Grouping alerts by attributes

Alerts aggregation helps identify alerts that may be related to the same incident, simplifying the investigation process.

To enable the functionality of alert aggregation, you have to do the following:

If you are using the Kaspersky Next EDR Optimum license, you do not have to activate the applications installed on your managed devices under the Kaspersky Next XDR Optimum license. You must do it only for new devices, if any.
Because the Kaspersky Next XDR Optimum license supports multitenancy, you can centrally distribute the license key to managed applications. Automatic distribution of the license to secondary and virtual Administration Servers is not supported.

You can aggregate alerts by device name, account, or hash name (SHA256).

Alerts are aggregated by an attribute only if that attribute is not empty.

Alerts are aggregated together if they share at least one attribute and occur within 24 hours of any other alert in the group.
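The following Python script is an added illustration of the grouping rule described above. It is not part of Kaspersky Next XDR Optimum and does not use its API; the alert records, the attribute names (`device_name`, `account`, `sha256`) and the 24-hour constant are constructed for the example. It assumes that two alerts are linked when the same pair shares a non-empty selected attribute value and lies within 24 hours of each other, and that a group is the set of alerts reachable through such links, so an alert can belong to only one group. Unlinked alerts are returned separately, mirroring the unaggregated alerts shown at the bottom of the table, and every list is ordered by event time from newest to oldest.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Aggregation window from the documentation: alerts join a group when they are
# within 24 hours of another alert in that group (constant chosen for this example).
WINDOW = timedelta(hours=24)


@dataclass(frozen=True)
class Alert:
    """Minimal alert record constructed for this example (not the product's schema)."""
    alert_id: str
    event_time: datetime
    device_name: str = ""
    account: str = ""
    sha256: str = ""


def _linked(a, b, attributes):
    """True when a and b share at least one NON-EMPTY selected attribute value
    and their event times differ by at most WINDOW. Empty attributes never match."""
    if abs(a.event_time - b.event_time) > WINDOW:
        return False
    return any(
        getattr(a, attr) and getattr(a, attr) == getattr(b, attr)
        for attr in attributes
    )


def aggregate(alerts, attributes=("device_name", "account")):
    """Group alerts by shared attributes within the time window.

    Returns (groups, unaggregated): groups is a list of alert lists (each
    newest first, groups ordered by their newest alert), unaggregated is the
    list of alerts that matched nothing. Each alert appears exactly once."""
    # Union-find over alert IDs; linked pairs are merged into one component.
    parent = {a.alert_id: a.alert_id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    # Scan in chronological order so the inner loop can stop once a later
    # alert is already outside the window (all following ones are too).
    ordered = sorted(alerts, key=lambda a: a.event_time)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.event_time - a.event_time > WINDOW:
                break
            if _linked(a, b, attributes):
                parent[find(b.alert_id)] = find(a.alert_id)

    members = defaultdict(list)
    for a in alerts:
        members[find(a.alert_id)].append(a)

    def newest_first(seq):
        return sorted(seq, key=lambda a: a.event_time, reverse=True)

    groups = [newest_first(m) for m in members.values() if len(m) > 1]
    groups.sort(key=lambda g: g[0].event_time, reverse=True)
    singles = newest_first(a for m in members.values() if len(m) == 1 for a in m)
    return groups, singles


def group_ids(alerts, attributes=("device_name", "account")):
    """Same as aggregate() but returns alert IDs, convenient for display and tests."""
    groups, singles = aggregate(alerts, attributes)
    return [[a.alert_id for a in g] for g in groups], [a.alert_id for a in singles]


# Constructed sample data (device names, accounts and hash are placeholders).
# A1-A2 share an account, A2-A3 share a device 22h apart, A3 is 34h from A1, so
# chaining puts all three in one group. A5/A6 only share a hash and have empty
# device/account attributes. A4 is more than 24h away from every other alert.
SAMPLE_ALERTS = [
    Alert("A1", datetime(2024, 5, 1, 8, 0), device_name="WS-01", account="alice"),
    Alert("A2", datetime(2024, 5, 1, 20, 0), device_name="WS-02", account="alice"),
    Alert("A3", datetime(2024, 5, 2, 18, 0), device_name="WS-02", account="bob"),
    Alert("A4", datetime(2024, 5, 4, 9, 0), device_name="WS-01", account="alice"),
    Alert("A5", datetime(2024, 5, 1, 10, 0), sha256="0000sample-hash-placeholder"),
    Alert("A6", datetime(2024, 5, 1, 11, 0), sha256="0000sample-hash-placeholder"),
]

if __name__ == "__main__":
    print("Default attributes (device name, account):", group_ids(SAMPLE_ALERTS))
    print("With SHA256 selected as well:",
          group_ids(SAMPLE_ALERTS, ("device_name", "account", "sha256")))
```

With the default attributes, A5 and A6 remain unaggregated because their device name and account are empty, and empty attributes never match; selecting the hash attribute as well joins them into a second group while leaving A4 on its own.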

To aggregate alerts by attributes:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. Do one of the following:
    • Enable the Alerts aggregation toggle switch, then select one or more attributes to aggregate alerts by:
      • Device name
      • Account
      • Hash name (SHA256)

      The Device name and Account attributes are selected by default.

    • Click the settings icon. In the Table settings pane that opens, go to the Grouping tab. Select Aggregation group ID and click Apply.

    When aggregation is enabled, alerts are sorted by Event time from newest to oldest. Additional sorting options are not supported. Selecting a different grouping option will disable aggregation.

The table displays alerts aggregated by attributes. Unaggregated alerts are displayed at the bottom of the table.

Each alert is assigned to only one group after aggregation.
