ResponseFunction parameters

May 15, 2024

ID 270357

Parameter ID

Description

responseAction

Response action name.

params

Parameters of the response action you want to launch. You can specify the parameter as a jq expression or as an object. The parameters of each response action are described in the table below.

assets

A jq expression or a string array with the list of assets for which you want to launch the response action. The assets parameter is required for response actions that act on assets and is not applicable to response actions without assets.

Response action parameters

Response action name

Parameters

updateBases

Update databases response action. Possible parameters:

  • wait. Possible values:
    • true
    • false

To launch this response action, you need to specify the assets parameter of the response function.

avScan

Run malware scan response action. Possible parameters:

  • wait. Possible values:
    • true
    • false
  • scope. Possible values:
    • full—Perform a full scan of the device where the alert is detected.
    • critical—Perform a scan of the kernel memory, running processes, and disk boot sectors.
    • selective—Perform a scan of the specified files. To specify a path to the files, use the path parameter.
  • allowScanNetworkDrives. Possible values:
    • true
    • false

    By default, the value is false.

    This option is available only if you want to perform a full scan.

    Note that scanning network drives can overload the system.

  • path—A jq expression or a string with a path to the files you want to scan. You can also specify multiple file paths.

To launch this response action, you need to specify the assets parameter of the response function.
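The following builder is an added example, not code from Kaspersky's documentation or product. It composes the responseAction / params / assets object described in the tables above for updateBases and avScan and enforces the stated rules before anything is submitted: scope must be full, critical or selective; path is required for a selective scan and unused otherwise; allowScanNetworkDrives is accepted only for a full scan; both actions need a non-empty assets list. The Python dict layout is an assumption taken from the parameter tables; how the object is embedded in a playbook is not covered here.

```python
"""Parameter builders for the updateBases and avScan response actions.

Added example, not Kaspersky's own code. The responseAction / params /
assets dict layout is assumed from the parameter tables on this page.
"""
from typing import Iterable, List, Union

SCOPES = ("full", "critical", "selective")


def _assets(assets: Iterable[str]) -> List[str]:
    """Both actions act on assets, so an empty list is rejected up front."""
    items = [a for a in assets if a]
    if not items:
        raise ValueError("the assets parameter is required for this response action")
    return items


def update_bases(assets: Iterable[str], wait: bool = True) -> dict:
    """updateBases takes only the wait flag."""
    return {"responseAction": "updateBases",
            "params": {"wait": wait},
            "assets": _assets(assets)}


def av_scan(assets: Iterable[str], scope: str = "full", *, wait: bool = True,
            path: Union[str, List[str], None] = None,
            allow_scan_network_drives: bool = False) -> dict:
    """avScan with the scope / path / allowScanNetworkDrives rules applied."""
    items = _assets(assets)
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {SCOPES}, got {scope!r}")
    if scope == "selective":
        if not path:
            raise ValueError("a selective scan requires the path parameter")
    elif path:
        raise ValueError("path is only used with scope=selective")
    if allow_scan_network_drives and scope != "full":
        raise ValueError("allowScanNetworkDrives is available only for a full scan")

    params: dict = {"wait": wait, "scope": scope}
    if scope == "selective":
        # A single path string or a list of paths; the action accepts both.
        params["path"] = path
    if allow_scan_network_drives:
        # The default is false, so the key is emitted only when enabled.
        # Scanning network drives can overload the system; keep it deliberate.
        params["allowScanNetworkDrives"] = True
    return {"responseAction": "avScan", "params": params, "assets": items}


def rejects(builder, *args, **kwargs) -> bool:
    """True when the builder refuses the arguments (used to exercise the rules)."""
    try:
        builder(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import json
    # Constructed sample: hostnames are placeholders, not real assets.
    print(json.dumps(av_scan(["host-1"], "selective",
                             path=r"C:\Users\Public\drop.exe"), indent=2))
    print(rejects(av_scan, ["host-1"], "critical", allow_scan_network_drives=True))
```

Keeping allowScanNetworkDrives opt-in, and rejecting it outside a full scan, mirrors the table: the option exists only for a full scan, defaults to false, and is the one setting that can overload the endpoint.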

moveHostsToAdministrationGroup

Move to group response action. Possible parameters:

  • group—Open Single Management Platform administration group path. For example, HQ/OrgUnit1.

quarantineFile

Move to quarantine response action. Possible parameters:

  • path—Path to the file you want to quarantine.
  • md5—MD5 hash of the file.
  • sha256—SHA256 hash of the file.

You can specify the response action parameters in one of the following ways:

  • Specify the full path to the file you want to quarantine. In this case, you do not need to specify an MD5 hash or a SHA256 hash.
  • Specify the file path and the file hash (MD5 or SHA256).

killProcess

Terminate process response action. Possible parameters:

  • pid—Process identifier.
  • path—Path to the executable file of the process you want to terminate.
  • md5—MD5 hash of the file.
  • sha256—SHA256 hash of the file.

You can specify the response action parameters in one of the following ways:

  • To terminate the process for one asset, specify one of the following parameters:
    • PID
    • Full path to the file
    • File hash (MD5 or SHA256)
  • To terminate the process for several assets, specify one of the following parameters:
    • Full path to the file
    • File hash (MD5 or SHA256)
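The following builders are an added example, not code from Kaspersky's documentation or product. They encode the selection rules listed above for quarantineFile and killProcess: quarantineFile needs the full path and optionally one hash; killProcess needs exactly one of pid, path or hash, and pid is accepted only when the action targets a single asset. The hash syntax checks (32 hexadecimal digits for MD5, 64 for SHA256), the refusal of both hashes at once, and the responseAction / params / assets dict layout are this example's own assumptions.

```python
"""Parameter builders for the quarantineFile and killProcess response actions.

Added example, not Kaspersky's own code. The dict layout and the hash
syntax checks are assumptions made for illustration.
"""
import re
from typing import Iterable, List, Optional

_MD5 = re.compile(r"[0-9a-fA-F]{32}")
_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def _assets(assets: Iterable[str]) -> List[str]:
    items = [a for a in assets if a]
    if not items:
        raise ValueError("the assets parameter is required for this response action")
    return items


def _hash_params(md5: Optional[str], sha256: Optional[str]) -> dict:
    """Return the hash part of params; the table says MD5 or SHA256, so both is refused."""
    if md5 and sha256:
        raise ValueError("specify either an MD5 or a SHA256 hash, not both")
    if md5:
        if not _MD5.fullmatch(md5):
            raise ValueError("md5 must be 32 hexadecimal digits")
        return {"md5": md5.lower()}
    if sha256:
        if not _SHA256.fullmatch(sha256):
            raise ValueError("sha256 must be 64 hexadecimal digits")
        return {"sha256": sha256.lower()}
    return {}


def quarantine_file(assets: Iterable[str], path: str,
                    md5: Optional[str] = None, sha256: Optional[str] = None) -> dict:
    """quarantineFile: path alone is enough; a hash pins the exact file version."""
    if not path:
        raise ValueError("quarantineFile requires the full path to the file")
    params = {"path": path, **_hash_params(md5, sha256)}
    return {"responseAction": "quarantineFile", "params": params, "assets": _assets(assets)}


def kill_process(assets: Iterable[str], pid: Optional[int] = None, path: Optional[str] = None,
                 md5: Optional[str] = None, sha256: Optional[str] = None) -> dict:
    """killProcess: exactly one selector; pid only makes sense on a single host."""
    items = _assets(assets)
    hashes = _hash_params(md5, sha256)
    chosen = [s for s in (pid is not None, bool(path), bool(hashes)) if s]
    if len(chosen) != 1:
        raise ValueError("killProcess takes exactly one of pid, path, or a file hash")
    if pid is not None:
        if len(items) > 1:
            raise ValueError("pid is per host; use path or hash to terminate on several assets")
        if not isinstance(pid, int) or pid <= 0:
            raise ValueError("pid must be a positive integer")
        params = {"pid": pid}
    elif path:
        params = {"path": path}
    else:
        params = hashes
    return {"responseAction": "killProcess", "params": params, "assets": items}


def rejects(builder, *args, **kwargs) -> bool:
    """True when the builder refuses the arguments (used to exercise the rules)."""
    try:
        builder(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values; the hash is a placeholder, not a real file hash.
    print(quarantine_file(["host-1"], r"C:\Users\Public\drop.exe", sha256="ab" * 32))
    print(kill_process(["host-1", "host-2"], path=r"C:\Users\Public\drop.exe"))
```

A PID is only meaningful on the host where it was observed, which is why the multi-asset form of killProcess is limited to path or hash; the builder refuses pid for more than one asset so that the mismatch is caught before the action is dispatched.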

changeAuthorizationStatus

Change authorization status response action. Possible parameter:

  • authorized

netIsolateOn

Enable network isolation response action. Possible parameters:

  • isolationTimeoutSec—Network isolation period. You can specify this parameter in hours or days.

    The minimum value in hours is 5 hours, the maximum is 9999 hours.

    The minimum value in days is 1 day, the maximum is 416 days.

  • exclusions—Exclusion rules. You can specify one or more exclusion rules. Each rule can contain the following fields:
    • remoteIPV4Address—Network traffic from the specified IPv4 address is excluded from the block. For example, 192.168.2.15.
    • remoteIPV6Address—Network traffic from the specified IPv6 address is excluded from the block. For example, 2001:0db8:0000:0000:0000:ff00:0042:8329.
    • remotePortRange—Interval of remote ports.
    • localPortRange—Interval of local ports.

    If remotePortRange and localPortRange are not specified, the exclusion rule applies to all ports.

  • exclusionsConflictBehavior—Defines the behavior if there is a conflict between different exclusion rules. Possible values:
    • replace
    • skip
    • fail
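The following builder is an added example, not code from Kaspersky's documentation or product. It validates netIsolateOn exclusion rules with the standard ipaddress module (a malformed address raises before the isolation is requested), checks the exclusionsConflictBehavior value against the three listed above, and assembles the responseAction / params / assets object. Two points are assumptions of this example rather than facts from the page: port intervals are written as "low-high" strings (the page only says "interval of ports"), and isolationTimeoutSec is treated as a number of seconds, as its name suggests, bounded by the 5-hour and 9999-hour limits quoted above.

```python
"""Parameter builder for the netIsolateOn response action.

Added example, not Kaspersky's own code. Assumptions: port intervals are
"low-high" strings; isolationTimeoutSec is in seconds and must stay within
the 5-hour to 9999-hour window stated on the page.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

CONFLICT_BEHAVIOURS = ("replace", "skip", "fail")
MIN_TIMEOUT_SEC = 5 * 3600        # 5 hours, the stated minimum
MAX_TIMEOUT_SEC = 9999 * 3600     # 9999 hours, the stated maximum


def _port_range(value: Union[str, int]) -> str:
    """Accept 'low-high' or a single port, check 1..65535, return 'low-high'."""
    text = str(value)
    low, _, high = text.partition("-")
    high = high or low
    if not (low.isdigit() and high.isdigit()):
        raise ValueError(f"port range must look like 'low-high', got {text!r}")
    lo, hi = int(low), int(high)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"port range {text!r} is out of order or outside 1..65535")
    return f"{lo}-{hi}"


def exclusion(remote_ipv4: Optional[str] = None, remote_ipv6: Optional[str] = None,
              remote_ports: Union[str, int, None] = None,
              local_ports: Union[str, int, None] = None) -> dict:
    """One exclusion rule; addresses are parsed and emitted in normalised form."""
    rule: dict = {}
    if remote_ipv4:
        rule["remoteIPV4Address"] = str(ipaddress.IPv4Address(remote_ipv4))
    if remote_ipv6:
        # str() gives the compressed form, e.g. 2001:db8::ff00:42:8329
        rule["remoteIPV6Address"] = str(ipaddress.IPv6Address(remote_ipv6))
    # Port ranges are optional: without them the rule applies to all ports.
    if remote_ports is not None:
        rule["remotePortRange"] = _port_range(remote_ports)
    if local_ports is not None:
        rule["localPortRange"] = _port_range(local_ports)
    if not rule:
        raise ValueError("an exclusion rule needs at least one field")
    return rule


def net_isolate_on(assets: Iterable[str], timeout_sec: int,
                   exclusions: Iterable[dict] = (),
                   conflict_behavior: str = "fail") -> dict:
    """netIsolateOn with the timeout window and conflict behaviour checked."""
    items: List[str] = [a for a in assets if a]
    if not items:
        raise ValueError("the assets parameter is required for this response action")
    if not isinstance(timeout_sec, int) or not MIN_TIMEOUT_SEC <= timeout_sec <= MAX_TIMEOUT_SEC:
        raise ValueError(f"isolationTimeoutSec must be between {MIN_TIMEOUT_SEC} and {MAX_TIMEOUT_SEC} seconds")
    if conflict_behavior not in CONFLICT_BEHAVIOURS:
        raise ValueError(f"exclusionsConflictBehavior must be one of {CONFLICT_BEHAVIOURS}")
    params: dict = {"isolationTimeoutSec": timeout_sec}
    rules = list(exclusions)
    if rules:
        params["exclusions"] = rules
        params["exclusionsConflictBehavior"] = conflict_behavior
    return {"responseAction": "netIsolateOn", "params": params, "assets": items}


def rejects(builder, *args, **kwargs) -> bool:
    """True when the builder refuses the arguments (used to exercise the rules)."""
    try:
        builder(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: keep the management server reachable while isolated.
    keep_mgmt = exclusion(remote_ipv4="192.168.2.15", remote_ports="443")
    print(net_isolate_on(["host-1"], 24 * 3600, [keep_mgmt], "skip"))
```

Defaulting exclusionsConflictBehavior to fail is the conservative choice: an isolation whose exclusion set is contradictory is better refused than silently reduced, since an over-broad exclusion is a hole in the containment.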

netIsolateOff

Disable network isolation response action.

To launch this response action, you need to specify the assets parameter of the response function.

executeCommand

Run executable file response action. Possible parameters:

  • path—Path to the custom script or executable file that you want to run.
  • workingDirectory—Path to the working directory.
  • commandLineParameters—Command-line parameters that you want to apply to the command.

addFilePreventionRules

Add prevention rule response action. Possible parameters:

  • md5—MD5 hash array.
  • sha256—SHA256 hash array.

To launch this response action, you need to specify the assets parameter of the response function.

deleteFilePreventionRules

Delete prevention rule response action. Possible parameters:

  • md5—MD5 hash array.
  • sha256—SHA256 hash array.

To launch this response action, you need to specify the assets parameter of the response function.

resetFilePreventionRules

Delete all prevention rules.

To launch this response action, you need to specify the assets parameter of the response function.

assignKasapGroup

Assign KASAP group response action. Possible parameters:

  • groupId—KASAP group identifier.

addToLDAPGroup

Add user to security group response action. Possible parameters:

  • groupDN—Distinguished name (DN) of the LDAP group.

removeFromLDAPGroup

Delete user from security group response action. Possible parameters:

  • groupDN—Distinguished name (DN) of the LDAP group.

blockLDAPAccount

Lock account response action.

To launch this response action, you need to specify the assets parameter of the response function.

resetLDAPPassword

Reset password response action.

To launch this response action, you need to specify the assets parameter of the response function.

executeCustomScript

Execute custom script response action. Possible parameters:

  • commandLine—Command to run.
  • commandLineParameters—Command-line parameters that you want to apply to the command.
  • stdIn—Data passed to the script through its standard input stream. Use this parameter if you need to pass additional data to the response action.
  • workingDirectory—Path to the working directory.

iocsEnrichment

Data enrichment. Possible parameters:

  • observables—A jq expression with an array of observables that you want to enrich.
  • source—Source of data. Possible values:
    • OpenTIP
    • TIP
  • fullEnrichment—Defines the number of records to be requested. Possible values:
    • true—Request all records from the source.
    • false—Request the top 100 records from the source.
