All alerts are divided into the following alert types:

IOC alert

An alert of this type is registered as a result of performing the IOC scan task on a protected device. When an IOC rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOC alert. The created IOC alerts represent the device status at the start of the IOC scan task. You can create custom IOC rules.
An IOC alert always corresponds to a single IOC rule triggered in the IT infrastructure. If the IOC scan task results in several triggered IOC rules, Kaspersky EDR Expert creates a separate IOC alert for each of the triggered IOC rules.
An IOC alert always corresponds to a single device. If the same IOC rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOC alert for each device.
IOA alert

An alert of this type is registered as a result of analyzing the telemetry data flow from the protected devices. When an IOA rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOA alert. Because the telemetry data flow is analyzed continuously, the created IOA alerts represent the current activity on the protected devices. The IOA rules are predefined by Kaspersky specialists. In addition, you can create custom IOA rules.
An IOA alert always corresponds to a single device. If the same IOA rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOA alert for each device.
Kaspersky EDR Expert analyzes events in 15-minute intervals. If at least one IOA rule is triggered during a 15-minute interval, Kaspersky EDR Expert creates an IOA alert. If several IOA rules (both predefined and custom) are triggered during a 15-minute interval on the same device, the created IOA alert aggregates all of the alert events and triggered rules.
Kaspersky EDR Expert does not create an IOA alert if an identical alert was already registered on the same device during the last 24 hours. Two IOA alerts are considered identical if the following properties are identical for both of them:
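The 15-minute aggregation and 24-hour suppression described above, modelled in Python as an added illustration (this is not Kaspersky's code). Because the identity properties are not reproduced here, the model assumes two alerts are identical when the device and the set of triggered rules match; the rule names, hosts and timestamps are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=15)    # analysis interval stated on the page
DEDUP_WINDOW = timedelta(hours=24)  # suppression window stated on the page

@dataclass
class Trigger:
    time: datetime   # one IOA rule firing on one telemetry event
    device: str
    rule: str

@dataclass
class IOAAlert:
    device: str
    interval_start: datetime
    rules: set = field(default_factory=set)
    event_count: int = 0

def interval_start(t: datetime) -> datetime:
    """Floor a timestamp to the start of its 15-minute interval."""
    return t.replace(minute=t.minute - t.minute % 15, second=0, microsecond=0)

def build_ioa_alerts(triggers):
    """Aggregate per (device, interval), then drop repeats within 24 h.
    ASSUMPTION: two alerts count as identical when device and rule set
    match; the page's real property list is not reproduced here."""
    pending = {}
    for t in sorted(triggers, key=lambda x: x.time):
        key = (t.device, interval_start(t.time))
        a = pending.setdefault(key, IOAAlert(*key))
        a.rules.add(t.rule)       # all rules of the interval land in one alert
        a.event_count += 1        # and so do all of their alert events
    created, last_seen = [], {}
    for a in sorted(pending.values(), key=lambda x: x.interval_start):
        ident = (a.device, frozenset(a.rules))
        at = a.interval_start + INTERVAL   # registered when the interval closes
        if ident in last_seen and at - last_seen[ident] < DEDUP_WINDOW:
            continue                       # identical alert within 24 h: skipped
        last_seen[ident] = at
        created.append(a)
    return created

# Constructed sample: R1+R2 in one interval on host-a, one hit on host-b, the
# same pair on host-a again after 3 h (suppressed) and after 30 h (new alert).
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE_TRIGGERS = [Trigger(T0 + timedelta(**d), dev, r) for d, dev, r in [
    ({"minutes": 2}, "host-a", "R1"), ({"minutes": 9}, "host-a", "R2"),
    ({"minutes": 20}, "host-b", "R1"), ({"hours": 3}, "host-a", "R1"),
    ({"hours": 3}, "host-a", "R2"), ({"hours": 30}, "host-a", "R1"),
    ({"hours": 30}, "host-a", "R2")]]
```

Running `build_ioa_alerts(SAMPLE_TRIGGERS)` yields three alerts from seven triggers: the two host-a rules of the first interval merge into one alert, and the repeat three hours later is suppressed while the repeat after 30 hours is not.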