Kaspersky Next XDR Expert

Launching playbooks and response actions

Launching playbooks

Depending on your needs, you can configure the way to launch the playbook. You can select one of the following operation modes during the playbook creation:

  • Auto. Select this operation mode if you want to automate the launch of the playbook and its response actions.

    Playbooks in this mode help automate threat response, and also reduce the time it takes to analyze alerts and incidents.

  • Training. Select this operation mode if you want to check if the playbook is configured correctly.

    Playbooks in this mode will not be launched automatically when a corresponding alert or incident is detected. Instead, the playbook requests the user's approval to launch.

  • Manual. Select this operation mode if you want to launch the playbook manually only.

    Playbooks in this mode have no trigger, so you can launch such playbooks for any alert or incident, depending on the selected playbook scope. For more details, see Launching playbooks manually.

You can also change the operation mode of the existing playbook. For more details, see Editing playbooks.

Launching response actions

Response actions can be launched manually, automatically within a playbook, or can be configured to request the user's approval before launching within the playbook. By default, manual approval of the response action is disabled.

For more details on how to configure the manual approval of a response action launched within the playbook, see Configuring manual approval of response actions.

In this section

Launching playbooks manually

Launching playbooks for objects specified by users

Launching playbooks in the Training operation mode

[Topic 249293]

Launching playbooks manually

Kaspersky Next XDR Expert allows you to manually launch any playbook that matches alerts or incidents you want to respond to.

To launch a playbook manually, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

You can also launch a playbook for observables and assets if you have specified these objects when creating the playbook and when launching it.

Launching a playbook for an alert

To launch a playbook manually for an alert:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the table of alerts, click the link with the ID of the alert for which you want to launch the playbook.
  3. In the Alert details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the alert, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this alert, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button.

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected alert. After the playbook is completed, you will receive a notification.

Launching a playbook for an incident

To launch a playbook manually for an incident:

  1. In the main menu, go to Monitoring & reporting → Incidents, and then select the XDR incidents tab.
  2. In the table of incidents, click the link with the ID of the incident for which you want to launch the playbook.
  3. In the Incident details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the incident, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this incident, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button.

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected incident. After the playbook is completed, you will receive a notification.

[Topic 249272]

Launching playbooks for objects specified by users

You can specify observables and assets for which a playbook must run. You have to create a playbook with the following settings:

  • In the Scope list, select Alert or Incident.
  • In the Operation mode list, select Manual.
  • In the Algorithm section, when setting a response action, use jq expressions to specify the objects (observables or assets) for which you want the playbook to launch. These objects will be the input to the playbook when it is launched.

If you do not specify the objects in the playbook algorithm and only select them before launching the playbook, these objects will be ignored.

After the playbook is created, you can launch it for the selected objects.

To do this, you must have one of the following XDR roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

To launch a playbook for the selected objects:

  1. In the main menu, go to the Monitoring & reporting section, and then in the Alerts or Incidents section, click the ID of the alert or incident from which you want to launch the playbook.
  2. In the details window that opens, click the Select playbook button.

    The Select playbook window opens.

  3. Select the Select target objects before launching the playbook option, and then click the Launch button.
  4. In the Target objects window that opens, select the objects from the Observables and Assets tabs for which you want to launch the playbook, and then click the Apply and launch button.

    The playbook is launched for the objects you selected.

You can view the result of the playbook from the History tab in the alert or incident details, from the playbook History tab, and from the Response history section.

For example, suppose you have a script that is called by the executeCustomScript response action. When creating the playbook, in the Algorithm section, you configure the executeCustomScript response action to use the playbook input data, so that the script runs for the observables of the IP type that you select when launching the playbook. The script receives the selected IP addresses as a parameter:

{
  "dslSpecVersion": "1.1.0",
  "version": "1",
  "actionSpecVersion": "1",
  "executionFlow": [
    {
      "action": {
        "function": {
          "type": "executeCustomScript",
          "params": {
            "commandLine": "./script.py",
            "commandLineParameters": "${ \"-ip \" + ([.input.observables[] | select(.type == \"ip\")] | map(.value) | join(\",\")) }",
            "workingDirectory": "/folder/with/script"
          }
        },
        "onError": "stop"
      }
    },
    {
      "action": {
        "function": {
          "type": "updateBases",
          "params": {
            "wait": false
          },
          "assets": "${ [.input.assets[] | select(.Type == \"host\") | .ID] }"
        }
      }
    }
  ]
}

Suppose the following objects are passed to the playbook as input. The script must receive the IP addresses from this input as a comma-separated list:

{
  "input": {
    "observables": [
      {
        "type": "ip",
        "value": "127.0.0.1"
      },
      {
        "type": "ip",
        "value": "127.0.0.2"
      },
      {
        "type": "md5",
        "value": "29f975b01f762f1a6d2fe1b33b8e3e6e"
      }
    ],
    "assets": [
      {
        "AttackerOrVictim": "unknown",
        "ID": "c13a6983-0c40-4986-ab30-e85e49f98114",
        "InternalID": "6d831b04-00c2-44f4-b9e3-f7a720643fb7",
        "KSCServer": "E5DE6B73D962B18E849DC0BF5A2BA72D",
        "Name": "VIM-W10-64-01",
        "Type": "host"
      }
    ]
  }
}

After the jq expressions are evaluated against the playbook input data, the following string is passed to the script as its command line parameters:

-ip 127.0.0.1,127.0.0.2

For a playbook expecting input data, if you specified different types of objects when creating the playbook and when launching it, or if you did not select the Select target objects before launching the playbook option, the playbook will finish with one of the following results:

  • An error will occur because the playbook did not receive input data.
  • The action will not be performed because the playbook contains a condition or a loop that is based on the input data.
  • The result will depend on the response of the application, service, or script that performs the action.
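The evaluation described above, written out as an added Python example that is not part of the Kaspersky documentation or product: it re-implements the two jq filters from the playbook algorithm over a constructed copy of the sample input, returns the exact command line string shown above, and makes the first failure mode visible, since a launch that supplies no IP observables yields no parameters instead of an empty "-ip " string. The IP validation step before the values reach the command line is a defensive addition of this example, not a behaviour of the product.

```python
import ipaddress

# Constructed sample input, mirroring the shape of the playbook input shown above
# (observables carry "type"/"value"; assets carry "Type"/"ID").
SAMPLE_INPUT = {
    "input": {
        "observables": [
            {"type": "ip", "value": "127.0.0.1"},
            {"type": "ip", "value": "127.0.0.2"},
            {"type": "md5", "value": "29f975b01f762f1a6d2fe1b33b8e3e6e"},
        ],
        "assets": [
            {
                "ID": "c13a6983-0c40-4986-ab30-e85e49f98114",
                "Name": "VIM-W10-64-01",
                "Type": "host",
            }
        ],
    }
}


def ip_observable_values(data):
    """Python equivalent of the jq filter
    [.input.observables[] | select(.type == "ip")] | map(.value)
    """
    return [o["value"] for o in data["input"]["observables"] if o.get("type") == "ip"]


def build_command_line_parameters(data):
    """Python equivalent of the playbook expression
    ${ "-ip " + (... | join(",")) }

    Returns None instead of an empty "-ip " when the launch supplied no IP
    observables (the "playbook did not receive input data" case), so a caller
    can stop the action rather than run the script with missing input.
    """
    values = ip_observable_values(data)
    if not values:
        return None
    # Defensive check added in this example: observable values come from alert
    # data, so only syntactically valid IP addresses are allowed to reach the
    # script's command line. ipaddress.ip_address raises ValueError otherwise.
    for value in values:
        ipaddress.ip_address(value)
    return "-ip " + ",".join(values)


def host_asset_ids(data):
    """Python equivalent of the jq filter
    [.input.assets[] | select(.Type == "host") | .ID]
    """
    return [a["ID"] for a in data["input"]["assets"] if a.get("Type") == "host"]


if __name__ == "__main__":
    print(build_command_line_parameters(SAMPLE_INPUT))  # -ip 127.0.0.1,127.0.0.2
    print(host_asset_ids(SAMPLE_INPUT))

    # Failure mode from the text: a launch that selected only an md5 observable.
    md5_only = {
        "input": {
            "observables": [{"type": "md5", "value": "29f975b01f762f1a6d2fe1b33b8e3e6e"}],
            "assets": [],
        }
    }
    print(build_command_line_parameters(md5_only))  # None
```

Running the block prints the same "-ip 127.0.0.1,127.0.0.2" string the documentation shows, and the md5-only input illustrates why a playbook that expects IP observables should treat an empty selection as an error rather than start the script with no addresses.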

[Topic 281686]

Launching playbooks in the Training operation mode

The Training operation mode allows you to check if the playbook is configured correctly. This can be helpful if you are planning to change the playbook operation mode to Auto.

All playbooks in the Training operation mode request the user's approval to launch.

To launch a playbook in the Training operation mode, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

The playbook in the Training operation mode cannot be launched automatically when a triggering alert or incident is detected. You can test launching the playbook in the Training operation mode in one of the following ways:

  • Create an alert or incident that matches the playbook trigger.
  • Edit an alert or incident that matches the playbook trigger. The alert or incident must be in a status other than Closed.

When one of the above actions is completed, the playbook requests the user's approval to launch. For more information on how to approve the playbook, see Approving playbooks or response actions.

[Topic 265824]