Predefined playbooks
Kaspersky Next XDR Expert provides ready-to-use predefined playbooks that are created by Kaspersky experts. Predefined playbooks are based on KUMA correlation rules. For more information on the KUMA correlation rules included in the distribution kit, see Correlation rules.
You can find predefined playbooks in the Playbooks section. Such playbooks are marked with the tag "Predefined" and the [KL] prefix in the name.
Note that you cannot edit the parameters of a predefined playbook, except for the Operation mode and the Instances fields. If you want to edit other parameters of a predefined playbook, you need to duplicate the playbook, and then use it as a template to create a custom playbook. For details, refer to Customizing playbooks.
Before using the predefined playbooks, you must do the following in KUMA:
- Configure the enrichment rule settings for event enrichment, selecting the Event type as the Source kind setting. Specify the VictimUserID and AttackerUserID values in the Target field.
- Configure enrichment in KUMA to get Windows Event Log.
Predefined playbooks cannot be deleted.
Predefined playbooks belong to the parent tenant and are inherited by all child tenants.