Viewing response history

May 15, 2024

ID 249273

The Response history section allows you to view the detailed response history for all detected alerts and incidents. Note that if an alert or incident is deleted, the response history for this alert or incident is not displayed.

To view a response history, you must have one of the following roles: Main administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, SOC manager, Approver, Observer, Tenant administrator.

To view a response history, in the main menu, go to Monitoring & reporting → Response history. The table that contains the response history for all alerts and incidents opens.

To filter the data in the table, click the Filter button, and then, on the Filters tab, specify and apply the filter criterion in the invoked menu.

The table contains the following columns:

  • Actions. Response action or playbook name.
  • Response parameters. Response action parameters that are specified in the response action or playbook algorithm.
  • Start. Date and time the playbook or response action was launched.
  • End. Date and time the playbook or response action was completed.
  • Alert or incident ID. ID that contains a link to the alert or incident details.
  • Launched by. Name of the user who launched the playbook or response action.
  • Action status. Execution status of the playbook or response action. The following values can be shown in this column:
    • Awaiting approval—Response action or playbook awaiting approval for launch.
    • In progress—Response action or playbook is in progress.
    • Success—Response action or playbook is completed without errors or warnings.
    • Warning—Response action or playbook is completed with warnings.
    • Error—Response action or playbook is completed with errors.
    • Terminated—Response action or playbook is completed because the user interrupted the execution.
    • Approval time expired—Response action or playbook is completed because the approval time for the launch has expired.
    • Rejected—Response action or playbook is completed because the user rejected the launch.
  • Assets. Number of the assets for which the playbook or response action is launched. You can click the link with the number of the assets to view the asset details.
  • Asset type. Type of asset for which the response action or playbook is launched. Possible values: Device or User.
  • Tenant. Name of the tenant to which the playbook belongs.
