Responding through UserGate

May 15, 2024

ID 264202

You can respond to alerts and incidents through UserGate if you previously configured integration between Kaspersky Next XDR Expert and the script launch service. UserGate includes features of unified threat management solutions and provides the following means of protection for your local network:

  • Firewall
  • Intrusion and attack protection
  • Anti-virus traffic scanning
  • Application control

UserGate UTM API version 7 is supported.

The login and password to access UserGate are stored in the scripts for integration with UserGate. You can download the scripts by clicking this link.

Download scripts

Python 3.10 is required to run the scripts.

To perform a response action through UserGate, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

To perform a response action through UserGate:

  1. In the main menu, go to the Monitoring & reporting section, and then in the Alerts or Incidents section, click the ID of the required alert or incident.

    In the window that opens, you can go to the Observables tab to view the IP addresses, URLs, and domain names that you can block through UserGate.

  2. Click the Select playbook button.

    In the window that opens, select one of the following predefined playbooks for responding through UserGate:

    • Block host via UserGate

      If you select this playbook, UserGate will block the IP addresses, URLs, and domain names as a result of the playbook launch.

      UserGate uses the IP addresses, URLs, and domain names that are displayed in the Observables tab.

    • Log out the users

      If you select this playbook, all users that are logged in to UserGate will be logged out as a result of the playbook launch.

  3. Click the Launch button.

    The selected playbook launches the script for integration with UserGate.

    If the operation is completed successfully, an appropriate message is displayed on the screen. Otherwise, an error message is displayed.

The result of the playbook launch is available in the alert or incident details, on the History tab.
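The vendor scripts are not reproduced on this page. As an added example (not Kaspersky's or UserGate's code), the Python 3.10 snippet below shows the preprocessing a script launched by the "Block host via UserGate" playbook needs before it talks to UserGate: sorting the alert's observables into the IP address, URL and domain-name lists the playbook blocks, dropping duplicates and malformed entries, and reading the UserGate login and password from environment variables instead of the script body. The environment variable names and the sample observables are constructed assumptions, and the UserGate API call itself is not shown.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of what an alert's Observables tab might list (not a real alert).
SAMPLE_OBSERVABLES = [
    "198.51.100.23",
    "198.51.100.23",                          # duplicate, dropped
    "2001:db8::1",
    "http://malicious.example/payload.bin",
    "bad-domain.example",
    "not a valid observable!",                # must never reach UserGate
]

def usergate_credentials(env: dict[str, str]) -> tuple[str, str]:
    """Read (login, password) from the environment (pass os.environ) instead of the
    script body. Variable names are hypothetical; a missing one raises KeyError."""
    return env["USERGATE_LOGIN"], env["USERGATE_PASSWORD"]

def _looks_like_domain(value: str) -> bool:
    """Syntactic check only: two or more LDH labels of at most 63 characters."""
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        0 < len(label) <= 63 and label.replace("-", "").isalnum()
        and not label.startswith("-") and not label.endswith("-")
        for label in labels)

def classify_observables(observables: list[str]) -> dict[str, list[str]]:
    """Sort observables into the kinds the "Block host via UserGate" playbook blocks.
    Returns "ip", "url", "domain" and "rejected" lists, de-duplicated, order kept."""
    buckets: dict[str, list[str]] = {"ip": [], "url": [], "domain": [], "rejected": []}
    seen: set[str] = set()
    for raw in observables:
        value = raw.strip()
        if not value or value.lower() in seen:
            continue
        seen.add(value.lower())
        try:
            ipaddress.ip_address(value)          # IPv4 or IPv6 literal
            buckets["ip"].append(value)
            continue
        except ValueError:
            pass
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.netloc:
            buckets["url"].append(value)
        elif _looks_like_domain(value):
            buckets["domain"].append(value.lower())
        else:
            buckets["rejected"].append(value)
    return buckets
```

Entries that land in "rejected" should be reported in the playbook result rather than silently dropped, so the History tab shows which observables were not blocked.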
