Editing alerts by using playbooks

Expand all | Collapse all

Kaspersky Next XDR Expert allows you to edit incidents manually or by using playbooks. When creating a playbook, you can configure the playbook algorithm to edit the alert properties.

To edit an alert by using a playbook, you must have one of the following XDR roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

You cannot edit alerts that have the Closed status.

You can edit the following alerts properties by using the playbook:

• Assignee
• Alert status
• Comment
• ExternalReference attribute
• Additional data attribute

Examples of the expressions that you can use in the playbook algorithm to edit the alert properties:

• Assigning an alert to a user

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "assignAlert",

  "params": {

  "assignee": {

  "id": "user_ID"

  }

  }

  }

  }

  }

  ]

  }

  When you edit an assignee in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an incident assignee, you can search the corresponding record by the user's name, and the ID will be specified in the algorithm.

• Unassigning an alert from a user

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "assignAlert",

  "params": {

  "assignee": {

  "id": "nobody"

  }

  }

  }

  }

  }

  ]

  }

• Changing the alert status

  To change the alert status to In progress:

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "setAlertStatus",

  "params": {

  "status": "inProgress"

  }

  }

  }

  }

  ]

  }

  To change the alert status to Closed:

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "setAlertStatus",

  "params": {

  "status": "closed",

  "statusResolution": "truePositive"

  }

  }

  }

  }

  ]

  }

  You can also specify the following values for the statusResolution parameter: falsePositive and lowPriority.

  When you edit an alert status in the playbook algorithm, the following suggestions can be displayed: new, inProgress, closed.

• Adding a comment to an alert

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "addCommentToAlert",

  "params": {

  "text": "${ \"New comment for alert with ID: \" + alert.InternalID }"

  }

  }

  }

  }

  ]

  }

• Editing the ExternalReference attribute

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "setAlertExternalRef",

  "params": {

  "externalRef": "${ \"Appended externalRef for alert with ID: \" + alert.InternalID }",

  "mode": "append"

  }

  }

  }

  }

  ]

  }

  To replace the current value of the ExternalReference attribute in the alert with the value from the playbook, specify the replace value for the mode parameter.

• Editing the Additional data attribute

  {

  "dslSpecVersion": "1.1.0",

  "version": "1",

  "actionsSpecVersion": "1",

  "executionFlow": [

  {

  "action": {

  "function": {

  "type": "addAlertAdditionalData",

  "params": {

  "data": "${ {\"customKey_1 (alert.InternalID)\": (\"customValue_1 (\" + alert.InternalID + \")\" )} }",

  "mode": "append"

  }

  }

  }

  }

  ]

  }

  To replace the current value of the AdditionalData attribute in the alert with the value from the playbook, specify the replace value for the mode parameter.