Kaspersky Next XDR Expert

Launching playbooks and response actions

Launching playbooks

Depending on your needs, you can configure the way to launch the playbook. You can select one of the following operation modes during the playbook creation:

  • Auto. Select this operation mode if you want to automate the launch of the playbook and its response actions.

    Playbooks in this mode help automate threat response, and also reduce the time it takes to analyze alerts and incidents.

  • Training. Select this operation mode if you want to check if the playbook is configured correctly.

    Playbooks in this mode will not be launched automatically when a corresponding alert or incident is detected. Instead, the playbook requests the user's approval to launch.

  • Manual. Select this operation mode if you want to launch the playbook manually only.

    Playbooks in this mode have no trigger, so you can launch such playbooks for any alert or incident, depending on the selected playbook scope. For more details, see Launching playbooks manually.

You can also change the operation mode of the existing playbook. For more details, see Editing playbooks.

Launching response actions

Response actions can be launched manually, automatically within a playbook, or can be configured to request the user's approval before launching within the playbook. By default, manual approval of the response action is disabled.

For more details on how to configure the manual approval of a response action launched within the playbook, see Configuring manual approval of response actions.

In this section

Launching playbooks manually

Launching playbooks in the Training operation mode

[Topic 249293]

Launching playbooks manually

Kaspersky Next XDR Expert allows you to manually launch any playbook that matches the alert or incident you want to respond to.

To launch a playbook manually, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

To launch a playbook manually for an alert:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the table of alerts, click the link with the ID of the alert for which you want to launch the playbook.
  3. In the Alert details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the alert, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this alert, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button.

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected alert. After the playbook is completed, you will receive a notification.

To launch a playbook manually for an incident:

  1. In the main menu, go to Monitoring & reporting → Incidents, and then select the XDR incidents tab.
  2. In the table of incidents, click the link with the ID of the incident for which you want to launch the playbook.
  3. In the Incident details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the incident, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this incident, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button.

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected incident. After the playbook is completed, you will receive a notification.

[Topic 249272]

Launching playbooks in the Training operation mode

The Training operation mode allows you to test how the playbook works. This can be helpful if you are planning to change the playbook operation mode to Auto.

All playbooks in the Training operation mode request the user's approval to launch.

To launch a playbook in the Training operation mode, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

The playbook in the Training operation mode cannot be launched automatically when a corresponding alert or incident is detected. You can test launching the playbook in the Training operation mode in one of the following ways:

  • Create an alert or incident that matches the playbook trigger.
  • Edit an alert or incident that matches the playbook trigger. The alert or incident must be in a status other than Closed.

When one of the above actions is completed, the playbook requests the user's approval to launch. For more information on how to approve the playbook, see Approving playbooks or response actions.
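The launch rules described on this page (the three operation modes, the approval request in the Training mode, the role requirement for manual launch, and the choices offered when the same playbook is already running for an alert or incident) can be written down as a small state model. The following Python is an added example for this page; it is not Kaspersky Next XDR Expert code or its API. The alert and incident fields ("id", "kind", "severity", "status"), the "wait", "terminate" and "close" labels for the three buttons, and the "Viewer" role used as a negative case are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

# Constructed model of the launch rules this page describes; not Kaspersky's API.
# Alert/incident fields ("id", "kind", "severity", "status") are assumptions.

class Mode(Enum):
    AUTO = "Auto"
    TRAINING = "Training"
    MANUAL = "Manual"

class Status(Enum):
    AWAITING_APPROVAL = "Awaiting approval"
    IN_PROGRESS = "In progress"
    COMPLETED = "Completed"
    TERMINATED = "Terminated"

# Roles the page lists as allowed to launch a playbook manually.
MANUAL_LAUNCH_ROLES = {"Main administrator", "Junior analyst", "Tier 1 analyst",
                       "Tier 2 analyst", "Tenant administrator"}

@dataclass
class Playbook:
    name: str
    mode: Mode
    scope: str                                  # "alert" or "incident"
    trigger: Optional[Callable[[dict], bool]]   # None for Manual mode: no trigger

    def matches(self, obj: dict) -> bool:
        # Assumption: a playbook matches an object of its scope whose fields satisfy the trigger.
        return obj["kind"] == self.scope and (self.trigger is None or self.trigger(obj))

@dataclass
class Instance:
    playbook: str
    object_id: str
    status: Status

class PlaybookEngine:
    def __init__(self) -> None:
        self.instances: list[Instance] = []
        self.queued: set[tuple[str, str]] = set()   # launches deferred via "Wait and launch"

    def _find(self, playbook: Playbook, obj: dict, status: Status) -> Optional[Instance]:
        for inst in self.instances:
            if (inst.playbook, inst.object_id, inst.status) == (playbook.name, obj["id"], status):
                return inst
        return None

    def _start(self, name: str, object_id: str, status: Status) -> Instance:
        inst = Instance(name, object_id, status)
        self.instances.append(inst)
        return inst

    def on_detection(self, playbook: Playbook, obj: dict, event: str = "created") -> Optional[Instance]:
        """Object created or edited: Auto launches, Training asks for approval, Manual never triggers."""
        if playbook.mode is Mode.MANUAL or not playbook.matches(obj):
            return None
        if event == "edited" and obj.get("status") == "Closed":
            return None  # an edited object must be in a status other than Closed
        status = Status.IN_PROGRESS if playbook.mode is Mode.AUTO else Status.AWAITING_APPROVAL
        return self._start(playbook.name, obj["id"], status)

    def launch_manually(self, playbook: Playbook, obj: dict, role: str,
                        on_conflict: str = "wait") -> tuple[str, Optional[Instance]]:
        """Manual launch; on_conflict is the button chosen when the playbook is already running:
        "wait" (Wait and launch), "terminate" (Terminate and launch a new one) or "close"."""
        if role not in MANUAL_LAUNCH_ROLES:
            raise PermissionError(f"role {role!r} may not launch playbooks manually")
        if not playbook.matches(obj):
            return ("no match", None)
        awaiting = self._find(playbook, obj, Status.AWAITING_APPROVAL)
        if awaiting is not None:            # manual launch approves the pending instance
            awaiting.status = Status.IN_PROGRESS
            return ("approved", awaiting)
        running = self._find(playbook, obj, Status.IN_PROGRESS)
        if running is not None:
            if on_conflict == "close":
                return ("cancelled", None)
            if on_conflict == "wait":
                self.queued.add((playbook.name, obj["id"]))
                return ("queued", None)
            if on_conflict != "terminate":
                raise ValueError(f"unknown conflict choice {on_conflict!r}")
            running.status = Status.TERMINATED
        return ("launched", self._start(playbook.name, obj["id"], Status.IN_PROGRESS))

    def complete(self, inst: Instance) -> Optional[Instance]:
        """Finish an instance and start the launch deferred with "Wait and launch", if any."""
        inst.status = Status.COMPLETED
        key = (inst.playbook, inst.object_id)
        if key not in self.queued:
            return None
        self.queued.discard(key)
        return self._start(*key, Status.IN_PROGRESS)
```

The role check runs before anything else so that an unprivileged caller learns nothing about which playbooks match; the "queued" outcome is stored per playbook and object, which is why Wait and launch starts exactly one new instance once the current one completes.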

[Topic 265824]