About incidents

What is an incident

In the context of information security, an incident is any unforeseen or undesirable event that could disrupt normal operations or compromise information security.

An event is an identified, externally observable sign of a particular state of a system, service, or network.

Within the Kaspersky MDR solution, the main criterion for deciding whether observed activity is an incident is whether effective measures can be taken to counter it, prevent it, or reduce the damage it may cause. The table below gives examples of incident criteria and response measures depending on the event source.

Examples of incident detection criteria and response measures

Event source: Endpoint device

Possible incident criteria:
  • The active phase of an attack that was not prevented automatically
  • Evidence of malicious persistence in the system
  • Indicators of past incidents
  • Indicators of internal intruder activity on the customer's side (including cases when the attack was successfully prevented)

Possible incident responses:
  • Detection of the issue by means of AO Kaspersky Lab solutions installed on endpoint devices, and assessment of the efficiency of the automatic response (if technically possible)
  • Recommended manual response actions
  • Requested automatic response actions
  • Recommendations for raising users' information security awareness

Event source: Endpoint device + network

Possible incident criteria:
  • A security event from a supported network detection technology that has been confirmed on the endpoint device

Possible incident responses:
  • Detection of the issue by means of AO Kaspersky Lab solutions installed on endpoint devices and AO Kaspersky Lab solutions for network traffic monitoring, and assessment of the efficiency of the automatic response (if technically possible)
  • Recommended manual response actions
  • Requested automatic response actions
  • Informing the customer

Incident detection scenarios

Scenario 1. Incident detection by the Kaspersky MDR solution

In this scenario, an information security incident is detected as a result of Kaspersky MDR operation. The incident is logged automatically in the incident tracking system. The default incident priority level can be changed later, but doing so requires specifying the reason for the change in accordance with the incident priority level table (see below). Kaspersky MDR processes the logged incidents so that information about the status of the customer's IT infrastructure is obtained promptly.

If the analysis identifies the root cause of the incident, response recommendations are provided to the customer. If there is not enough information to identify the root cause, all available information and the results of the analysis are provided to the customer for independent investigation.

Scenario 2. Incident detection by the customer (creating custom incidents is not available in some of the commercial license tiers)

In this scenario, an information security incident is detected by the customer, independently of Kaspersky MDR operation. If the incident needs to be processed by Kaspersky MDR, the customer can log the incident manually and provide all available information about it using the Kaspersky MDR features. By default, the incident priority level is set to Low, unless the customer specifies otherwise while logging the incident.

Further processing of the incident is similar to Scenario 1.

Incident priority levels

Incident priority levels and their descriptions

High
  Incidents that, in AO Kaspersky Lab expert opinion, may result in major disruptions or unauthorized access to the customer's assets monitored by Kaspersky MDR.
  For example, identified traces of a targeted attack or of an unknown threat that requires further investigation using digital forensic methods.

Medium
  Incidents that, in AO Kaspersky Lab expert opinion, may affect the efficiency or performance of the customer's assets monitored by Kaspersky MDR, or may result in one-off data corruption.

Low
  Incidents that, in AO Kaspersky Lab expert opinion, do not significantly affect the efficiency or performance of the customer's assets monitored by Kaspersky MDR.
  For example, identified potentially unwanted software such as adware or riskware.

The default incident priority level is Low.

Performance targets of the solution delivery

Target reaction time and target value of Kaspersky MDR delivery depending on the incident priority

Incident priority level    Reaction time*    Target value**
High                       1 hour            90%
Medium                     4 hours           90%
Low                        24 hours          90%

An incident is considered resolved once recommendations on response measures have been provided to the customer.

*Reaction time is the time between incident detection (creation time) and publication of the incident in the MDR Web Console (update time).

**Target value is the percentage of incidents whose reaction time meets the objective specified in the table.
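As an added example (not part of the Kaspersky documentation or the MDR product itself), the following Python script applies the two footnote definitions to a set of incident records: reaction time is update time minus creation time, and the target value is the share of incidents per priority whose reaction time is within the table's limit, compared against 90%. The record layout, incident IDs and timestamps are constructed for the example and do not reflect any real export format of the MDR Web Console.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Reaction-time targets per priority, taken from the table above.
REACTION_TARGET = {
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
}
TARGET_PERCENT = 90  # target value: at least 90% of incidents must meet the reaction time


@dataclass(frozen=True)
class Incident:
    incident_id: str
    priority: str
    created: datetime  # detection (creation) time
    updated: datetime  # time the incident was published to the console (update time)


def reaction_time(inc: Incident) -> timedelta:
    """Reaction time as defined in the footnote: update time minus creation time."""
    if inc.updated < inc.created:
        raise ValueError(f"{inc.incident_id}: update time precedes creation time")
    return inc.updated - inc.created


def meets_target(inc: Incident) -> bool:
    """True if the incident was published within the target for its priority."""
    if inc.priority not in REACTION_TARGET:
        raise ValueError(f"{inc.incident_id}: unknown priority {inc.priority!r}")
    return reaction_time(inc) <= REACTION_TARGET[inc.priority]


def count_by_priority(incidents):
    """Return {priority: (met, total)} over the given incidents."""
    counts = {p: [0, 0] for p in REACTION_TARGET}
    for inc in incidents:
        met = meets_target(inc)  # also validates the priority
        counts[inc.priority][1] += 1
        if met:
            counts[inc.priority][0] += 1
    return {p: (m, t) for p, (m, t) in counts.items()}


def target_value_met(met: int, total: int):
    """Integer comparison of met/total against 90%; None when there is nothing to measure."""
    if total == 0:
        return None
    return met * 100 >= TARGET_PERCENT * total


def evaluate(incidents):
    """Return {priority: (met, total, target_met)} for a reporting period."""
    return {p: (m, t, target_value_met(m, t)) for p, (m, t) in count_by_priority(incidents).items()}


def parse_rows(rows):
    """rows: (incident_id, priority, created_iso, updated_iso); constructed layout, not a real export."""
    return [
        Incident(i, p, datetime.fromisoformat(c), datetime.fromisoformat(u))
        for i, p, c, u in rows
    ]


# Constructed sample data, not real MDR incidents.
SAMPLE_ROWS = [
    ("INC-1001", "High", "2024-03-01T10:00:00", "2024-03-01T10:40:00"),    # 40 min: within 1 h
    ("INC-1002", "High", "2024-03-01T12:00:00", "2024-03-01T13:30:00"),    # 90 min: misses 1 h
    ("INC-1003", "Medium", "2024-03-02T08:00:00", "2024-03-02T11:00:00"),  # 3 h: within 4 h
] + [
    (f"INC-20{n:02d}", "Low", "2024-03-03T09:00:00", "2024-03-04T05:00:00")  # 20 h: within 24 h
    for n in range(9)
] + [
    ("INC-2009", "Low", "2024-03-03T09:00:00", "2024-03-04T15:00:00"),     # 30 h: misses 24 h
]


if __name__ == "__main__":
    for priority, (met, total, ok) in evaluate(parse_rows(SAMPLE_ROWS)).items():
        status = "n/a" if ok is None else ("met" if ok else "MISSED")
        print(f"{priority:<7} {met}/{total} within target -> {status}")
```

In the sample, High publishes 1 of 2 incidents in time (50%, target missed), Medium 1 of 1, and Low 9 of 10 (exactly 90%, which meets the target). Shares are compared as integers rather than floats so that the 90% boundary is evaluated exactly, and a priority with no incidents in the period yields None rather than a pass.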
