Creating playbooks

You can create a playbook to automate threat analysis and threat response.

To create a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

Kaspersky Next XDR Expert also allows you to create a new playbook that will meet your needs, based on an existing one. For more details, refer to Customizing playbooks.

To create a new playbook:

  1. In the main menu, go to Monitoring & reporting → Playbooks.
  2. Click the Create button.

    The Create playbook window opens with the visual editor work area on the left and the Playbook settings pane on the right. The visual editor allows you to build and visualize the playbook execution flow, and the relationship between the steps involved in playbook creation.

    Based on the actions that you perform in the visual editor, the DSL schema of the playbook algorithm is generated. The changes you make in the visual editor work area are reflected in the code, and vice versa. If necessary, you can open the code editor by clicking the Show code button in the toolbar.

  3. In the Playbook settings pane, specify the following settings:
    • In the Tenant and inheritance field, select a parent tenant and child tenants for which the playbook should be launched.

      All child tenants of the selected parent tenant will automatically inherit this playbook. To disable playbook inheritance, clear the check box next to a required child tenant. Playbook inheritance will be disabled for this tenant as well as for its subtenants, if any.
      If you select a child tenant, its subtenants will be selected automatically.

    • In the Name field, enter the playbook name.

      Note that the playbook name must be unique within a tenant and cannot be more than 255 characters long.

    • In the Scope list, select one of the following options:
      • Alert. The playbook will be launched only for alerts. This option is selected by default.
      • Incident. The playbook will be launched only for incidents.
    • In the Operation mode list, select one of the following options:
      • Auto. A playbook in this operation mode automatically launches when corresponding alerts or incidents are detected.
      • Training. When corresponding alerts or incidents are detected, a playbook in this operation mode requests the user's approval to launch.
      • Manual. A playbook in this operation mode can only be launched manually.
    • If necessary, in the Tags field, specify up to 30 tags. You can filter playbooks by using the assigned tags.

      Note that the maximum tag length is 50 characters.

    • If necessary, in the Description field, enter a playbook description or a comment.
    • In the When launching several playbook instances at the same time drop-down list, choose an action to perform if two or more playbook instances are launching at the same time:
      • Add new playbook instances to the queue. A new playbook instance will be launched after the current one is completed. By default, this action is selected.
      • Terminate current execution and launch a new instance. The execution of the current playbook instance will be terminated. After that, a new playbook instance is launched.
      • Do not launch new playbook instances. A new playbook instance will not be launched. The execution of the current playbook instance will continue.

      The When launching several playbook instances at the same time list is displayed only if the Auto operation mode is selected.

    • By default, the playbook will only be launched for new alerts or incidents that match the trigger.

      If you want to launch a new playbook for existing alerts or incidents that match the trigger, select the check box labeled Launch the playbook for all matching alerts or incidents. Note that the system may be overloaded.

    • If necessary, in the Additional settings section, specify the following playbook parameters:
      • Playbook timeout—The maximum execution time of the playbook. By default, the value is 24h. The maximum value is 48h.

        If you want to create policies to be further applied in response actions, enable the Use timeout policies for the response action toggle switch, and then add the policies.

        After you disable the toggle switch, the added policies are deleted.

      • Input—A jq expression to modify incoming data of the playbook before execution.
      • Output—A jq expression to modify the output data of the playbook after execution.
      • Change method—How the output data is changed: select Merge to merge the current and new data, or Overwrite to replace the current data with the new data.

      The other additional settings are predefined and cannot be changed:

      • Playbook version—Version of the playbook. May be required to identify the playbook in telemetry more accurately.
      • DSL version—DSL schema version.
      • Action version—Response actions schema version with the description of the response function input parameters.
  4. In the visual editor work area, configure the playbook trigger and algorithm. Click the Trigger step, and then in the trigger settings pane that opens, specify the condition for the automatic launch of the playbook.

    If you select the Manual operation mode, trigger settings are unavailable.

    To describe the trigger condition, use jq expressions. For more information about jq expressions, refer to jq Manual.

    Depending on the option you selected in the Scope list when creating or editing the playbook, either the alert data model or the incident data model is used.

    For example, to filter alerts or incidents by critical severity, specify the following expression:

    .Severity == "critical"

    You can also specify complex expressions to filter alerts or incidents.

    For example, to filter critical alerts or incidents by rule name, specify the following expression:

    (.Severity == "critical") and (.Rules[] | .Name | contains("Rule_1"))

    where .Rules[] | .Name selects the name of each triggered rule.

    Validation of jq expressions is configured. If you specify an incorrect expression when configuring the playbook trigger, the error is marked in red. If you want to view the details, hover the mouse cursor over the error.

  5. If you want to view alerts or incidents that match the playbook trigger, in the Trigger matching section, click the Find button. By default, the last 10 modified alerts and incidents are displayed. If you want to change the value, open the drop-down list, and then select the required value.

    You can also request a full list of alerts or incidents. To do this, in the Trigger section, enter true, and then click the Find button.

    The full list of alerts or incidents is displayed.

  6. Specify the playbook algorithm steps.

    You can copy an algorithm from another playbook. To do this, in the toolbar, click the Copy algorithm button, then in the window that opens, select a playbook from which to copy the algorithm, and then click OK.

    Validation of jq expressions and JSON syntax is configured. If you specify an incorrect expression when configuring the playbook algorithm, the error is marked in red. If you want to view the details, hover the mouse cursor over the error.

    To add an algorithm step, do the following:

    1. Hover the mouse cursor over the step that the new step is to be connected to.

      If you are adding a step for the first time, you can hover the mouse cursor over the Trigger step only.

    2. Click and hold the white dot that appears, and then start drawing an arrow.
    3. Release the mouse cursor, and then in the menu that opens, select the step.

      The selected step is displayed in the visual editor.

    4. Click the step to configure its settings. For more details, refer to Configuring playbook execution steps in visual editor.

    Alternatively, you can right-click any part of the visual editor work area to invoke the menu, and then select the step you want to add. In this case, after adding the step, you have to build the relationships by drawing arrows between the required steps. If no relationships are built, you can only save the playbook as a draft.

    If algorithm steps are not added, you can save the playbook only as a draft.

  7. Save the playbook in one of the following ways:
    • By clicking the Publish button. The saved playbook is ready to use and displayed in the playbooks table, with the Active status.
    • By clicking the Create as draft button. This allows you to create a playbook by specifying only its name and the tenant to which it belongs. The playbook is displayed in the list of playbooks with the Draft status. You can open it and continue editing.

      When saving a playbook as a draft, validation is performed, and the errors are highlighted but ignored.
      You can save the playbook only as a draft when the relationships between the execution steps and the trigger are not built, the mandatory settings are not configured, or you specified invalid parameters.

A new playbook is created and displayed in the list of playbooks.
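As an added illustration (not code from this page or from Kaspersky), the following Python mirrors how the two trigger expressions from step 4 evaluate against constructed sample alerts, including the stream semantics of .Rules[] and the substring behaviour of contains. The Severity and Rules field names are those used on this page; treating an alert as matched when any output of the expression is true is an assumption of the example.

```python
"""Added illustration of how the two trigger expressions on this page behave
against sample alerts.  This is not the Kaspersky Next XDR Expert evaluator:
it mirrors jq's stream semantics (`.Rules[]` yields one output per rule) and
jq's substring semantics for `contains` on strings.  The alerts are constructed
samples, and treating an alert as matched when any output is true is an
assumption of this example."""
from typing import Callable, Iterator

# Constructed sample alerts with the fields the expressions reference:
# a top-level Severity string and a Rules array of objects with a Name.
SAMPLE_ALERTS = [
    {"ID": "a-1", "Severity": "critical", "Rules": [{"Name": "Rule_1"}]},
    {"ID": "a-2", "Severity": "critical", "Rules": [{"Name": "Rule_2"}, {"Name": "Rule_1"}]},
    {"ID": "a-3", "Severity": "high", "Rules": [{"Name": "Rule_1"}]},
    {"ID": "a-4", "Severity": "critical", "Rules": [{"Name": "Rule_10"}]},
    {"ID": "a-5", "Severity": "critical", "Rules": []},
]

def severity_is_critical(alert: dict) -> Iterator[bool]:
    """jq: .Severity == "critical"  (exactly one output per alert)."""
    yield alert.get("Severity") == "critical"

def critical_and_rule_contains(alert: dict, fragment: str) -> Iterator[bool]:
    """jq: (.Severity == "critical") and (.Rules[] | .Name | contains(FRAGMENT))
    `.Rules[]` is a generator, so `and` yields one boolean per rule and
    nothing at all when Rules is empty.  `contains` on strings is a substring
    test, so a rule named "Rule_10" also satisfies contains("Rule_1")."""
    for rule in alert.get("Rules", []):
        yield alert.get("Severity") == "critical" and fragment in rule.get("Name", "")

def critical_and_rule_named(alert: dict, name: str) -> Iterator[bool]:
    """jq: (.Severity == "critical") and (.Rules[] | .Name == NAME)
    Exact comparison, for triggers that must match one rule name in full."""
    for rule in alert.get("Rules", []):
        yield alert.get("Severity") == "critical" and rule.get("Name") == name

def matching_ids(alerts: list, expression: Callable[[dict], Iterator[bool]]) -> list:
    """IDs of alerts for which the expression produces at least one true output
    (assumption of this example, see the module docstring)."""
    return [a["ID"] for a in alerts if any(expression(a))]

if __name__ == "__main__":
    print(matching_ids(SAMPLE_ALERTS, severity_is_critical))
    print(matching_ids(SAMPLE_ALERTS, lambda a: critical_and_rule_contains(a, "Rule_1")))
    print(matching_ids(SAMPLE_ALERTS, lambda a: critical_and_rule_named(a, "Rule_1")))
```

Note that contains("Rule_1") also selects "Rule_10", so an exact comparison on .Name is the safer choice when the trigger must be scoped to a single rule.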
