About incidents

Expand all | Collapse all

An incident is a container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain a single or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.

You can create incidents manually or enable the rules for automatic creation of incidents. After an incident is created, you can link alerts to the incident. You can link no more than 200 alerts to an incident.

After creation, Kaspersky EDR Expert adds incidents to the incident table as work items that are to be processed by analysts.

Incidents can be assigned only to analysts that have the access right to read and modify alerts and incidents.

You can manage incidents as work items by using the following incident properties:

• Incident status

  Possible values: New, In progress, On hold, or Closed.

  The incident status shows the current state of the incident in its life cycle. You can change the status as you like, with the following exceptions:

  • Status New cannot be changed to On hold.
  • Status Closed can only be changed to New.
• Incident severity

  Possible values: Low, Medium, High, or Critical.

  The incident severity shows the impact this incident may have on computer security or corporate LAN security, based on Kaspersky experience. An incident's severity corresponds to the highest severity of the linked alerts and cannot be changed manually.

• Incident priority

  Possible values: Low, Medium, High, or Critical.

  Incident priority defines the order in which the incidents must be investigated by analysts. Incidents with the Critical priority are the most urgent ones and must be investigated first. You can change the incident priority manually.

• Incident assignee

  This is an incident owner, the analyst who is responsible for the incident investigation and process. You can change an incident assignee at any time if the Status parameter is not set to Closed.

Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.

Each incident has incident details that provide all of the information related to the incident. You can use this information to investigate the incident or merge incidents.

See also: Creating incidents Viewing the incident table Viewing incident details Assigning incidents to analysts Changing an incident status Changing an incident priority Merging incidents About alerts Linking alerts to incidents Unlinking alerts from incidents

Page top