Creating playbooks

May 15, 2024

ID 249267

You can create a playbook to automate threat analysis and threat response.

To create a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

Kaspersky Next XDR Expert also allows you to create a new playbook that will meet your needs, based on an existing one. For details, refer to Customizing playbooks.

To create a new playbook:

  1. In the main menu, go to Monitoring & reporting → Playbooks.
  2. Click the Create playbook button.

    The Create playbook window opens.

  3. In the Tenant field, select a parent tenant and child tenants for which the playbook should be launched.

    All child tenants of the selected parent tenant inherit this playbook automatically. To disable inheritance, clear the check box next to any child tenant; inheritance is then disabled for all child tenants.

    If you select a child tenant, all parent tenants will be selected automatically.

  4. In the Name field, enter the playbook name.

    Note that the playbook name must be unique and cannot be more than 255 characters long.

    The playbook name must not contain the following special characters: < > ".

  5. If necessary, in the Tags field, specify up to 30 tags. You can filter playbooks by using the assigned tags.

    Note that the maximum tag length is 50 characters.

  6. If necessary, in the Description field, enter a playbook description or a comment.
  7. In the Scope list, select one of the following options:
    • Alert. The playbook will be launched only for alerts.
    • Incident. The playbook will be launched only for incidents.
  8. In the Operation mode list, select one of the following options:
    • Auto. A playbook in this operation mode automatically launches when corresponding alerts or incidents are detected.
    • Training. When corresponding alerts or incidents are detected, a playbook in this operation mode requests the user's approval to launch.
    • Manual. A playbook in this operation mode can only be launched manually.
  9. In the Launching rule list, choose what happens when the trigger fires again while a previous instance of the same playbook is still running:
    • Add new playbook instances to the queue. A new playbook instance will be launched after the current one is completed. By default, this action is selected.
    • Terminate current execution and launch a new instance. The execution of the current playbook instance will be terminated. After that, a new playbook instance is launched.
    • Do not launch new playbook instances. A new playbook instance will not be launched. The execution of the current playbook instance will continue.

    The Launching rule list is displayed only if the Auto operation mode is selected.

  10. In the Trigger section, specify the condition for the automatic launch of the playbook.

    To describe the trigger condition, use jq expressions. For more information about jq expressions, refer to jq Manual.

    For example, to filter alerts or incidents by critical severity, specify the following expression:

    .Severity == "critical"

    You can also specify complex expressions to filter alerts or incidents.

    For example, to filter critical alerts or incidents by rule name, specify the following expression:

    [(.Severity == "critical") and (.Rules[] |.Name | contains("Rule_1"))]

    The Trigger section validates jq expressions as you type. If you specify an incorrect expression, the error is marked in red; hover the mouse cursor over the error to view the details.

    If you select the Manual operation mode, the Trigger section is unavailable.

  11. To view alerts or incidents that match the playbook trigger, in the Trigger matching section, click the Find button.

    You can also request a full list of alerts or incidents. To do this, in the Trigger section, enter true, and then click the Find button.

    The full list of alerts or incidents is displayed.

  12. In the Algorithm section, specify the sequence of responses to alerts or incidents in the JSON format. For details, refer to the Playbook algorithm section.

    If necessary, you can copy an algorithm from another playbook. To do this, do the following:

    1. Click the Copy from another playbook button.

      The Copy from another playbook window opens.

    2. In the list of playbooks, select a playbook from which to copy the algorithm, and then click the Add button.

      The algorithm of the selected playbook is added to the Algorithm section.

    The Algorithm section validates both the JSON syntax and any embedded jq expressions. If you specify an incorrect expression, the error is marked in red; hover the mouse cursor over the error to view the details.

  13. By default, the playbook will only be launched for new alerts or incidents that match the trigger.

    If you want to launch a new playbook for existing alerts or incidents that match the trigger, select the Launch the playbook for all matching alerts or incidents. Note that the system may be overloaded check box.

  14. Click the Create button.

A new playbook is created and displayed in the list of playbooks.
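The trigger expressions in steps 10 and 11 are plain jq, so they can be dry-run against sample data with the jq command-line tool before they are pasted into the Trigger field. The script below is an added example, not Kaspersky code: the alert records are constructed for illustration, and only the field names the page itself uses (.Severity, .Rules[].Name) are assumed, plus an ID field for reporting. It also shows a caveat worth knowing about the page's second example: in jq, wrapping a condition in square brackets collects the results into an array, and select() treats any array, even [false] or [], as true, so check what your expression selects with the Find button rather than relying on it. The any() form gives a single true/false per alert.

```sh
#!/bin/sh
# Added example (not part of the product documentation): dry-run playbook
# trigger expressions with the jq CLI (https://jqlang.github.io/jq/).
# ALERTS is constructed sample data; the field names .Severity and
# .Rules[].Name follow the page's examples, .ID is an assumption used for output.

ALERTS='[
  {"ID":"a1","Severity":"critical","Rules":[{"Name":"Rule_1"},{"Name":"Rule_2"}]},
  {"ID":"a2","Severity":"high",    "Rules":[{"Name":"Rule_1"}]},
  {"ID":"a3","Severity":"critical","Rules":[{"Name":"Rule_7"}]},
  {"ID":"a4","Severity":"critical","Rules":[]},
  {"ID":"a5","Severity":"critical","Rules":[{"Name":"Rule_1"},{"Name":"Rule_10"}]}
]'

# validate TRIGGER: exit 0 if jq accepts the expression against the sample
# alerts, non-zero otherwise (the UI marks such expressions in red).
validate() {
  printf '%s' "$ALERTS" | jq ".[] | $1" >/dev/null 2>&1
}

# count_matches TRIGGER: how many times select(TRIGGER) emits an alert.
# An expression that yields several booleans per alert (a stream) makes
# select() emit that alert once per true value, so duplicates are counted.
count_matches() {
  printf '%s' "$ALERTS" | jq -r "[.[] | select($1)] | length"
}

# matching_ids TRIGGER: comma-separated, de-duplicated IDs of selected alerts.
matching_ids() {
  printf '%s' "$ALERTS" | jq -r "[.[] | select($1) | .ID] | unique | join(\",\")"
}

# The page's first example: a simple equality test.
SEVERITY='.Severity == "critical"'

# The page's second example, bracketed. The brackets turn the result into an
# array, which jq's select() treats as true even when it is [] or [false].
BRACKETED='[(.Severity == "critical") and (.Rules[] | .Name | contains("Rule_1"))]'

# Same condition without brackets: correct per alert, but an alert with two
# matching rules is emitted twice (contains() is a substring test, so
# "Rule_10" also matches "Rule_1").
STREAMED='(.Severity == "critical") and (.Rules[] | .Name | contains("Rule_1"))'

# any() folds the rule stream into one boolean per alert.
STRICT='(.Severity == "critical") and any(.Rules[]; .Name | contains("Rule_1"))'

for expr in "$SEVERITY" "$BRACKETED" "$STREAMED" "$STRICT" 'true'; do
  if validate "$expr"; then
    printf '%-85s -> %s match(es): %s\n' "$expr" \
      "$(count_matches "$expr")" "$(matching_ids "$expr")"
  else
    printf '%-85s -> INVALID jq expression\n' "$expr"
  fi
done

# A syntax error, as the Trigger field would flag it.
if validate '.Severity =='; then echo "unexpected: accepted"; else echo '.Severity == -> INVALID jq expression'; fi
```

Run it with any jq 1.5 or later; the bracketed form selects every sample alert, the streamed form selects a1 once and a5 twice, and the any() form selects exactly a1 and a5. The same approach works for incident triggers: replace the sample records with the JSON the Find button shows for a real incident.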
