You can create a playbook to automate threat analysis and threat response.
To create a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, Tenant administrator.
Kaspersky Next XDR Expert also allows you to create a new playbook that will meet your needs, based on an existing one. For details, refer to Customizing playbooks.
To create a new playbook:
The Create playbook window opens.
All child tenants of the selected parent tenant automatically inherit this playbook. To disable playbook inheritance, clear the check box next to any child tenant; inheritance is then disabled for all child tenants.
If you select a child tenant, all parent tenants will be selected automatically.
Note that the playbook name must be unique and cannot be more than 255 characters long.
The playbook name must not contain any of the following special characters: < (less-than sign), > (greater-than sign), " (double quotation mark).
Note that the maximum tag length is 50 characters.
The Launching rule list is displayed only if the Auto operation mode is selected.
To describe the trigger condition, use jq expressions. For more information about jq expressions, refer to jq Manual.
Depending on the option you select in the Scope list when creating or editing a playbook, either the alert data model or the incident data model is used.
For example, to filter alerts or incidents by critical severity, specify the following expression:
.Severity == "critical"
You can also specify complex expressions to filter alerts or incidents.
For example, to filter critical alerts or incidents by rule name, specify the following expression:
[(.Severity == "critical") and (.Rules[] |.Name | contains("Rule_1"))]
where .Rules[] | .Name is the name of the triggered rule.
jq expressions are validated. If you specify an incorrect expression in the Trigger section, the error is marked in red. To view the details, hover the mouse cursor over the error.
If you select the Manual operation mode, the Trigger section is unavailable.
You can also request a full list of alerts or incidents. To do this, in the Trigger section, enter true, and then click the Find button.
The full list of alerts or incidents is displayed.
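To see how the trigger expressions above behave on actual records, here is an added shell example (not from the Kaspersky documentation) that runs them through the jq command-line tool against constructed alerts. The alert IDs and rule names are made up, the any(...) variant is my own suggestion, and whether the product expects a single boolean per alert rather than an array of booleans is an assumption this page does not settle.

```shell
#!/bin/sh
# Added example: evaluate playbook trigger expressions with the jq CLI
# against constructed alert records. Only the field names Severity and
# Rules[].Name come from the documentation; the values are invented.
set -eu

# Constructed sample alerts: one critical alert triggered by Rule_1 and Rule_7,
# one critical alert triggered by a different rule, and one low-severity alert.
ALERTS='[
  {"ID": "a-1", "Severity": "critical", "Rules": [{"Name": "Rule_1"}, {"Name": "Rule_7"}]},
  {"ID": "a-2", "Severity": "critical", "Rules": [{"Name": "Rule_2"}]},
  {"ID": "a-3", "Severity": "low",      "Rules": [{"Name": "Rule_1"}]}
]'

# The rule-name filter exactly as documented: it yields one boolean per
# triggered rule, collected into an array.
DOC_RULE_EXPR='[(.Severity == "critical") and (.Rules[] | .Name | contains("Rule_1"))]'

# Assumed variant (not from the page): any() collapses the per-rule results
# into a single boolean, which is what select() below needs.
ANY_RULE_EXPR='(.Severity == "critical") and any(.Rules[]; .Name | contains("Rule_1"))'

# Evaluate a trigger expression ($2) against one alert ($1, 0-based index)
# and print jq's raw result in compact form.
evaluate_trigger() {
  printf '%s' "$ALERTS" | jq -c ".[$1] | $2"
}

# Print, space separated, the IDs of all alerts for which the trigger
# expression ($1) is truthy. With the expression "true" every alert is
# listed, mirroring "enter true, then click Find" in the Trigger section.
# Caveat: in jq only false and null are falsy, so an array such as [false]
# is truthy; the documented array form therefore matches every alert here.
matching_ids() {
  printf '%s' "$ALERTS" | jq -r "[.[] | select($1) | .ID] | join(\" \")"
}

echo "critical alerts:        $(matching_ids '.Severity == "critical"')"
echo "doc expr on a-1:        $(evaluate_trigger 0 "$DOC_RULE_EXPR")"
echo "doc expr on a-2:        $(evaluate_trigger 1 "$DOC_RULE_EXPR")"
echo "any() variant matches:  $(matching_ids "$ANY_RULE_EXPR")"
echo "array form via select:  $(matching_ids "$DOC_RULE_EXPR")"
```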
If necessary, you can copy an algorithm from another playbook. To do this, do the following:
The Copy from another playbook window opens.
The algorithm of the selected playbook is added to the Algorithm section.
jq expressions and JSON syntax are validated. If you specify an incorrect expression in the Algorithm section, the error is marked in red. To view the details, hover the mouse cursor over the error.
If you want to launch the new playbook for existing alerts or incidents that match the trigger, select the "Launch the playbook for all matching alerts or incidents. Note that the system may be overloaded" check box.
A new playbook is created and displayed in the list of playbooks.