About alert types

March 20, 2024

ID 227031

All alerts are divided into the following alert types:

  • IOC (Indicator of Compromise) alerts

    An alert of this type is registered as a result of performing the IOC scan task on a protected device. When an IOC rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOC alert. The created IOC alerts represent the current device status at the start of the IOC scan task. You can create custom IOC rules.

    An IOC alert always corresponds to a single IOC rule triggered in the IT infrastructure. If the IOC scan task results in several triggered IOC rules, Kaspersky EDR Expert creates a separate IOC alert for each of the triggered IOC rules.

    An IOC alert always corresponds to a single device. If the same IOC rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOC alert for each device.

  • IOA (Indicator of Attack) alerts

    An alert of this type is registered as a result of an analysis of the telemetry data flow from the protected devices. When an IOA rule triggers and defines an event as an alert, Kaspersky EDR Expert creates a new IOA alert. Because the telemetry data flow is analyzed continuously, the created IOA alerts represent the current activity on the protected devices. The IOA rules are predefined by Kaspersky specialists. In addition, you can create custom IOA rules.

    An IOA alert always corresponds to a single device. If the same IOA rule is triggered on several devices, Kaspersky EDR Expert creates a separate IOA alert for each device.

    Kaspersky EDR Expert analyzes events in 15-minute intervals. If at least one IOA rule is triggered during a 15-minute interval, Kaspersky EDR Expert creates an IOA alert. If several IOA rules (both predefined and custom) are triggered during a 15-minute interval on the same device, the created IOA alert aggregates all of the alert events and triggered rules.

    Kaspersky EDR Expert does not create an IOA alert if an identical alert was already registered on the same device during the last 24 hours. Two IOA alerts are considered identical if the following properties are identical for both of them:

    • Triggered IOA rules
    • All MD5 hashes obtained from the events related to the alert
    • Observables of the IP and Domain data types

See also:

About alerts

Viewing the alert table

Viewing alert details

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents

Unlinking alerts from incidents

About incidents
