Predefined playbooks

May 15, 2024

ID 268243

Kaspersky Next XDR Expert provides ready-to-use predefined playbooks that are created by Kaspersky experts. Predefined playbooks are based on KUMA correlation rules. For more information on the KUMA correlation rules included in the distribution kit, see Correlation rules.

You can find predefined playbooks in the Playbooks section. Such playbooks are marked with the tag "Predefined" and the [KL] prefix in the name.

Note that you cannot edit the parameters of a predefined playbook, except for the Operation mode and the Instances fields. If you want to edit other parameters of a predefined playbook, you need to duplicate the playbook, and then use it as a template to create a custom playbook. For details, refer to Customizing playbooks.

Before using the predefined playbooks, you must do the following in KUMA:

Predefined playbooks cannot be deleted.

Predefined playbooks belong to the parent tenant and are inherited by all child tenants.

In this section:

[KL] P001 "Creation of executable files by office applications"

[KL] P002 "Windows Event Log was cleared"

[KL] P003 "Suspicious child process from wmiprvse.exe"
