Playbooks
Open Single Management Platform uses playbooks to automate workflows and reduce the time it takes to process alerts and incidents.
A playbook responds to alerts or incidents according to a specified algorithm: a sequence of response actions that help analyze and handle the alert or incident. You can launch a playbook manually or configure it to launch automatically.
Automatic launch is governed by a trigger that you configure when creating the playbook. The trigger defines the conditions that an alert or incident must meet for the playbook to launch automatically.
The scope of a playbook is limited to either alerts or incidents, never both.
Note that a playbook belongs to exactly one tenant. By default it is inherited by all child tenants of that tenant, including child tenants that are added after the playbook is created. You can disable inheritance by child tenants when creating or editing a playbook.
In Open Single Management Platform, there are two types of playbooks:
- Predefined playbooks
Predefined playbooks are created by Kaspersky experts. These playbooks are marked with the [KL] prefix in the name and cannot be edited or deleted.
By default, predefined playbooks operate in the Training operation mode. For more information, refer to the Predefined playbooks section.
- Custom playbooks
You can create and configure playbooks yourself. When creating a custom playbook, you need to specify a playbook scope (alert or incident), a trigger for launching the playbook automatically, and an algorithm for responding to threats. For details about creating a playbook, see Creating playbooks.
Operation modes
You can configure both automatic and manual launch of playbooks. Whether a playbook can be launched automatically, only after approval, or only by hand depends on its operation mode.
The operation modes are:
- Auto. A playbook in this operation mode automatically launches when corresponding alerts or incidents are detected.
- Training. When corresponding alerts or incidents are detected, a playbook in this operation mode requests the user's approval before launching.
- Manual. A playbook in this operation mode can only be launched manually.
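To make the launch rules above concrete, the following model combines the four things the page says decide a launch: the playbook's scope (alert or incident), its trigger, its operation mode, and tenant inheritance (including a playbook whose inheritance has been disabled). This is an added illustrative example, not Open Single Management Platform's own code or API; every class, field and playbook name, and the sample tenants and events, are assumptions made for illustration.

```python
# Added illustrative model of how a playbook's scope, trigger, operation mode and
# tenant inheritance decide whether it launches. Not OSMP code; all names are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Scope(Enum):
    ALERT = "alert"          # a playbook handles either alerts or incidents, never both
    INCIDENT = "incident"


class Mode(Enum):
    AUTO = "auto"            # launches as soon as the trigger matches
    TRAINING = "training"    # trigger matches -> ask a user for approval first
    MANUAL = "manual"        # never launched by a trigger


@dataclass
class Tenant:
    name: str
    parent: Optional["Tenant"] = None

    def is_descendant_of(self, other: "Tenant") -> bool:
        """True if `other` is an ancestor (parent, grandparent, ...) of this tenant."""
        t = self.parent
        while t is not None:
            if t is other:
                return True
            t = t.parent
        return False


@dataclass
class Event:
    kind: Scope        # alert or incident
    tenant: Tenant     # tenant that owns the alert/incident
    fields: dict       # constructed attributes the trigger inspects


@dataclass
class Playbook:
    name: str
    scope: Scope
    mode: Mode
    tenant: Tenant                    # the single owning tenant
    trigger: Callable[[dict], bool]   # condition the alert/incident must meet
    inherit: bool = True              # child tenants inherit unless disabled
    predefined: bool = False          # "[KL]" playbooks cannot be edited or deleted


def applies_to_tenant(pb: Playbook, tenant: Tenant) -> bool:
    """The owning tenant always has the playbook; descendants only if inheritance is on."""
    return tenant is pb.tenant or (pb.inherit and tenant.is_descendant_of(pb.tenant))


def decide(pb: Playbook, ev: Event) -> Optional[str]:
    """Return 'launch', 'await_approval', or None (nothing happens automatically)."""
    if pb.scope is not ev.kind or not applies_to_tenant(pb, ev.tenant):
        return None
    if pb.mode is Mode.MANUAL or not pb.trigger(ev.fields):
        return None
    return "launch" if pb.mode is Mode.AUTO else "await_approval"


def dispatch(playbooks: list, ev: Event) -> dict:
    """Map every playbook that reacts to `ev` to the action the platform would take."""
    return {pb.name: a for pb in playbooks if (a := decide(pb, ev)) is not None}


def can_edit(pb: Playbook) -> bool:
    """Predefined playbooks are read-only regardless of the user's role."""
    return not pb.predefined


# Constructed sample data: a parent tenant with one child tenant and five playbooks.
ROOT = Tenant("Root")
CHILD = Tenant("Child", parent=ROOT)
SAMPLE_PLAYBOOKS = [
    Playbook("Isolate host", Scope.ALERT, Mode.AUTO, ROOT, lambda f: f.get("severity") == "high"),
    Playbook("[KL] Notify analyst", Scope.ALERT, Mode.TRAINING, ROOT, lambda f: True, predefined=True),
    Playbook("Collect forensics", Scope.ALERT, Mode.MANUAL, ROOT, lambda f: True),
    Playbook("Escalate incident", Scope.INCIDENT, Mode.AUTO, ROOT, lambda f: True),
    Playbook("Root-only enrichment", Scope.ALERT, Mode.AUTO, ROOT, lambda f: True, inherit=False),
]


def run_samples() -> dict:
    """Dispatch three constructed events and return the decisions for each."""
    return {
        "high_alert_in_child": dispatch(SAMPLE_PLAYBOOKS, Event(Scope.ALERT, CHILD, {"severity": "high"})),
        "low_alert_in_root": dispatch(SAMPLE_PLAYBOOKS, Event(Scope.ALERT, ROOT, {"severity": "low"})),
        "incident_in_child": dispatch(SAMPLE_PLAYBOOKS, Event(Scope.INCIDENT, CHILD, {})),
    }


if __name__ == "__main__":
    for name, decisions in run_samples().items():
        print(f"{name}: {decisions}")
```

Running the samples shows the behaviour the page describes: a high-severity alert in the child tenant launches the Auto playbook and puts the Training playbook on hold for approval, while the Manual playbook, the incident-scoped playbook, and the playbook whose inheritance was disabled do nothing; the same non-inherited playbook does launch for an alert in its own tenant.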
User roles
You grant users the rights to manage playbooks by assigning user roles to them.
The table below lists the playbook-related rights that each user role grants.
User role | Read | Write | Delete | Execute | Response confirmation
---|---|---|---|---|---
Main administrator | | | | |
SOC administrator | | | | |
Junior analyst | | | | |
Tier 1 analyst | | | | |
Tier 2 analyst | | | | |
SOC manager | | | | |
Approver | | | | |
Observer | | | | |
Tenant administrator | | | | |