Kaspersky Next XDR Expert

Responding through UserGate

UserGate includes features of unified threat management (UTM) solutions and provides the following means of protection for your local network:

  • Firewall
  • Intrusion and attack protection
  • Anti-virus traffic scanning
  • Application control

UserGate UTM API version 7 is supported.

You can respond to alerts and incidents through UserGate if you have previously configured the integration between Kaspersky Next XDR Expert and the script launch service and created a playbook that launches a response script. You can download the scripts by clicking the link below.

Download scripts

The login and password used to access UserGate are stored in the ug.py script. You can change the endpoint, login, and password values in this script.

Python 3.10 is required to run the scripts.

To perform a response action through UserGate, you must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst.

You can create playbooks that perform the following response actions through UserGate:

  • Block IP addresses, URLs, and domain names.

    UserGate blocks the specified IP addresses, URLs, and domain names when the playbook is launched.

  • Log out users.

    All users that are logged in to UserGate are logged out when the playbook is launched.

To launch a response script through UserGate:

  1. In the main menu, go to the Monitoring & reporting section, then in the Alerts or Incidents section, click the ID of the required alert or incident.
  2. Click the Select playbook button, and in the window that opens, select the playbook that you created for responding through UserGate.
  3. Click the Launch button.

    The selected playbook launches the response script through UserGate.

    If the operation completes successfully, a confirmation message is displayed on the screen. Otherwise, an error message is displayed.

The result of the playbook launch is available in the alert or incident details, on the History tab.