Editing incidents by using playbooks

Expand all | Collapse all

Kaspersky Next XDR Expert allows you to edit incidents manually or by using playbooks. When creating a playbook, you can configure the playbook algorithm to edit the incident properties.

To edit an incident by using a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

You cannot edit incidents that have the Closed status.

You can edit the following incident properties by using the playbook:

• Assignee
• Incident workflow status
• Incident type
• Comment
• Description
• Priority
• ExternalReference attribute
• Additional data attribute

Below are example expressions you can use in the playbook to edit incident properties. You can specify these expressions in the Show code section of the visual editor.

• Assigning an incident to a user

  {

  "action": {

  "function": {

  "type": "assignIncident",

  "params": {

  "assignee": {

  "id": "user_ID"

  }

  }

  }

  }

  }

  When you edit an assignee in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an incident assignee, you can search the corresponding record by the user's name, and the ID will be specified in the algorithm.

• Assigning an incident to a user group

  {

  "action": {

  "function": {

  "type": "assignIncident",

  "params": {

  "group": {

  "id": "GROUP_ID"

  }

  }

  }

  }

  }

  When you edit an assignee in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an incident assignee, you can search the corresponding record by the name of a user group, and the ID will be specified in the algorithm.

• Unassigning an incident from a user

  {

  "action": {

  "function": {

  "type": "assignIncident",

  "params": {

  "assignee": {

  "id": "nobody"

  }

  }

  }

  }

  }

• Unassigning an incident from a user group

  {

  "action": {

  "function": {

  "type": "assignIncident",

  "params": {

  "group": {

  "id": "nobody"

  }

  }

  }

  }

  }

• Changing a status of the incident workflow

  To change the incident workflow status to Open:

  {

  "action": {

  "function": {

  "type": "setIncidentStatus",

  "params": {

  "typeId": "af9dd279-fc30-4596-963b-942f79920375",

  "statusId": "4db36105-5223-4078-b72c-e9e9983b0987"

  }

  }

  }

  }

  To change the incident workflow status to Closed:

  {

  "action": {

  "function": {

  "type": "setIncidentStatus",

  "params": {

  "statusId": "INCIDENT_STATUS_ID",

  "statusResolution": "truePositive"

  }

  }

  }

  }

  You can also specify the following values for the statusResolution parameter: falsePositive and lowPriority.

  To change the incident workflow status to a custom status:

  {

  "action": {

  "function": {

  "type": "setIncidentStatus",

  "params": {

  "typeId": "22222222-2222-2222-2222-222222222222",

  "statusId": "11111111-1111-1111-1111-111111111111"

  }

  }

  }

  }

  When you edit an incident workflow status in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an incident workflow status, you can search the corresponding record by the name, and the ID will be specified in the algorithm.

• Changing the incident type

  {

  "action": {

  "function": {

  "type": "setIncidentType",

  "params": {

  "id": "INCIDENT_TYPE_UUID"

  }

  }

  }

  }

  When you edit an incident type in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an incident type, you can search the corresponding record by the name, and the ID will be specified in the algorithm.

• Adding a comment to an incident

  {

  "action": {

  "function": {

  "type": "addCommentToIncident",

  "params": {

  "text": "${ \"New comment for incident with ID: \\(incident.ID)\" }"

  }

  }

  }

  }

• Editing the incident description

  {

  "action": {

  "function": {

  "type": "setIncidentDescription",

  "params": {

  "description": "${ incident.ID | tostring | \"New comment for incident with ID: \" + . }",

  "mode": "replace"

  }

  }

  }

  }

  To append to the existing description, specify the append value for the mode parameter.

• Changing the incident priority

  {

  "action": {

  "function": {

  "type": "setIncidentPriority",

  "params": {

  "priority": "critical"

  }

  }

  }

  }

  You can also specify the following values for the priority parameter: high, medium, low.

• Editing the ExternalReference attribute

  {

  "action": {

  "function": {

  "type": "setIncidentExternalRef",

  "params": {

  "externalRef": "${ \"new extReference value\" }",

  "mode": "replace"

  }

  }

  }

  }

  To append to the ExternalReference attribute, specify the append value for the mode parameter.

• Editing the Additional data attribute

  {

  "action": {

  "function": {

  "type": "addIncidentAdditionalData",

  "params": {

  "data": "${ {\"customKey\": \"customValue\"} }",

  "mode": "replace"

  }

  }

  }

  }

  To append to the Additional data attribute, specify the append value for the mode parameter.