You might need to unlink an alert from an incident, for example, if the alert analysis and investigation showed that the alert is not connected to other alerts in the incident. When you unlink an alert from an incident, Kaspersky EDR Expert performs the following actions:
Refreshes all of the data related to the incident, to reflect that the alert no longer belongs to the incident. For example, you can view the changes in the incident details.
Resets the status of the unlinked alerts to New.
You can unlink alerts from incidents by using the alert table or the incident details.
Unlinking alerts from incidents by using the alert table
To unlink alerts from their incidents:
In the main menu, go to MONITORING & REPORTING→Alerts.
If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
Select the check boxes next to the alerts that you want to unlink from the incidents.
Click the Unlink from incident button.
The Unlink alerts window opens.
If you want, enter a comment. You may want to specify the reason why you are unlinking the alerts. The comment will be added to the Comments section of the alert details.
If you want, change the assignee of the alerts that you want to unlink.
Click the Save button.
The selected alerts are unlinked from their incidents.
Unlinking alerts from incidents by using the incident details
To unlink alerts from the incident:
In the main menu, go to MONITORING & REPORTING→Incidents.
In the incident table, click the ID of the incident from which you want to unlink alerts.
The window with incident details opens.
In the Alerts section, select the check boxes next to the alerts that you want to unlink from the incident.
Click the Unlink from incident button.
The selected alerts are unlinked from the incident.