Kaspersky Next XDR Expert
1.1.9

Contents

Editing incidents by using playbooks

Expand all | Collapse all

Kaspersky Next XDR Expert allows you to edit incidents manually or by using playbooks. When creating a playbook, you can configure the playbook algorithm to edit the incident properties.

To edit an incident by using a playbook, you must have one of the following roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

You cannot edit incidents that have the Closed status.

You can edit the following incident properties by using the playbook:

  • Assignee
  • Incident workflow status
  • Incident type
  • Comment
  • Description
  • Priority
  • ExternalReference attribute
  • Additional data attribute

Below are examples of the expressions that you can use in the playbook algorithm to edit the incident properties.

  • Assigning an incident to a user
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "assignIncidentToUser", "params": { "assignee": { "id": "user_ID" } } } } } ] }
  • Unassigning an incident from a user
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "assignIncidentToUser", "params": { "assignee": { "id": "nobody" } } } } } ] }
  • Changing a status of the incident workflow

    To change the incident workflow status to Open:

    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentStatus", "params": { "statusId": "INCIDENT_STATUS_ID" } } } } ] }

    To change the incident workflow status to Closed:

    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentStatus", "params": { "statusId": "INCIDENT_STATUS_ID", "statusResolution": "truePositive" } } } } ] }

    You can also specify the following values for the statusResolution parameter: falsePositive and lowPriority.

    To change the incident workflow status to a custom status:

    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentStatus", "params": { "typeId": "22222222-2222-2222-2222-222222222222", "statusId": "11111111-1111-1111-1111-111111111111" } } } } ] }
  • Changing the incident type
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentType", "params": { "id": "INCIDENT_TYPE_UUID" } } } } ] }
  • Adding a comment to an incident
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "addCommentToIncident", "params": { "text": "${ \"New comment for incident with ID: \\(incident.ID)\" }" } } } } ] }
  • Editing the incident description
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentDescription", "params": { "description": "${ incident.ID | tostring | \"New comment for incident with ID: \" + . }", "mode": "replace" } } } } ] }

    To append to the existing description, specify the append value for the mode parameter.

  • Changing the incident priority
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentPriority", "params": { "priority": "critical" } } } } ] }

    You can also specify the following values for the priority parameter: high, medium, low.

  • Editing the ExternalReference attribute
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setIncidentExternalRef", "params": { "externalRef": "${ \"new extReference value\" }", "mode": "replace" } } } } ] }

    To append to the ExternalReference attribute, specify the append value for the mode parameter.

  • Editing the Additional data attribute
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "addIncidentAdditionalData", "params": { "data": "${ {\"customKey\": \"customValue\"} }", "mode": "replace" } } } } ] }

    To append to the Additional data attribute, specify the append value for the mode parameter.

Page top
[Topic 282842]