An alert is an event in the organization's IT infrastructure that was marked by Kaspersky EDR Expert as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.
Kaspersky EDR Expert generates an alert when an EPP application (for example, Kaspersky Endpoint Security for Windows) detects certain activity in the infrastructure that corresponds to conditions defined in the detection rules. An alert is always registered and created automatically by the application; it cannot be created manually.
All alerts are divided into the following alert types: IOC (Indicator of Compromise) and IOA (Indicator of Attack).
After detection, Kaspersky EDR Expert adds alerts to the alert table as work items that are to be processed by analysts. You cannot delete alerts, you can only close them.
Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.
You can manage alerts as work items by using the following alert properties:
You can combine and link alerts to bigger work items called incidents. You can link alerts to incidents manually, or enable the rules to create incidents and link alerts automatically. By using incidents, analysts can investigate multiple alerts as a single issue. When you link a currently unlinked alert to an incident, the alert loses its current status and gains the status In incident. You can link a currently linked alert to another incident. In this case, the In incident status of the alert is kept. You can link a maximum of 200 alerts to an incident.
Each alert has alert details that provide all of the information related to the alert. You can use this information to investigate the alert, track the events that preceded the alert, view detection artifacts, affected assets, or link the alert to an incident.