Playbooks

Open Single Management Platform uses playbooks that allow you to automate workflows and reduce the time it takes to process alerts and incidents.

Playbooks respond to alerts or incidents according to the specified algorithm. Playbook launches an algorithm that includes a sequence of response actions that help analyze and handle alerts or incidents. You can launch the playbook manually or configure the automatic launch of the playbook you need.

The automatic launch of playbooks is performed according to the trigger that you configure when creating a playbook. A trigger defines the conditions that an alert or incident must meet to launch this playbook automatically.

One playbook scope is limited to only alerts or only incidents.

Note that the playbook can only belong to one tenant and it is automatically inherited by all child tenants of the parent tenant, including child tenants that will be added after the playbook is created. You can disable playbook inheritance by child tenants when creating or editing a playbook.

In Open Single Management Platform, there are two types of playbooks:

• Predefined playbooks

  Predefined playbooks are created by Kaspersky experts. These playbooks are marked with the [KL] prefix in the name and cannot be edited or deleted.

  By default, predefined playbooks operate in the Training operation mode. For more information, refer to the Predefined playbooks section.

• Custom playbooks

  You can create and configure playbooks yourself. When creating a custom playbook, you need to specify a playbook scope (alert or incident), a trigger for launching the playbook automatically, and an algorithm for responding to threats. For details about creating a playbook, see Creating playbooks.

Operation modes

You can configure both automatic and manual launch of playbooks. The way to launch the playbook depends on the selected operation mode.

These are the following types of operation modes:

• Auto. A playbook in this operation mode automatically launches when corresponding alerts or incidents are detected.
• Training. When corresponding alerts or incidents are detected, a playbook in this operation mode requests the user's approval to launch.
• Manual. A playbook in this operation mode can only be launched manually.

User roles

You grant user rights to manage playbooks by assigning user roles to the users.

The table below shows access rights for managing playbooks and performing the user actions.

User role	User right
	Read	Write	Delete	Execute	Response confirmation
Main administrator
SOC administrator
Junior analyst
Tier 1 analyst
Tier 2 analyst
SOC manager
Approver
Observer
Tenant administrator

In this section Viewing the playbooks table Creating playbooks Editing playbooks Customizing playbooks Viewing playbook properties Terminating playbooks Deleting playbooks Launching playbooks and response actions Configuring manual approval of response actions Approving playbooks or response actions Enrichment from playbook Viewing response history Predefined playbooks Playbook trigger Playbook algorithm Editing incidents by using playbooks Editing alerts by using playbooks

Page top