KYRA MDR includes 12 built-in SOAR (Security Orchestration, Automation and Response) playbooks that automate common incident response workflows. Each playbook combines automated actions with guided manual steps to accelerate response times while keeping analysts in control.
How Playbooks Work
- Trigger — A detection rule or AI agent identifies a threat matching the playbook’s trigger condition
- Automated Actions — The platform executes pre-defined containment and enrichment steps immediately
- Analyst Review — The assigned analyst reviews automated actions and follows guided manual steps
- Resolution — The analyst closes the incident with documented findings and remediation
Playbooks are available on the MDR tier and above. FREE tier customers receive alert notifications but no automated response.
Built-in Playbooks
1. Ransomware Response
| Field | Detail |
|---|---|
| Trigger | File encryption patterns detected (mass file rename, known ransomware extensions, shadow copy deletion) |
| Automated Actions | Isolate affected endpoint from network; snapshot current disk state; block lateral SMB/RDP from source host; notify SOC team |
| Manual Steps | Identify ransomware variant and encryption scope; determine patient zero and initial access vector; assess backup integrity; coordinate restoration from clean backups; report to management and legal if data exposure suspected |
2. Brute Force Response
| Field | Detail |
|---|---|
| Trigger | More than 10 failed login attempts to a single account within 5 minutes, or more than 50 failed attempts across multiple accounts from one source |
| Automated Actions | Temporarily block source IP at firewall; lock targeted accounts; enrich source IP with threat intelligence; create incident with timeline |
| Manual Steps | Verify whether any login succeeded after the brute force attempt; check for credential stuffing (multiple accounts targeted); review source IP reputation and geolocation; reset compromised credentials; add permanent block if source is malicious |
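As an added example (not KYRA MDR code), here is how the Brute Force trigger thresholds in the table above can be evaluated over auth log lines with a sliding 5-minute window, with each trigger flagged for the first manual step (whether a login from the same source succeeded afterwards). The log line format, the source IPs and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
ACCOUNT_LIMIT = 10  # more than 10 failures on one account within WINDOW
SOURCE_LIMIT = 50   # more than 50 failures across several accounts from one source

def _prune(window, now):
    """Drop entries whose timestamp (first tuple field) fell out of the sliding window."""
    while window and now - window[0][0] > WINDOW:
        window.popleft()

def evaluate(lines):
    """Return brute force triggers for a log of '<iso-ts> <src_ip> <account> <fail|success>'
    lines, each flagged with whether the same source logged in successfully afterwards."""
    per_account = defaultdict(deque)  # account -> [(ts, src)] failures still in window
    per_source = defaultdict(deque)   # src -> [(ts, account)] failures still in window
    triggers = []
    for line in lines:
        raw_ts, src, account, outcome = line.split()
        ts = datetime.fromisoformat(raw_ts.replace("Z", "+00:00"))
        if outcome == "success":
            # The playbook's first manual step: did any login succeed after the attempt?
            for t in triggers:
                if t["source"] == src and ts >= t["time"]:
                    t["success_after"] = True
            continue
        acct_win = per_account[account]
        acct_win.append((ts, src))
        _prune(acct_win, ts)
        if len(acct_win) > ACCOUNT_LIMIT:
            triggers.append({"kind": "single-account", "source": src, "account": account,
                             "time": ts, "success_after": False})
            acct_win.clear()  # re-arm so one burst raises a single trigger
        src_win = per_source[src]
        src_win.append((ts, account))
        _prune(src_win, ts)
        if len(src_win) > SOURCE_LIMIT and len({a for _, a in src_win}) > 1:
            triggers.append({"kind": "multi-account", "source": src, "account": None,
                             "time": ts, "success_after": False})
            src_win.clear()
    return triggers

# Constructed sample log: 12 fast failures on alice followed by a success from the same
# source, then 60 failures spread over 60 different accounts from a second source.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{s:02d}Z 203.0.113.7 alice fail" for s in range(12)]
    + ["2024-05-01T10:00:30Z 203.0.113.7 alice success"]
    + [f"2024-05-01T10:01:{s:02d}Z 198.51.100.9 user{s:02d} fail" for s in range(60)]
)
```

`evaluate(SAMPLE_LOG)` raises one single-account trigger on `alice` (marked `success_after`, the escalation case) and one multi-account trigger for `198.51.100.9`; failures spaced wider than the window never accumulate past the limit.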
3. Phishing Response
| Field | Detail |
|---|---|
| Trigger | User-reported phishing email or email security gateway detection of malicious link/attachment |
| Automated Actions | Extract and defang URLs and attachment hashes; query threat intelligence for IOC matches; search mailbox logs for other recipients of the same message; block sender domain at email gateway |
| Manual Steps | Confirm malicious intent (not a false positive from marketing email); identify all users who clicked the link or opened the attachment; initiate credential reset for affected users; check endpoints for payload execution; update email filter rules |
4. Credential Compromise
| Field | Detail |
|---|---|
| Trigger | Impossible travel login (same account from geographically distant locations within short timeframe), or login from known-bad IP after credential dump publication |
| Automated Actions | Force session termination for affected account; require MFA re-enrollment; block source IP; generate timeline of account activity since suspected compromise |
| Manual Steps | Review all actions taken by the compromised account; check for new mail forwarding rules, OAuth app grants, or API key creation; verify no lateral movement occurred; reset credentials and revoke all active sessions; notify the user |
5. Lateral Movement
| Field | Detail |
|---|---|
| Trigger | Pass-the-hash, pass-the-ticket, or unusual RDP/SMB/WinRM connections between internal hosts that deviate from baseline |
| Automated Actions | Isolate source host; block inter-host communication for affected pair; capture network flow data; enrich with MITRE ATT&CK technique mapping (T1021, T1550) |
| Manual Steps | Identify the initial compromise point; map the full scope of lateral movement (all hosts accessed); check for persistence mechanisms on each accessed host; verify credential exposure scope; rebuild compromised hosts if necessary |
6. Data Exfiltration
| Field | Detail |
|---|---|
| Trigger | Unusual outbound data volume (more than 2x baseline), DNS tunneling pattern, or large uploads to cloud storage/paste sites |
| Automated Actions | Throttle outbound traffic from source host; capture full packet data for the suspicious flow; block destination IP/domain; alert data protection team |
| Manual Steps | Identify what data was transferred (classification level); determine total volume exfiltrated; check if data was encrypted before exfiltration; assess regulatory notification requirements (GDPR, ISMS-P); preserve evidence for potential legal action |
7. Insider Threat
| Field | Detail |
|---|---|
| Trigger | Abnormal data access patterns by authenticated user (accessing files outside role, bulk downloads, off-hours activity inconsistent with history) |
| Automated Actions | Enable enhanced logging for the user; snapshot current access permissions; generate behavioral timeline; notify security manager (not the user) |
| Manual Steps | Correlate with HR events (resignation, performance issues); review data access scope and sensitivity; determine if activity is authorized but unusual; coordinate with legal and HR before confrontation; preserve evidence chain of custody |
8. Spoofing Detection
| Field | Detail |
|---|---|
| Trigger | ARP spoofing, DNS spoofing, or IP spoofing detected by NDR sensors |
| Automated Actions | Block spoofing source at switch/firewall level; alert network operations team; capture network forensic data; identify affected hosts that received spoofed responses |
| Manual Steps | Determine attacker’s objective (MITM, credential capture, redirect); verify DNS cache integrity on affected hosts; check for data interception during spoofing window; flush DNS caches and ARP tables on affected segment; implement permanent mitigations (DAI, DNSSEC) |
9. DDoS Mitigation
| Field | Detail |
|---|---|
| Trigger | Traffic volume exceeds 5x baseline, SYN flood detected, or application-layer request rate exceeds capacity threshold |
| Automated Actions | Activate rate limiting rules; enable upstream DDoS scrubbing (if configured); block top offending source IPs; scale infrastructure capacity; notify operations team |
| Manual Steps | Classify attack type (volumetric, protocol, application); engage ISP or CDN provider for upstream filtering if needed; analyze attack pattern for targeted application weaknesses; implement application-specific mitigations; conduct post-attack capacity review |
10. APT Response
| Field | Detail |
|---|---|
| Trigger | Multiple MITRE ATT&CK techniques observed from the same source within a campaign timeframe, or threat intel match against known APT IOCs |
| Automated Actions | Elevate incident to critical severity; activate enhanced monitoring across all network segments; block all known campaign IOCs (IPs, domains, hashes); notify executive security team; initiate full environment threat hunt |
| Manual Steps | Perform comprehensive threat hunting across 90-day historical data; map complete attack chain (initial access through objectives); identify all compromised accounts and hosts; coordinate with threat intelligence partners; develop custom detection rules for campaign TTPs; plan systematic remediation (do not alert attacker prematurely) |
11. Threat Intel Alert
| Field | Detail |
|---|---|
| Trigger | New threat intelligence bulletin matches IOCs present in the environment (IP addresses, domains, file hashes observed in logs) |
| Automated Actions | Search all log sources for IOC matches across 30-day window; block matched IOCs at perimeter; generate impact assessment report; create incidents for each confirmed match |
| Manual Steps | Validate IOC matches (eliminate false positives from shared infrastructure); assess exposure window (first seen to block time); check for indicators of successful exploitation; update detection rules with new TTPs from the bulletin; brief stakeholders on risk exposure |
12. Malware Containment
| Field | Detail |
|---|---|
| Trigger | EDR or antivirus detection of malicious executable, or behavioral analysis identifies suspicious process activity (process injection, persistence installation) |
| Automated Actions | Isolate affected endpoint; kill malicious process; quarantine malicious file; block file hash across all endpoints; collect forensic artifacts (process tree, network connections, registry changes) |
| Manual Steps | Analyze malware sample (static and dynamic analysis); identify infection vector (email, web, USB, lateral movement); scan all endpoints for same hash and behavioral indicators; verify no persistence mechanisms remain; restore endpoint from clean image if rootkit suspected; update detection signatures |
Custom Playbooks
PRO and CUSTOM tier customers can create custom playbooks tailored to their environment:
- Define custom trigger conditions using detection rule combinations
- Configure automated actions from the available action library (block IP, isolate host, disable account, etc.)
- Add environment-specific manual steps and escalation procedures
- Set SLA timers for each phase of the response
To create a custom playbook, go to Console > Playbooks > Create Playbook.
Playbook Metrics
The platform tracks execution metrics for each playbook:
| Metric | Description |
|---|---|
| Mean Time to Contain (MTTC) | Average time from trigger to automated containment |
| Execution Count | Number of times the playbook was triggered (30/90/365 days) |
| False Positive Rate | Percentage of triggers that were false positives |
| Analyst Time Saved | Estimated hours saved vs. manual response |
View playbook metrics in Console > Playbooks > Analytics.