About alerts

March 20, 2024

ID 221313


An alert is an event in the organization's IT infrastructure that was marked by Kaspersky EDR Expert as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.

Kaspersky EDR Expert generates an alert when an EPP application (for example, Kaspersky Endpoint Security for Windows) detects certain activity in the infrastructure that corresponds to conditions defined in the detection rules. An alert is always registered and created automatically by the application; it cannot be created manually.

All alerts are divided into the following alert types: IOC (Indicator of Compromise) and IOA (Indicator of Attack).

After detection, Kaspersky EDR Expert adds alerts to the alert table as work items to be processed by analysts. You cannot delete alerts; you can only close them.

Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.

You can manage alerts as work items by using the following alert properties:

  • Alert status
  • Alert severity
  • Alert assignee

You can combine and link alerts into bigger work items called incidents. You can link alerts to incidents manually, or enable rules that create incidents and link alerts to them automatically. By using incidents, analysts can investigate multiple alerts as a single issue. When you link a currently unlinked alert to an incident, the alert loses its current status and gains the status In incident. You can also link an already linked alert to another incident; in this case, the alert keeps the In incident status. You can link a maximum of 200 alerts to one incident.
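The work-item rules stated above (alerts are closed but never deleted, assignment requires read-and-modify rights, linking sets the In incident status, re-linking keeps it, and an incident holds at most 200 alerts) can be captured in a small model. The following is an added illustration written for this page; it is not Kaspersky EDR Expert code and does not reflect the product's API. The status names other than "In incident", the two-flag rights model, and the assumption that an alert belongs to one incident at a time are constructed for the example.

```python
"""Toy model of the alert work-item rules described on this page.

Added example, not Kaspersky EDR Expert code. Status names other than
"In incident", the Analyst rights flags, and the one-incident-per-alert
rule are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_ALERTS_PER_INCIDENT = 200      # documented limit per incident

STATUS_NEW = "New"                 # assumed name of the initial status
STATUS_IN_INCIDENT = "In incident" # status name given on the page
STATUS_CLOSED = "Closed"           # assumed name; alerts are closed, never deleted


@dataclass(frozen=True)
class Analyst:
    name: str
    can_read_alerts: bool
    can_modify_alerts: bool


@dataclass
class Alert:
    alert_id: str
    alert_type: str                # "IOC" or "IOA"
    severity: str
    status: str = STATUS_NEW
    assignee: Optional[str] = None
    incident_id: Optional[str] = None


@dataclass
class Incident:
    incident_id: str
    alert_ids: list = field(default_factory=list)


class AlertTable:
    """Alerts and incidents with only the operations the page allows."""

    def __init__(self) -> None:
        self.alerts: dict[str, Alert] = {}
        self.incidents: dict[str, Incident] = {}

    def register(self, alert: Alert) -> Alert:
        # Alerts are created only by detection; this stands in for that path.
        self.alerts[alert.alert_id] = alert
        return alert

    def close(self, alert_id: str) -> Alert:
        # Deliberately no delete(): closing is the only terminal action.
        alert = self.alerts[alert_id]
        alert.status = STATUS_CLOSED
        return alert

    def assign(self, alert_id: str, analyst: Analyst) -> Alert:
        # Only analysts with both read and modify rights may be assignees.
        if not (analyst.can_read_alerts and analyst.can_modify_alerts):
            raise PermissionError(
                f"{analyst.name} lacks read+modify rights on alerts/incidents")
        alert = self.alerts[alert_id]
        alert.assignee = analyst.name
        return alert

    def link(self, alert_id: str, incident_id: str) -> Alert:
        alert = self.alerts[alert_id]
        incident = self.incidents.setdefault(incident_id, Incident(incident_id))
        if alert.incident_id == incident_id:
            return alert                       # already in this incident
        if len(incident.alert_ids) >= MAX_ALERTS_PER_INCIDENT:
            raise ValueError(
                f"{incident_id} already holds {MAX_ALERTS_PER_INCIDENT} alerts")
        if alert.incident_id is not None:
            # Assumption: one incident per alert, so re-linking moves it.
            # The alert keeps its In incident status.
            self.incidents[alert.incident_id].alert_ids.remove(alert_id)
        else:
            # Unlinked alert: whatever status it had is replaced.
            alert.status = STATUS_IN_INCIDENT
        incident.alert_ids.append(alert_id)
        alert.incident_id = incident_id
        return alert


if __name__ == "__main__":
    table = AlertTable()
    a1 = table.register(Alert("A1", "IOA", "High"))
    table.link("A1", "INC-1")
    table.link("A1", "INC-2")
    print(a1.status, a1.incident_id, table.incidents["INC-1"].alert_ids)
```

The cap is enforced at link time rather than when the incident is created, which matches how the limit is described: it is a property of the incident's contents, not of the alert.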

Each alert has alert details that provide all of the information related to the alert. You can use this information to investigate the alert, track the events that preceded it, view detection artifacts and affected assets, or link the alert to an incident.

See also:

About alert types

Viewing the alert table

Viewing alert details

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents

Unlinking alerts from incidents

About incidents
