About alert details

Alert details contain all available information about the detected threat and allow you to manage alert response actions.

Alert details contain the following information:

• Threat development chain graph that provides visual information about the objects involved, such as key processes on the device, network connections, libraries, registry hives. It is used to analyze the causes of the threat.
• Alert response recommendations. Each recommendation has a link. You can click that link to apply the selected response action.

  This section is available only in Kaspersky Endpoint Security for Windows 11.9.0 and later web plug-in.

• General information about the alert, including detection mode (for example, detection during on-demand scan or during automatic scan).
• Information about the protected device on which the alert occurs (for example, device name, IP address, MAC address, user list, operating system).
• Information about detected object.
• Registry changes associated with the alert.
• History of the file presence on the device.
• Response actions performed by the application.

If Kaspersky Endpoint Security for Windows 11.10.0 or later is installed on the organization devices, Kaspersky Endpoint Security plug-in 11.10.0 is used in Kaspersky Security Center, and the Kaspersky Security Network feature is enabled in Kaspersky Endpoint Security, the alert details for files display information about the trust group, numeric signature, file distribution and other data.

The data in the alert details is relevant at the time the threat was detected. The solution does not update this information, so it may differ from the data and indicators displayed on Kaspersky Threat Intelligence Portal. To view the up-to-date updated data, use the links to Kaspersky Threat Intelligence Portal data in the alert details.

You can perform the following response actions from the alert details:

• isolate the device on which the alert occurred;
• quarantine file;
• create an IOC Scan task;
• prevent execution of the detected file.

Alert details are automatically deleted one month after creation.

For devices with Kaspersky Endpoint Security for Windows: if the amount of information in the alert details exceeds 1 MB, or if more than five alerts occurred on the device during a day, then the alert data is stored on the device locally and connection to the device is required to access this data. For devices with Kaspersky Endpoint Agent and any EPP application, for example, Kaspersky Security for Windows Server, these threshold values are 100 KB and 20 detections, respectively.

Page top