Kaspersky Endpoint Detection and Response Expert

Known issues

Kaspersky Endpoint Detection and Response has a number of limitations that are not critical to the operation of the application:

  • In the alert and incident tables, the columns that combine two or more data types can only be sorted by one of the data types:
    • The column that combines the alert ID and alert severity can only be sorted by the alert ID.
    • The column that combines the alert registration date and method of linking to an incident can only be sorted by the alert registration date.
    • The column that combines the alert status, resolution, and incident ID can only be sorted by the alert status.
    • The column that combines the incident creation date and creation method can only be sorted by the incident creation date.
    • The column that combines the incident ID and incident name can only be sorted by the incident ID.
  • In the Threat Hunting section, the web page may stop responding if more than 1,000 events are loaded in the list.
  • A Kaspersky rule cannot be disabled by setting the Use option to Never. The rule keeps triggering and producing new alerts.
  • If you rename a Kaspersky rule, the rule details cannot be opened from an event that was marked by this rule before the rule was renamed.
  • In the Threat Hunting section, a query by device name over a custom time period may take up to 20 minutes to process.
  • In the details of a Kaspersky IOA rule, the links to MITRE sub-techniques are formed incorrectly. The linked webpages cannot be opened.
  • If you create a query from a non-string value in the alert details, the value is automatically inserted into the query field as a string value.
  • In the Threat Hunting section, a query that uses the AnyUserName field works incorrectly.
  • When you move an IOC scan task to another device group, the details for this task become unavailable.