Linking alerts to incidents

You can link one or multiple alerts to an incident, for example, for the following reasons:

Multiple alerts may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, the alerts in the incident can be investigated as a single issue. You can link up to 200 alerts to an incident.
A single alert may be linked to an incident if the alert is defined as true positive.

You can link an alert to an incident if the alert has any status except for Closed. When linked to an incident, an alert loses its current status and gains the special status In incident. If you link alerts that are currently linked to other incidents, the alerts are unlinked from the current incidents, because an alert can be linked to only one incident.

Alerts can be linked to an incident manually or automatically.

Linking alerts manually

To link alerts to an existing or new incident:

In the main menu, go to MONITORING & REPORTING → Alerts.
If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into tabs. Go to the Expert tab. Otherwise, skip this step.
Select the check boxes next to the alerts that you want to link to an incident.
If you want to link alerts to an existing incident:
1. Click the Link to incident button.
2. Select an incident to link the alerts to.
If you want to link alerts to a new incident:
1. Click the Create incident button.
2. Fill in the properties of the new incident: name, assignee, and priority.
Click the Save button.

The selected alerts are linked to an existing or new incident.

Linking alerts automatically

Kaspersky EDR Expert has built-in rules to link alerts to an incident automatically. By default, these rules are disabled. You can enable them to help you handle the newly registered alerts. You can only enable or disable all of the rules at once.

Automatic incident creation rules:

Rule 1. Linking a new alert to an existing incident
Kaspersky EDR Expert links a new alert to an existing incident if at least one of the following parameters of the alert matches the same parameter in the incident:
- Any of the observables (MD5 hash, URL, IP address, domain name)
  The MD5 hash parameter is triggered only if less than 30 days have passed from the last update of the incident until the alert registration time. For the REST parameters (URL, IP address, domain name), this time interval must be less than two days.
- Device ID from the list of affected assets
  This parameter is triggered only if less than one hour has passed from the last update of the incident until the alert registration time.
- Triggered IOC rule
  This parameter is triggered only if less than one hour has passed from the last update of the incident until the alert registration time.
Other conditions that must be met for the rule to trigger:
- The incident must contain less than 200 alerts.
- The incident status is not Closed.
Rule 2. Creating a new incident from alerts on the same device
When a new alert is registered, Kaspersky EDR Expert checks if all of the following conditions are met:
- The newly registered alert and one or more alerts in the alert table have the same device ID.
- Alerts found with the same device ID must have the New status.
- Alerts found with the same device ID have been registered within 30 minutes before the newly registered alert.
If the conditions are met, Kaspersky EDR Expert creates a new incident, and links the new and found alerts to the new incident.
Rule 3. Creating a new incident from a single alert
Kaspersky EDR Expert creates a new incident and links a newly registered alert to the incident if the following conditions are met:
- An alert was registered as a result of triggering an IOC rule.
- Neither rule 1 nor rule 2 of the automatic incident creation rules has been triggered.

To enable the automatic incident creation rules:

Go to Console settings → Integration.
The Console settings window opens.
On the Integration tab, select the Kaspersky EDR Expert section.
Click the Settings link next to the Incident creation option.
The Incident creation window opens.
Select the Enable rules to create incidents automatically option.
Click the OK button.

The automatic incident creation rules are enabled.