The "Response. Block account and reset password via confirmation" predefined playbook allows you to respond to potentially compromised accounts by blocking the selected account in Active Directory, resetting its password, and initiating endpoint remediation actions after explicit confirmation in the alert. It combines account containment with AV scans and session termination on the affected hosts to reduce the risk of further attacker activity.
Before using the playbook, you must download the scripts and the dependencies list, which are required for the playbook to work correctly.
Download and prepare the scripts as follows.
The playbooks folder contains:
- docs folder, which includes DOCX files describing how the playbooks work;
- code folder, which includes JSON files with the playbook definitions;
- scripts folder, which includes Python scripts required for the playbooks to run.
api/v3/kuma.
In kuma_events.py, specify the values of the following constants:
- HOST — enter the Kaspersky Next XDR Expert FQDN or IP address;
- TOKEN — enter the API token generated in the previous step.
In xdr_link_events.py, specify the values of the following constants:
- HOST — enter the Kaspersky Next XDR Expert server FQDN or IP address;
- user — enter your user name;
- password — enter your password.
Copy kuma_events.py, xdr_link_events.py and requirements.txt to a directory on a remote client computer. The default script directory is /opt/xdr_scripts. If you choose a different directory for the scripts, you must change the value of the workdir parameter in the Input field in the additional settings of each affected advanced playbook.
Go to the directory containing requirements.txt and execute the following command to install the dependencies:
pip install -r requirements.txt
Furthermore, you must prepare the environment as follows:
To create a playbook, refer to the "Creating playbooks" article.
The full expression that the playbook trigger contains:
incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) | map(select(.Type == 3)) | map(.ExternalID) - ["R050_01", "R050_04", "R050_05", "R050_07", "R058_03", "R061_01", "R061_03", "R061_05", "R062_01", "R062_03", "R063_01", "R063_03", "R076_05", "R082_01", "R082_02", "R082_09", "R082_12", "R083_01", "R083_03", "R083_05", "R083_07", "R083_09", "R083_10", "R083_13", "R084_01", "R084_02", "R084_04", "R087_04", "R089_05", "R089_07", "R093_03", "R093_14", "R093_18", "R093_31", "R098_01", "R098_02", "R099_01", "R099_02", "R099_03", "R099_04", "R099_05", "R099_07", "R100_01", "R100_03", "R101_01", "R101_03", "R102_02", "R103_02", "R104_01", "R105_01", "R105_02", "R105_03", "R106_02", "R107_02", "R107_03", "R107_04", "R108_02", "R109_02", "R110_04", "R110_05", "R110_06", "R110_07", "R111", "R150_01", "R150_02", "R151", "R152_01", "R152_02", "R152_03", "R152_04", "R152_05", "R152_06", "R152_07", "R152_09", "R152_10", "R152_11", "R152_12", "R152_13", "R154_03", "R154_06", "R154_09", "R211_01", "R220_02", "R220_04", "R220_05", "R220_06", "R221_01", "R221_04", "R222_02", "R222_03", "R222_04", "R223_02", "R223_03", "R224_02", "R224_03", "R224_08", "R224_12", "R224_13", "R224_14", "R224_17", "R224_18", "R224_19", "R224_20", "R224_21", "R225_03", "R225_05", "R226_02", "R226_03", "R227_02", "R228_01", "R228_02", "R229_01", "R230_02", "R231_02", "R231_03", "R231_04", "R232", "R233_01", "R233_04", "R240_01", "R240_02", "R240_05", "R250", "R270", "R280_01", "R280_02", "R280_03", "R280_04", "R282_01", "R282_02", "R283_01", "R283_02", "R283_03", "R285_01", "R285_02", "R286_02", "R287_01", "R287_02", "R288_01", "R288_02", "R288_03", "R289_02", "R290_01", "R290_02", "R290_03", "R290_04", "R290_05", "R290_06", "R290_07", "R290_08", "R290_09", "R291_01", "R291_02", "R291_03", "R291_04", "R291_05", "R291_06", "R292_01", "R292_02", "R293_01", "R293_02", "R293_03", "R293_04", "R294_01", "R294_03", "R294_04", "R295_01", "R295_02", "R296_01", "R296_02", "R296_03", "R296_04", "R296_05", "R296_06", "R296_07", "R296_08", "R296_09", "R296_10", "R296_11", "R296_12", "R296_13", "R296_14", "R296_15", "R296_16", "R296_17", "R296_18", "R296_19", "R296_22", "R297", "R298", "R299", "R300_01", "R300_02", "R300_03", "R300_04", "R301_01", "R301_02", "R302_01", "R302_03", "R320", "R321", "R330", "R350_02", "R350_04", "R350_07", "R410_03", "R411_01", "R412_01", "R414_01", "R415_01", "R418_02", "R419_01", "R419_02", "R419_03", "R419_04", "R422_01", "R423_02", "R423_03", "R427_01", "R427_04", "R432_02", "R436_02", "R438_01", "R438_02", "R441", "R442", "R050_06", "R058_04", "R061_10", "R082_03", "R082_04", "R082_13", "R083_06", "R083_12", "R089_08", "R099_08", "R152_08", "R209_05", "R211_02", "R224_06", "R224_07", "R224_10", "R224_15", "R231_05", "R231_06", "R231_07", "R231_08", "R231_10", "R282_03", "R286_01", "R286_03", "R286_04", "R286_05", "R302_04", "R302_05", "R302_06", "R405_01", "R405_02", "R405_04", "R412_02", "R413_01", "R416_01", "R418_01", "R422_02", "R423_01", "R427_02", "R429_01", "R430_01", "R433_01", "R433_02", "R433_03", "R433_04", "R433_06", "R434_01", "R434_02", "R434_03", "R434_04", "R435_05", "R436_01", "R436_03", "R443"] | length == 0
Functions used by the playbook: blockLDAPAccount, resetLDAPPassword, avScan, killProcess.
During execution, this playbook adds a comment to the alert and prompts you to confirm whether the response actions should be applied to the selected account and related assets. If you confirm, the playbook performs the following response actions in sequence:
The sequence of response actions that the playbook algorithm contains (JSON definition of the execution flow):
{
  "dslSpecVersion": "1.1.0",
  "version": "1",
  "actionsSpecVersion": "1",
  "executionFlow": [
    {
      "parallel": {
        "branches": [
          {
            "name": "block and reset password for accounts in loop",
            "steps": [
              {
                "decision": {
                  "conditions": [
                    {
                      "name": "The first alert contains assets with type user",
                      "condition": "${ [ incident.Alerts[0] | .Assets[]? | select(.Type == \"user\") | .ID] | any }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "blockLDAPAccount",
                              "assets": "${[ incident.Alerts[0] | .Assets[]? | select(.Type == \"user\") | .ID]}"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        },
                        {
                          "action": {
                            "function": {
                              "type": "resetLDAPPassword",
                              "assets": "${[ incident.Alerts[0] | .Assets[]? | select(.Type == \"user\") | .ID]}"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        }
                      ]
                    }
                  ]
                }
              }
            ]
          },
          {
            "name": "AV scan child and parent processes files",
            "steps": [
              {
                "decision": {
                  "conditions": [
                    {
                      "name": "The first alert contains correlation event with defined child process name",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DestinationProcessName!=\"\" }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "avScan",
                              "params": {
                                "scope": {
                                  "area": "selective",
                                  "paths": [
                                    "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DestinationProcessName }"
                                  ]
                                },
                                "wait": false
                              },
                              "assets": "${ [ incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID ] }"
                            },
                            "onError": "continue"
                          }
                        }
                      ]
                    },
                    {
                      "name": "The first alert contains correlation event with defined parent process name",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .SourceProcessName!=\"\" }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "avScan",
                              "params": {
                                "scope": {
                                  "area": "selective",
                                  "paths": [
                                    "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .SourceProcessName }"
                                  ]
                                },
                                "wait": false
                              },
                              "assets": "${ [ incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID ] }"
                            },
                            "onError": "continue"
                          }
                        }
                      ]
                    }
                  ]
                }
              }
            ]
          },
          {
            "name": "Kill process by pid",
            "steps": [
              {
                "decision": {
                  "conditions": [
                    {
                      "name": "Linux. The first alert contains correlation event with defined child process ID",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DestinationProcessID != \"\" and (.BaseEvents[0] | .DeviceVendor == \"Unix\") }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "killProcess",
                              "params": {
                                "pid": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DestinationProcessID }"
                              },
                              "assets": "${ [incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID] }"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        }
                      ]
                    },
                    {
                      "name": "Linux. The first alert contains correlation event with defined parent process ID",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .SourceProcessID!=\"\" and (.BaseEvents[0] | .DeviceVendor == \"Unix\") }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "killProcess",
                              "params": {
                                "pid": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .SourceProcessID }"
                              },
                              "assets": "${ [incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID] }"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        }
                      ]
                    },
                    {
                      "name": "Windows. The first alert contains correlation event with defined child process ID",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DeviceCustomString5 != \"\" and (.BaseEvents[0] | .DeviceVendor == \"Microsoft\") }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "killProcess",
                              "params": {
                                "pid": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DeviceCustomString5 }"
                              },
                              "assets": "${ [incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID] }"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        }
                      ]
                    },
                    {
                      "name": "Windows. The first alert contains correlation event with defined parent process ID",
                      "condition": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DeviceCustomString3!=\"\" and (.BaseEvents[0] | .DeviceVendor == \"Microsoft\") }",
                      "steps": [
                        {
                          "action": {
                            "function": {
                              "type": "killProcess",
                              "params": {
                                "pid": "${ [ incident.Alerts[0] | .OriginalEvents[] | select(.Type==3) ][0] | .DeviceCustomString3 }"
                              },
                              "assets": "${ [incident.Alerts[0] | .Assets[]? | select(.Type==\"host\") | .ID] }"
                            },
                            "manualApprove": true,
                            "onError": "continue"
                          }
                        }
                      ]
                    }
                  ]
                }
              }
            ]
          }
        ]
      }
    }
  ]
}
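The trigger check and the branch conditions above, re-expressed in Python as an added example (not Kaspersky's playbook code or scripts) so an analyst can preview which actions the playbook would request for a given alert. The incident structure, the three-item rule list and the sample alert are constructed for the example; field names follow the JSON definition above.

```python
# Added example, not part of the Kaspersky playbook or its scripts: evaluates the
# trigger and decision conditions in Python against a constructed incident.
TRIGGER_RULE_IDS = {"R050_01", "R083_01", "R296_22"}  # short constructed subset of the page's list

def correlation_events(incident):
    """incident.Alerts[0] | .OriginalEvents[] | select(.Type==3)"""
    return [e for e in incident["Alerts"][0].get("OriginalEvents", []) if e.get("Type") == 3]

def trigger_fires(incident, rule_ids=TRIGGER_RULE_IDS):
    """map(.ExternalID) - [rule list] | length == 0: no correlation rule outside the list."""
    return all(e.get("ExternalID") in rule_ids for e in correlation_events(incident))

def asset_ids(incident, asset_type):
    """[ incident.Alerts[0] | .Assets[]? | select(.Type == <asset_type>) | .ID ]"""
    return [a["ID"] for a in incident["Alerts"][0].get("Assets", []) if a.get("Type") == asset_type]

# PID field by OS: Unix uses DestinationProcessID/SourceProcessID, Windows uses DeviceCustomString5/3.
PID_FIELDS = {"Unix": ("DestinationProcessID", "SourceProcessID"),
              "Microsoft": ("DeviceCustomString5", "DeviceCustomString3")}

def planned_actions(incident):
    """Return (function, asset IDs, params) for every action whose condition holds."""
    actions = []
    users, hosts = asset_ids(incident, "user"), asset_ids(incident, "host")
    if users:  # branch 1: account containment; both steps wait for manual approval
        actions += [("blockLDAPAccount", users, {}), ("resetLDAPPassword", users, {})]
    events = correlation_events(incident)
    if not events:
        return actions
    first = events[0]  # every host-side condition looks only at the first correlation event
    for field in ("DestinationProcessName", "SourceProcessName"):  # branch 2: selective AV scan
        if first.get(field):
            actions.append(("avScan", hosts, {"area": "selective", "paths": [first[field]]}))
    vendor = (first.get("BaseEvents") or [{}])[0].get("DeviceVendor")
    for field in PID_FIELDS.get(vendor, ()):  # branch 3: kill child/parent process by PID
        if first.get(field):
            actions.append(("killProcess", hosts, {"pid": first[field]}))
    return actions

SAMPLE_INCIDENT = {  # constructed sample, not a real alert
    "Alerts": [{
        "Assets": [{"Type": "user", "ID": "user-1"}, {"Type": "host", "ID": "host-1"}],
        "OriginalEvents": [
            {"Type": 1, "ExternalID": "base-event"},
            {"Type": 3, "ExternalID": "R083_01", "DestinationProcessName": "/tmp/dropper",
             "DestinationProcessID": "4242", "SourceProcessName": "", "SourceProcessID": "",
             "BaseEvents": [{"DeviceVendor": "Unix"}]},
        ],
    }]
}
```

Running planned_actions on the sample shows the block, reset, AV scan and kill-process actions that the alert would prompt for, which is a useful dry run before enabling the playbook on a rule set.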