Support

Support for business applications

Kaspersky XDR Expert

Threat response

Playbooks

Launching playbooks and response actions

Launching playbooks manually

Kaspersky Next XDR Expert
Online Help
FAQ Forum Contact support Recovery tools

Launching playbooks manually

May 15, 2024

ID 249272

Get as PDF

Kaspersky Next XDR Expert allows you to manually launch all playbooks that match all alerts or incidents you want to respond to.

To launch a playbook manually, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, Tenant administrator.

To launch a playbook manually for an alert:

  1. In the main menu, go to Monitoring & reportingAlerts.
  2. In the table of alerts, click the link with the ID of the alert for which you want to launch the playbook.
  3. In the Alert details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the alert, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this alert, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button (Close button).

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected alert. After the playbook is completed, you will receive a notification.

To launch a playbook manually for an incident:

  1. In the main menu, go to Monitoring & reportingIncidents, and then select the XDR incidents tab.
  2. In the table of incidents, click the link with the ID of the incident for which you want to launch the playbook.
  3. In the Incident details window that opens, click the Select playbook button.

    The Select playbook window opens.

  4. In the list of playbooks that match the incident, select the playbook you want to launch, and then click the Launch button.

    If the selected playbook is already running for this incident, in the Monitoring & reporting window that appears, do one of the following:

    • If you want to wait until the current playbook instance is completed, click the Wait and launch button.

      The new playbook instance will be launched after the current one is completed.

    • If you want to launch a new playbook instance immediately, click the Terminate and launch a new one button.

      The current playbook instance will be terminated and the new one will be launched.

    • If you want to cancel the new playbook launch, click the Close button (Close button).

    If the selected playbook already has the status Awaiting approval, after manual launch, the playbook status will change to In progress.

The playbook is launched for the selected incident. After the playbook is completed, you will receive a notification.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.