About alert details

Alert details contain all available information about a detected threat and let you manage alert response actions.

Alert details contain the following information:

• A graph of the threat development chain that provides visual information about the objects involved, such as key processes on the device, network connections, libraries, and registry hives.
• Recommendations on responding to the alert. Each recommendation has a link that you can click to apply the selected response action.

  For alerts received from Kaspersky Endpoint Security for Windows, this section is available only if Kaspersky Endpoint Security for Windows 11.9.0 or later is installed on the organization's computers and Kaspersky Endpoint Security for Windows plug-in 11.9.0 or later is used in Kaspersky Security Center.

• General information about the alert, including detection mode (for example, detection during an on-demand scan or during automatic scan).
• Information about the protected device on which the alert occurs (for example, device name, IP address, MAC address, user list, operating system).
• Information about the detected object.
• Registry changes associated with the alert.
• History of the files' presence on the device.
• Response actions performed by the application.
• Information about the trust group, digital signature, file distribution, and other data.

  This information is available only if Kaspersky Security Network has been enabled before a threat is detected. For alerts received from Kaspersky Endpoint Security for Windows, this information is available only if Kaspersky Endpoint Security for Windows 11.10.0 or later is installed on the organization's devices and Kaspersky Endpoint Security plug-in 11.10.0 or later is used in Kaspersky Security Center.

If you use Endpoint Detection and Response plug-in 15.4 or later in Kaspersky Security Center together with Kaspersky Endpoint Security for Mac 12.2 or later, alert details also contain additional information on the response actions performed on the objects involved into threat development chain, as well as threat development chain summary.

The data in the alert details is current as of the time the threat was detected. The solution does not update this information, so it may differ from the data and indicators displayed on Kaspersky Threat Intelligence Portal. To view up-to-date data, use the links to Kaspersky Threat Intelligence Portal data in the alert details.

You can perform the following response actions from the alert details:

• Isolate the device on which the alert occurred.
• Quarantine file.

  This functionality is not supported by Kaspersky Endpoint Security for Linux 12.1.

• Create an IOC Scan task.
• Prevent execution of the detected file.

  This functionality is not supported by Kaspersky Endpoint Security for Linux 12.1.

If you use the additional functionality of Kaspersky Next XDR Optimum, you can also perform the following response actions on the users related with the alert from the alert details:

• Reset user password.
• Lock user's account.
• Add a user to a security group.
• Delete a user from a security group.
• Assign KASAP training courses to users who are associated with alerts.

Alert details are automatically deleted one month after creation.

For devices with Kaspersky Endpoint Security for Windows: if the size of the information in alert details exceeds 1 MB, or if more than five alerts occur on the device in one day, then the alert data is stored on the device locally and a connection to the device is required to access this data.

Page top