About incidents

May 15, 2024

ID 221314

An incident is a container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain one or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.

You can create incidents manually or enable the rules for automatic creation of incidents. After an incident is created, you can link alerts to the incident. You can link no more than 200 alerts to an incident.

After creation, Open Single Management Platform adds incidents to the incident table as work items that are to be processed by analysts.

Incidents can be assigned only to analysts who have the access right to read and modify alerts and incidents.

You can manage incidents as work items by using the following incident properties:

  • Incident status
  • Incident severity
  • Incident priority
  • Incident assignee

Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.

Each incident has incident details that provide all of the information related to the incident. You can use this information to investigate the incident or merge incidents.

See also:

Creating incidents

Viewing the incident table

Viewing incident details

Assigning incidents to analysts

Changing an incident status

Changing an incident priority

Merging incidents

About alerts

Linking alerts to incidents

Unlinking alerts from incidents
