Launching playbooks manually
Kaspersky Next XDR Expert allows you to manually launch any playbook that matches alerts or incidents you want to respond to.
To launch a playbook manually, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.
You can also launch a playbook for observables and assets if you have specified these objects when creating the playbook and when launching it.
Launching a playbook for an alert
To launch a playbook manually for an alert:
- In the main menu, go to Monitoring & reporting → Alerts.
- In the table of alerts, click the link with the ID of the alert for which you want to launch the playbook.
- In the Alert details window that opens, click the Select playbook button.
The Select playbook window opens.
- In the list of playbooks that match the alert, select the playbook you want to launch, and then click the Launch button.
If the selected playbook is already running for this alert, in the Monitoring & reporting window that appears, do one of the following:
- If you want to wait until the current playbook instance is completed, click the Wait and launch button.
The new playbook instance will be launched after the current one is completed.
- If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.
The current playbook instance will be terminated and the new one will be launched.
- If you want to cancel the new playbook launch, click the Close button (
).
If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.
- If you want to wait until the current playbook instance is completed, click the Wait and launch button.
The playbook is launched for the selected alert. After the playbook is completed, you will receive a notification.
Launching a playbook for an incident
To launch a playbook manually for an incident:
- In the main menu, go to Monitoring & reporting → Incidents, and then select the XDR incidents tab.
- In the table of incidents, click the link with the ID of the incident for which you want to launch the playbook.
- In the Incident details window that opens, click the Select playbook button.
The Select playbook window opens.
- In the list of playbooks that match the incident, select the playbook you want to launch, and then click the Launch button.
If the selected playbook is already running for this incident, in the Monitoring & reporting window that appears, do one of the following:
- If you want to wait until the current playbook instance is completed, click the Wait and launch button.
The new playbook instance will be launched after the current one is completed.
- If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.
The current playbook instance will be terminated and the new one will be launched.
- If you want to cancel the new playbook launch, click the Close button ().
If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.
- If you want to wait until the current playbook instance is completed, click the Wait and launch button.
The playbook is launched for the selected incident. After the playbook is completed, you will receive a notification.
Page top