An incident is a container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain a single or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.
You can create incidents manually or enable the rules for automatic creation of incidents. After an incident is created, you can link alerts to the incident. You can link no more than 200 alerts to an incident.
After creation, Kaspersky EDR Expert adds incidents to the incident table as work items that are to be processed by analysts.
Incidents can be assigned only to analysts that have the access right to read and modify alerts and incidents.
You can manage incidents as work items by using the following incident properties:
Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.
Each incident has incident details that provide all of the information related to the incident. You can use this information to investigate the incident or merge incidents.