Changing an alert status

Expand all | Collapse all

As a work item, an alert has a status that shows the current state of the alert in its life cycle.

You can change alert statuses for your own alerts or alerts of other analysts only if you have the access right to read and modify alerts and incidents.

An alert can have one of the following statuses:

• New

  When Kaspersky EDR Expert registers a new alert, the alert has the New status. You can change the status to In progress or Closed. When you change the New status to In progress, the alert is automatically assigned to you. When you change the New status to Closed, and the alert has no assignee, the alert is automatically assigned to you.

• In progress

  This status means that an analyst started working on the alert. When you set the In progress status, the alert is automatically assigned to you. You can change the In progress status to New or Closed.

• Closed

  True positive alerts are to be linked to incidents and be investigated within the incidents. When you close an incident, the linked alerts also gain the Closed status. You close an unlinked alert only as false positive or a low-priority alert. When you close an alert, you must select a resolution and provide a short comment.

  The Closed status can only be changed to status New. If you want to return a closed alert back to active, change its status as follows: Closed → New → In progress.

  When you close an alert linked to an incident, the alert is automatically unlinked from the incident. If the alert that you are going to close has no assignee, the alert is automatically assigned to the analyst who closes the alert.

• In incident

  Alerts gain this status when they are linked to an incident. You cannot set this status manually. You can only set the Closed status to a linked alert. To set the New or In progress status, you first must unlink the alert from the incident.

To change the status of one or several alerts:

1. In the main menu, go to MONITORING & REPORTING → Alerts.
2. If you have both Kaspersky EDR Optimum and Kaspersky EDR Expert integrated into Kaspersky Security Center Cloud Console, the Alerts section is divided into two tabs. Go to the Expert tab. Otherwise, skip this step.
3. Select the check boxes next to the alerts whose status you want to change.
4. Click the Change status button.
5. In the Change status window, select the status to set.

   If you set the Closed status, you must select a resolution and provide a short comment.

6. Provide a comment, if necessary.
7. Click the Save button.

The status of the selected alerts is changed.