Predefined playbooks
Kaspersky Next XDR Expert provides ready-to-use predefined playbooks that are created by Kaspersky experts. Predefined playbooks are based on KUMA correlation rules. For more information on the KUMA correlation rules included in the distribution kit, see Correlation rules.
You can find predefined playbooks in the Playbooks section. Such playbooks are marked with the tag "Predefined" and the [KL] prefix in the name.
Note that you cannot edit the parameters of a predefined playbook, except for the Operation mode and the Running instances fields. If you want to edit other parameters of a predefined playbook, you need to duplicate the playbook, and then use it as a template to create a custom playbook. For details, refer to Customizing playbooks.
Before using the predefined playbooks, you must do the following in KUMA:
- Configure the enrichment rule settings for the event enrichment that has the Event type selected as the Source kind setting. Specify the VictimUserID and AttackerUserID values in the Target field.
- Configure enrichment in KUMA to get Windows Event Log.
Predefined playbooks cannot be deleted.
Predefined playbooks belong to the parent tenant and are inherited by all child tenants.
[KL] P001 "Creation of executable files by office applications"
This playbook contains the Responding through KASAP response action, and can be used only as a template. If you want to launch the playbook, click the Duplicate and edit button. In the Edit playbook window that opens, in the Algorithm section, specify the KASAP group ID for the groupId parameter.
Before using the playbook, you must configure enrichment in KUMA to get Windows Event Log.
By default, the playbook launches the response actions for all user accounts in the alert, that is, for both the attacker and the victim accounts. If you want the playbook to launch the response actions only for the victim account, do the following:
- In KUMA, configure the enrichment rule settings. For the event enrichment that has the Event type selected as the Source kind setting, specify the VictimUserID value in the Target field.
- In the Algorithm section of the playbook, add the condition and .IsVictim to the select() filter in the assets parameter, as shown below:
"assets": "${[ alert.Assets[] | select(.Type == \"user\" and .IsVictim) | .ID]}"
The [KL] P001 "Creation of executable files by office applications" predefined playbook allows you to respond when an attacker abuses an office application, for example in a phishing attack where a user opens an infected document that drops an executable file and runs it.
The alert that triggers the playbook is created according to the Creation of executable files by office applications correlation rule. This rule helps to detect the creation of files with suspicious extensions such as scripts and executable files on behalf of office applications.
The Trigger section of the playbook contains the following expression:
[.OriginalEvents[] | .ExternalID == "R350"] | any
During execution, this playbook launches the following response actions:
- Responding through Active Directory, and then resetting the passwords of both the attacker and the victim accounts.
If an error occurs during the execution of the response action, the playbook is terminated.
- Responding through KASAP, and then assigning an information security course to the account.
If an error occurs during the execution of the response action, the execution of the playbook will continue.
The Algorithm section of the playbook contains the following sequence of response actions:
{
"dslSpecVersion": "1.0.0",
"version": "1",
"responseActionsSpecVersion": "1",
"executionFlow": [
{
"responseAction": {
"function": {
"type": "resetLDAPPassword",
"assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}"
},
"onError": "stop"
}
},
{
"responseAction": {
"function": {
"type": "assignKasapGroup",
"assets": "${[ alert.Assets[] | select(.Type == \"user\") | .ID]}",
"params": {
"groupId": "SET KASAP GROUP ID"
}
},
"onError": "continue"
}
}
]
}
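To make the scoping difference visible, the following added example (not Kaspersky's code) evaluates the P001 Trigger and assets expressions over a constructed alert in plain Python. The jq filters in the comments are the ones quoted above; the alert data is constructed, and it is an assumption that an alert whose events were not enriched with VictimUserID carries no IsVictim flag on its user assets.

```python
# Added example: emulates the P001 Trigger and assets expressions on a
# constructed alert. Not Kaspersky's code; the jq filters in the docstrings are
# the playbook's own, the alert data below is constructed.

# Constructed alert: a victim user, an attacker user and the victim's host.
ENRICHED_ALERT = {
    "OriginalEvents": [
        {"ExternalID": "R350",
         "DestinationProcessName": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"},
    ],
    "Assets": [
        {"Type": "user", "ID": "user-jdoe", "IsVictim": True, "IsAttacker": False},
        {"Type": "user", "ID": "user-macro-svc", "IsVictim": False, "IsAttacker": True},
        {"Type": "host", "ID": "host-ws042", "IsVictim": True, "IsAttacker": False},
    ],
}

# Same alert without the VictimUserID/AttackerUserID enrichment (assumed shape:
# the user assets simply carry no IsVictim / IsAttacker flags).
UNENRICHED_ALERT = {
    "OriginalEvents": [{"ExternalID": "R350"}],
    "Assets": [
        {"Type": "user", "ID": "user-jdoe"},
        {"Type": "user", "ID": "user-macro-svc"},
        {"Type": "host", "ID": "host-ws042"},
    ],
}


def trigger_matches(alert, rule_id="R350"):
    """[.OriginalEvents[] | .ExternalID == "R350"] | any"""
    return any(ev.get("ExternalID") == rule_id for ev in alert.get("OriginalEvents", []))


def all_user_ids(alert):
    """${[ alert.Assets[] | select(.Type == "user") | .ID]}  (the shipped default)"""
    return [a["ID"] for a in alert.get("Assets", []) if a.get("Type") == "user"]


def victim_user_ids(alert):
    """${[ alert.Assets[] | select(.Type == "user" and .IsVictim) | .ID]}"""
    return [a["ID"] for a in alert.get("Assets", [])
            if a.get("Type") == "user" and a.get("IsVictim")]


def plan_p001(alert, group_id, victim_only=False):
    """Return the response actions P001 would dispatch, in order, without running them.

    An empty list means the Trigger did not match and the playbook does not start.
    """
    if not trigger_matches(alert):
        return []
    targets = victim_user_ids(alert) if victim_only else all_user_ids(alert)
    return [
        # Password reset first; onError "stop" means a failure here ends the playbook.
        {"type": "resetLDAPPassword", "assets": targets, "onError": "stop"},
        # Training assignment second; onError "continue" means a failure is tolerated.
        {"type": "assignKasapGroup", "assets": targets,
         "params": {"groupId": group_id}, "onError": "continue"},
    ]


if __name__ == "__main__":
    for label, alert in (("enriched", ENRICHED_ALERT), ("unenriched", UNENRICHED_ALERT)):
        print(label, "all users:", all_user_ids(alert), "victims only:", victim_user_ids(alert))
```

The check worth running before switching a duplicated playbook to the victim-only filter is the unenriched case: without the VictimUserID enrichment the filter yields an empty assets list, so the password reset and the KASAP assignment target nobody and the playbook reports nothing wrong.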
[KL] P002 "Windows Event Log was cleared"
By default, this playbook operates in the Manual operation mode. We do not recommend switching this playbook to the Auto or the Training operation mode.
Before using the playbook, you must do the following in KUMA:
- Configure the enrichment rule settings for the event enrichment that has the Event type selected as the Source kind setting. Specify the AttackerUserID value in the Target field.
- Configure enrichment in KUMA to get Windows Event Log.
The [KL] P002 "Windows Event Log was cleared" predefined playbook allows you to respond when an attacker clears the Windows Event Log. The log contains telemetry that is essential for investigating the attacker's activity, so clearing it is a typical attempt to cover tracks.
The incident that triggers the playbook contains one or several alerts created according to the Windows Event Log was cleared correlation rule. This rule helps to detect when Windows logs are cleared or deleted by using the wevtutil utility, the user interface, or PowerShell commands. To enable the creation of the incident, you have to configure segmentation rules.
The Trigger section of the playbook contains the following expression:
[.Alerts[] | .OriginalEvents[] | .ExternalID == "R050"] | any
During execution, this playbook launches the Responding through Active Directory response action, which blocks the account of the attacker.
If an error occurs during the execution of the response action, the playbook is terminated.
If one or several alerts in the incident are generated by another correlation rule, the playbook does not apply to those alerts.
The Algorithm section of the playbook contains the following sequence of response actions:
{
"dslSpecVersion": "1.0.0",
"version": "1",
"responseActionsSpecVersion": "1",
"executionFlow": [
{
"responseAction": {
"function": {
"type": "blockLDAPAccount",
"assets": "${[ incident.Alerts[] | select(.OriginalEvents[] | .ExternalID == \"R050\") | .Assets[] | select(.Type == \"user\" and .IsAttacker) | .ID]}"
},
"onError": "stop"
}
}
]
}
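The assets expression above is what keeps P002 from touching alerts of other rules inside the same incident. The following added example (not Kaspersky's code) evaluates the P002 Trigger and assets expressions in plain Python over a constructed incident that mixes R050 alerts with an alert from another rule. It assumes the playbook engine follows standard jq semantics, where select(f) re-emits its input once for every truthy output of f, which matters because the filter selects alerts by iterating over their events.

```python
# Added example: emulates the P002 Trigger and assets expressions over a
# constructed incident. Not Kaspersky's code. Assumes standard jq semantics for
# select() over a generator (the alert is emitted once per matching event).

SAMPLE_INCIDENT = {
    "Alerts": [
        # Alert from R050: one event, one attacker user, one host.
        {"ID": "alert-1",
         "OriginalEvents": [{"ExternalID": "R050"}],
         "Assets": [{"Type": "user", "ID": "user-admin7", "IsAttacker": True},
                    {"Type": "host", "ID": "host-dc01", "IsAttacker": False}]},
        # Alert from R050 that aggregated two cleared-log events.
        {"ID": "alert-2",
         "OriginalEvents": [{"ExternalID": "R050"}, {"ExternalID": "R050"}],
         "Assets": [{"Type": "user", "ID": "user-ops3", "IsAttacker": True}]},
        # Alert from a different rule in the same incident; P002 must not touch it.
        {"ID": "alert-3",
         "OriginalEvents": [{"ExternalID": "R297"}],
         "Assets": [{"Type": "user", "ID": "user-wmi", "IsAttacker": True}]},
    ]
}


def incident_trigger(incident, rule_id="R050"):
    """[.Alerts[] | .OriginalEvents[] | .ExternalID == "R050"] | any"""
    return any(ev.get("ExternalID") == rule_id
               for alert in incident.get("Alerts", [])
               for ev in alert.get("OriginalEvents", []))


def select_r050_alerts(incident, rule_id="R050"):
    """incident.Alerts[] | select(.OriginalEvents[] | .ExternalID == "R050")

    jq emits the alert once per event that satisfies the condition, so an alert
    with two R050 events appears twice in the output stream.
    """
    selected = []
    for alert in incident.get("Alerts", []):
        for ev in alert.get("OriginalEvents", []):
            if ev.get("ExternalID") == rule_id:
                selected.append(alert)
    return selected


def attacker_ids_to_block(incident, rule_id="R050"):
    """... | .Assets[] | select(.Type == "user" and .IsAttacker) | .ID, collected into an array"""
    return [a["ID"]
            for alert in select_r050_alerts(incident, rule_id)
            for a in alert.get("Assets", [])
            if a.get("Type") == "user" and a.get("IsAttacker")]


def unique_ids(ids):
    """Equivalent of appending '| unique' to the jq array: sorted, duplicates removed."""
    return sorted(set(ids))


if __name__ == "__main__":
    print("trigger:", incident_trigger(SAMPLE_INCIDENT))
    print("raw assets:", attacker_ids_to_block(SAMPLE_INCIDENT))
    print("deduplicated:", unique_ids(attacker_ids_to_block(SAMPLE_INCIDENT)))
```

The attacker from the R297 alert is excluded, as the text above states. The point to notice is alert-2: because select() iterates over the alert's events, an alert that carries two R050 events contributes its attacker twice, so a duplicated playbook that is sensitive to repeated asset IDs should append | unique inside the array expression.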
[KL] P003 "Suspicious child process from wmiprvse.exe"
Before using the playbook, you must do the following in KUMA:
- Configure the enrichment rule settings for the event enrichment that has the Event type selected as the Source kind setting. Specify the AttackerUserID value in the Target field.
- Configure enrichment in KUMA to get Windows Event Log.
The [KL] P003 "Suspicious child process from wmiprvse.exe" predefined playbook allows you to respond to parent and child process pairs that deviate from the norm and must be treated as suspicious.
The alert that triggers the playbook is created according to the R297_Suspicious child process from wmiprvse.exe correlation rule. This rule helps to detect the launch of suspicious processes on behalf of wmiprvse.exe.
The Trigger section of the playbook contains the following expression:
[.OriginalEvents[] | .ExternalID == "R297"] | any
During execution, this playbook launches the following response actions:
- Responding through Active Directory, and then blocking the account of the attacker.
- Terminating the process on the device that is registered in the alert. One termination is launched per DestinationProcessName value found in the original events of the alert; events with an empty or missing process name are skipped.
- Running a malware scan, and then a full scan is performed on the device where the alert is detected.
By default, network drives are not scanned, to avoid overloading the system. If you want to scan the network drives, duplicate this playbook, and then set the allowScanNetworkDrives parameter to true in the Algorithm section.
The Algorithm section of the playbook contains the following sequence of response actions:
{
"dslSpecVersion": "1.0.0",
"version": "1",
"responseActionsSpecVersion": "1",
"executionFlow": [
{
"responseAction": {
"function": {
"type": "blockLDAPAccount",
"assets": "${[ alert.Assets[] | select(.Type == \"user\" and .IsAttacker) | .ID]}"
},
"onError": "stop"
}
},
{
"split": {
"input": "${ [alert.OriginalEvents[] | [select(.DestinationProcessName != null and .DestinationProcessName != \"\")][] | .DestinationProcessName] }",
"onError": "stop",
"steps": [
{
"responseAction": {
"function": {
"type": "killProcess",
"params": {
"path": "${ .[0] }"
},
"assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
}
}
}
]
}
},
{
"responseAction": {
"function": {
"type": "avScan",
"params": {
"scope": {
"area": "full",
"allowScanNetworkDrives": false
},
"wait": false
},
"assets": "${[ alert.Assets[] | select(.Type == \"host\") | .ID]}"
},
"onError": "stop"
}
}
]
}
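The following added example (not Kaspersky's code) emulates the P003 algorithm in plain Python over a constructed alert, to show how the split step fans out into one killProcess action per DestinationProcessName, which events the split input drops, and where allowScanNetworkDrives ends up. It assumes that each split step receives its item wrapped in a one-element array, so that "${ .[0] }" resolves to the process path; the dedupe_paths option is not part of the shipped playbook and emulates adding | unique to the split input.

```python
# Added example: emulates the P003 execution flow over a constructed alert.
# Not Kaspersky's code. Assumption: a split step sees its item as a one-element
# array, so "${ .[0] }" is the current DestinationProcessName.

SAMPLE_ALERT = {
    "OriginalEvents": [
        {"ExternalID": "R297", "DestinationProcessName": "C:\\Windows\\Temp\\svc.exe"},
        {"ExternalID": "R297", "DestinationProcessName": ""},   # empty: dropped by the split input
        {"ExternalID": "R297"},                                  # missing (null): dropped as well
        {"ExternalID": "R297", "DestinationProcessName": "C:\\Windows\\Temp\\svc.exe"},  # repeat
        {"ExternalID": "R297", "DestinationProcessName": "C:\\Windows\\System32\\cmd.exe"},
    ],
    "Assets": [
        {"Type": "user", "ID": "user-svc-wmi", "IsAttacker": True},
        {"Type": "user", "ID": "user-jdoe", "IsAttacker": False},
        {"Type": "host", "ID": "host-srv12"},
    ],
}


def trigger_matches(alert, rule_id="R297"):
    """[.OriginalEvents[] | .ExternalID == "R297"] | any"""
    return any(ev.get("ExternalID") == rule_id for ev in alert.get("OriginalEvents", []))


def attacker_user_ids(alert):
    """${[ alert.Assets[] | select(.Type == "user" and .IsAttacker) | .ID]}"""
    return [a["ID"] for a in alert.get("Assets", [])
            if a.get("Type") == "user" and a.get("IsAttacker")]


def host_ids(alert):
    """${[ alert.Assets[] | select(.Type == "host") | .ID]}"""
    return [a["ID"] for a in alert.get("Assets", []) if a.get("Type") == "host"]


def split_input(alert):
    """${ [alert.OriginalEvents[] | [select(.DestinationProcessName != null and
    .DestinationProcessName != "")][] | .DestinationProcessName] }

    Null and empty names are dropped; repeated names are kept, one per event.
    """
    return [ev["DestinationProcessName"] for ev in alert.get("OriginalEvents", [])
            if ev.get("DestinationProcessName") not in (None, "")]


def plan_p003(alert, allow_network_drives=False, dedupe_paths=False):
    """Return the ordered response actions P003 would dispatch, without running them.

    dedupe_paths emulates '| unique' on the split input (not in the shipped playbook).
    """
    if not trigger_matches(alert):
        return []
    hosts = host_ids(alert)
    steps = [{"type": "blockLDAPAccount", "assets": attacker_user_ids(alert), "onError": "stop"}]
    paths = split_input(alert)
    if dedupe_paths:
        paths = sorted(set(paths))
    for path in paths:  # one split step per item; "${ .[0] }" is the item itself
        steps.append({"type": "killProcess", "params": {"path": path}, "assets": hosts})
    steps.append({"type": "avScan",
                  "params": {"scope": {"area": "full",
                                       "allowScanNetworkDrives": allow_network_drives},
                             "wait": False},
                  "assets": hosts, "onError": "stop"})
    return steps


if __name__ == "__main__":
    for step in plan_p003(SAMPLE_ALERT):
        print(step["type"], step.get("params", ""), step["assets"])
```

With the constructed alert, the shipped expression produces three killProcess steps for two distinct paths, because the split input keeps one entry per event; if the repeated termination is unwanted in a duplicated playbook, | unique on the split input removes it. The scan's network-drive setting is a plain parameter of the last step, which is why changing it requires duplicating the playbook rather than toggling anything at run time.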
If an error occurs during the execution of any response action, the playbook is terminated.