Vector] [contains] [Email]
  • [Business Unit] [contains] [Finance]

You can also update the severity values in an existing security incident at any time by opening the record and clicking the Calculate Severity related link.
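The evaluation order described above, as an added illustration that is not ServiceNow code: calculators are sorted by Order within their group, the first one whose condition matches runs, and its action updates the severity fields. The field names, the calculator definitions, and the elevated Risk score and Business Impact values are assumptions made for this example; the sample incident is constructed.

```javascript
// Added illustration, not ServiceNow code: a small model of how active severity
// calculators are evaluated against a security incident. Field names, calculator
// definitions and the elevated values below are assumptions for this example.
const CRITICAL_CATEGORIES = ['Denial of Service', 'Spear Phishing', 'Malicious code activity'];

// Each calculator has a group, an Order, a condition and an update action.
// Within one group, calculators run in Order and only the first match is applied.
const calculators = [
  {
    name: 'Set priority with observables', group: 'Severity', order: 100,
    condition: (inc) =>
      inc.affectedServices.some((s) => s.critical) &&
      CRITICAL_CATEGORIES.includes(inc.category) &&
      // confirmed bad from multiple sources: more than two sightings, indicators active
      inc.observables.some((o) => o.activeIndicators && o.sightings > 2),
    apply: (inc) => { inc.priority = 1; },            // 1 - Critical
  },
  {
    name: 'Multi-Attack Vectors', group: 'Severity', order: 200,
    condition: (inc) =>                                // the Finance-specific edit
      inc.attackVectors.includes('Web') && inc.attackVectors.includes('Email') &&
      inc.businessUnit === 'Finance',
    apply: (inc) => { inc.priority = Math.min(inc.priority, 2); inc.riskScore = 80; inc.businessImpact = 'High'; },
  },
];

// Returns the names of the calculators that ran; the incident is updated in place.
function calculateSeverity(incident, calcs = calculators) {
  const ran = [];
  for (const group of new Set(calcs.map((c) => c.group))) {
    const ordered = calcs.filter((c) => c.group === group).sort((a, b) => a.order - b.order);
    const hit = ordered.find((c) => c.condition(incident));
    if (hit) { hit.apply(incident); ran.push(hit.name); }
  }
  return ran;
}

// Constructed sample incident with default severity values; overrides tweak fields.
function sampleIncident(overrides = {}) {
  return Object.assign({
    category: 'Spear Phishing', businessUnit: 'Finance', attackVectors: ['Web', 'Email'],
    affectedServices: [{ name: 'Payments API', critical: true }],
    observables: [{ value: 'bad.example', sightings: 3, activeIndicators: true }],
    riskScore: 0, businessImpact: 'Low', priority: 4,
  }, overrides);
}

const demo = sampleIncident();
console.log(calculateSeverity(demo), demo.priority);  // only the first matching calculator ran
```

Both calculators match the sample incident, but because they share a group only the lower-ordered one runs; drop the sighting count to two and the second calculator runs instead.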

Security incident risk score calculators

The Set priority with category and services and Set priority with observables calculators are used to calculate a risk score for a security incident. For more information, see Security incident risk score calculations.

User criticality calculators

The two calculators in the User criticality group (Get user criticality and Get user group criticality) provide examples of how you can drive criticality either from criteria defined in a user record or from the group to which a user belongs.

They can be edited as needed, or new user criticality calculators can be created.

The Get user criticality calculator causes a user's business criticality to change to 1 - Critical when the Department field is changed to Finance.

The Get user group criticality calculator causes a user's business criticality to change to 1 - Critical when the user is added to the Database group.
Note: Get user group criticality is an example of a calculator that runs on data in a related list. If you want more groups to initiate a criticality change, add a comma-separated list of group sys_ids in the first line of the script, for example: var CRITICAL_GROUPS = ['group1_sys_id', 'group2_sys_id', 'group3_sys_id'];
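The two User criticality calculators modelled over a user record and its related list of group memberships, as an added illustration that is not ServiceNow code: the first calculator checks a field on the user record itself, the second checks the related-list rows against CRITICAL_GROUPS. The sys_ids are constructed placeholders, and the field names and the first-match ordering are assumptions for this example.

```javascript
// Added illustration, not ServiceNow code. The sys_ids are constructed placeholders;
// the field names and the ordering of the two calculators are assumptions.
const CRITICAL_GROUPS = ['database_group_sys_id_placeholder', 'dba_group_sys_id_placeholder'];

// Get user criticality: a simple condition on the user record itself.
// Returns 1 (1 - Critical) when the Department is Finance, otherwise null (no match).
function getUserCriticality(user) {
  return user.department === 'Finance' ? 1 : null;
}

// Get user group criticality: runs on the related list of group memberships,
// which may hold rows for many users, so the rows are filtered to this user first.
function getUserGroupCriticality(user, memberships) {
  const mine = memberships.filter((m) => m.user === user.sysId);
  return mine.some((m) => CRITICAL_GROUPS.includes(m.group)) ? 1 : null;
}

// First matching calculator wins; with no match the current criticality is kept.
function calculateUserCriticality(user, memberships) {
  const rules = [() => getUserCriticality(user), () => getUserGroupCriticality(user, memberships)];
  for (const rule of rules) {
    const result = rule();
    if (result !== null) return result;
  }
  return user.businessCriticality;
}

// Constructed sample data: one Finance user, one Database group member, one neither.
const sampleMemberships = [
  { user: 'user2_sys_id', group: 'database_group_sys_id_placeholder' },
  { user: 'user3_sys_id', group: 'helpdesk_group_sys_id_placeholder' },
];
const bob = { sysId: 'user2_sys_id', department: 'Sales', businessCriticality: 3 };
console.log(calculateUserCriticality(bob, sampleMemberships));  // 1 via group membership
```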