Enrichment from playbook

May 15, 2024

ID 265935

After you configure integration between Kaspersky Next XDR Expert and Kaspersky TIP, you can obtain information about the reputation of observables related to an alert or incident from Kaspersky TIP or Kaspersky OpenTIP, and then enrich the obtained data.

You can obtain information only for observables with the following types: domain, URL, IP, MD5, SHA256.
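Because only those five observable types can be sent for reputation lookup, it helps to sort observables by type before a playbook (or a manual step) requests enrichment. The following classifier is an added example and is not code from Kaspersky or from this page; the function names, the regular expressions and the sample observables are my own assumptions and constructions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Observable types accepted for Kaspersky TIP / OpenTIP enrichment, as listed on this page.
SUPPORTED_TYPES = ("domain", "URL", "IP", "MD5", "SHA256")

# Hex-digest lengths for the two supported hash types (MD5 = 32, SHA256 = 64).
_MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Hostname labels of 1-63 chars, no leading/trailing hyphen, alphabetic TLD, max 253 chars total.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-zA-Z0-9-]{1,63}(?<!-)\.)+[a-zA-Z]{2,63}$")


def classify_observable(value: str):
    """Return the page's type label for value, or None if the type is not enrichable.

    Hashes are tested first so that hex strings are never mistaken for hostnames;
    IPs (v4 and v6) are validated with the standard library rather than a regex.
    Schemeless URLs such as 'host/path' are deliberately not recognised (assumption).
    """
    v = value.strip()
    if _MD5_RE.match(v):
        return "MD5"
    if _SHA256_RE.match(v):
        return "SHA256"
    try:
        ipaddress.ip_address(v)
        return "IP"
    except ValueError:
        pass
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "URL"
    if _DOMAIN_RE.match(v):
        return "domain"
    return None


def select_for_enrichment(observables):
    """Group observables by supported type; anything else (SHA1, e-mail, ...) is skipped."""
    eligible = {t: [] for t in SUPPORTED_TYPES}
    skipped = []
    for obs in observables:
        t = classify_observable(obs)
        if t is None:
            skipped.append(obs)
        else:
            eligible[t].append(obs)
    return eligible, skipped


if __name__ == "__main__":
    # Constructed sample observables, as they might appear on an alert's Observables tab.
    sample = [
        "example.com",
        "https://example.com/login",
        "192.0.2.10",
        "d41d8cd98f00b204e9800998ecf8427e",
        "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # SHA1: not a supported type
        "user@example.com",
    ]
    ok, skip = select_for_enrichment(sample)
    for t, items in ok.items():
        print(f"{t}: {items}")
    print(f"skipped (unsupported type): {skip}")
```

Run the sorting step before the enrichment request so that the playbook only submits observables Kaspersky TIP or Kaspersky OpenTIP can look up; the skipped list is worth logging, since an unsupported type (for example a SHA1 hash) silently yields no reputation data.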

You can configure data enrichment to run automatically. To do this, when creating or editing a playbook, in the Algorithm section you must specify the following:

  1. Data source.

    You can specify one of the following services:

    • Kaspersky TIP
    • Kaspersky OpenTIP

  2. Limit for data returned by Kaspersky TIP or Kaspersky OpenTIP, if necessary.

    You can specify one of the following values:

    • All records
    • Top100

      This value is set by default.

  3. Observable for which the playbook requests data from Kaspersky TIP or Kaspersky OpenTIP.

In the playbook algorithm, you can use the enrichment output parameters, which correspond to the fields that Kaspersky TIP returns.

You can view the enrichment result for all observables related to an alert or incident in one of the following ways:

  • From the alert or incident details
  • From a response history
  • From a playbook

To view an enrichment result:

  1. In the main menu, go to the Monitoring & reporting section, and then do one of the following:
    • If you want to view the result from an alert or incident details, go to the Alerts or Incidents section, and then click the ID of the alert or incident for which the enrichment was performed. In the window that opens, go to the History tab, and then select the Response history tab.
    • If you want to view the result from a response history, go to the Response history section.
    • If you want to view the result from a playbook, go to the Playbooks section, and then click the name of the playbook for which the enrichment was performed. In the window that opens, go to the History tab.
  2. In the Action status column, click the status of the playbook for which you want to view the enrichment result.

You can also obtain the information from Kaspersky TIP, and then enrich data manually on the Observables tab in alert or incident details.
