The "Investigation. Get parent process chain events and link them" predefined playbook allows you to view the parent process chain for a suspicious process by querying KUMA and linking the resulting events to the alert. As a result of the playbook execution, additional information is added to the alert comments, helping you decide whether to close the alert, perform additional investigation, or create an incident for further response.
Before using the playbook, download the scripts and the dependencies list, which are required for the playbook to work correctly, and place the scripts in the working directory set in the playbook input (`/opt/xdr_scripts` by default). Note that the playbook passes alert fields taken from the original events (host name, process ID, timestamp) and the script output to these scripts on the command line; since these values originate from endpoint event data, review how the scripts handle them before deploying them, and verify the integrity of the downloaded files.
# Trigger condition (jq): evaluates to true when every original event with
# Type == 3 has an ExternalID contained in the list below, i.e. the set
# difference between the event IDs and the list is empty.
# NOTE(review): an alert with no Type == 3 events also satisfies this condition
# (map over an empty list yields [], whose length is 0), so the playbook's later
# steps may run without a process event to query — confirm this is intended.
.OriginalEvents | map(select(.Type == 3)) | map(.ExternalID) - ["R050_01", "R050_04", "R050_05", "R050_07", "R058_03", "R061_01", "R061_03", "R061_05", "R062_01", "R062_03", "R063_01", "R063_03", "R076_05", "R082_01", "R082_02", "R082_09", "R082_12", "R083_01", "R083_03", "R083_05", "R083_07", "R083_09", "R083_10", "R083_13", "R084_01", "R084_02", "R084_04", "R087_04", "R089_05", "R089_07", "R093_03", "R093_14", "R093_18", "R093_31", "R098_01", "R098_02", "R099_01", "R099_02", "R099_03", "R099_04", "R099_05", "R099_07", "R100_01", "R100_03", "R101_01", "R101_03", "R102_02", "R103_02", "R104_01", "R105_01", "R105_02", "R105_03", "R106_02", "R107_02", "R107_03", "R107_04", "R108_02", "R109_02", "R110_04", "R110_05", "R110_06", "R110_07", "R111", "R150_01", "R150_02", "R151", "R152_01", "R152_02", "R152_03", "R152_04", "R152_05", "R152_06", "R152_07", "R152_09", "R152_10", "R152_11", "R152_12", "R152_13", "R154_03", "R154_06", "R154_09", "R211_01", "R220_02", "R220_04", "R220_05", "R220_06", "R221_01", "R221_04", "R222_02", "R222_03", "R222_04", "R223_02", "R223_03", "R224_02", "R224_03", "R224_08", "R224_12", "R224_13", "R224_14", "R224_17", "R224_18", "R224_19", "R224_20", "R224_21", "R225_03", "R225_05", "R226_02", "R226_03", "R227_02", "R228_01", "R228_02", "R229_01", "R230_02", "R231_02", "R231_03", "R231_04", "R232", "R233_01", "R233_04", "R240_01", "R240_02", "R240_05", "R250", "R270", "R280_01", "R280_02", "R280_03", "R280_04", "R282_01", "R282_02", "R283_01", "R283_02", "R283_03", "R285_01", "R285_02", "R286_02", "R287_01", "R287_02", "R288_01", "R288_02", "R288_03", "R289_02", "R290_01", "R290_02", "R290_03", "R290_04", "R290_05", "R290_06", "R290_07", "R290_08", "R290_09", "R291_01", "R291_02", "R291_03", "R291_04", "R291_05", "R291_06", "R292_01", "R292_02", "R293_01", "R293_02", "R293_03", "R293_04", "R294_01", "R294_03", "R294_04", "R295_01", "R295_02", "R296_01", "R296_02", "R296_03", "R296_04", "R296_05", "R296_06", "R296_07", "R296_08", "R296_09", 
"R296_10", "R296_11", "R296_12", "R296_13", "R296_14", "R296_15", "R296_16", "R296_17", "R296_18", "R296_19", "R296_22", "R297", "R298", "R299", "R300_01", "R300_02", "R300_03", "R300_04", "R301_01", "R301_02", "R302_01", "R302_03", "R320", "R321", "R330", "R350_02", "R350_04", "R350_07", "R410_03", "R411_01", "R412_01", "R414_01", "R415_01", "R418_02", "R419_01", "R419_02", "R419_03", "R419_04", "R422_01", "R423_02", "R423_03", "R427_01", "R427_04", "R432_02", "R436_02", "R438_01", "R438_02", "R441", "R442", "R050_06", "R058_04", "R061_10", "R082_03", "R082_04", "R082_13", "R083_06", "R083_12", "R089_08", "R099_08", "R152_08", "R209_05", "R211_02", "R224_06", "R224_07", "R224_10", "R224_15", "R231_05", "R231_06", "R231_07", "R231_08", "R231_10", "R282_03", "R286_01", "R286_03", "R286_04", "R286_05", "R302_04", "R302_05", "R302_06", "R405_01", "R405_02", "R405_04", "R412_02", "R413_01", "R416_01", "R418_01", "R422_02", "R423_01", "R427_02", "R429_01", "R430_01", "R433_01", "R433_02", "R433_03", "R433_04", "R433_06", "R434_01", "R434_02", "R434_03", "R434_04", "R435_05", "R436_01", "R436_03", "R443"] | length == 0
{
"dslSpecVersion": "1.1.0",
"version": "1",
"actionsSpecVersion": "1",
"input": "${ {\"workdir\": \"/opt/xdr_scripts\", \"timewindow\": \"86400\"} }",
"executionFlow": [
{
"decision": {
"conditions": [
{
"name": "DeviceVendor is Unix",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .BaseEvents[0] | .DeviceVendor == \"Unix\" }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"parent_process_chain_linux \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationProcessID | tostring) , \" \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceHostName), \" \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {parent_process_chain: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Parent process chain:\n\" + ( [ .parent_process_chain.details.stdOut | fromjson | reverse | to_entries[] | \"*\"*4*.key + \"└──> \" + (.value.DestinationUserName) + \": (\" + (.value.DestinationProcessID | tostring) + \") \" + (.value.DestinationProcessName) ] | join(\"\n\") ) }"
}
},
"onError": "stop"
}
}
]
}
]
}
},
{
"decision": {
"conditions": [
{
"name": "DeviceVendor is Microsoft",
"condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .BaseEvents[0] | .DeviceVendor == \"Microsoft\" }",
"steps": [
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./kuma_events.py \" , \"parent_process_chain_windows \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceCustomString5 | tostring) , \" \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceHostName), \" \" , ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Timestamp | tostring) , \" \", (.timewindow) ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"output": {
"filter": "${ {parent_process_chain: .} }",
"action": "merge"
},
"onError": "stop"
}
},
{
"action": {
"function": {
"type": "addCommentToAlert",
"params": {
"text": "${ \"Parent process chain:\n\" + ( [ .parent_process_chain.details.stdOut | fromjson | reverse | to_entries[] | \"*\"*4*.key + \"└──> \" + (.value.DestinationUserName) + \": (\" + (.value.DeviceCustomString5 | tostring) + \") \" + (.value.DestinationProcessName) ] | join(\"\n\") ) }"
}
},
"onError": "stop"
}
}
]
}
]
}
},
{
"action": {
"function": {
"type": "executeCustomScript",
"params": {
"commandLine": "${ [ \"./xdr_link_events.py \" , alert.InternalID, \" '\", .parent_process_chain.details.stdOut, \"'\" ] | add }",
"workingDirectory": "${ .workdir }",
"stdIn": ""
}
},
"onError": "stop"
}
}
]
}