About alerts
An alert is an event in the organization's IT infrastructure that was marked by Open Single Management Platform as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.
Open Single Management Platform generates an alert when an EPP application (for example, Kaspersky Endpoint Security for Windows) detects certain activity in the infrastructure that corresponds to conditions defined in the detection rules.
The alert is created within 30 seconds after the KUMA correlation event has occurred.
You can also create an alert manually from a set of events.
After detection, Open Single Management Platform adds alerts to the alert table as work items that are to be processed by analysts. You cannot delete alerts—you can only close them.
Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.
You can manage alerts as work items by using the following alert properties:
You can combine and link alerts to bigger work items called incidents. You can link alerts to incidents manually, or enable the rules to create incidents and link alerts automatically. By using incidents, analysts can investigate multiple alerts as a single issue. When you link a currently unlinked alert to an incident, the alert loses its current status and gains the status In incident. You can link a currently linked alert to another incident. In this case, the In incident status of the alert is kept. You can link a maximum of 200 alerts to an incident.
Each alert has alert details that provide all of the information related to the alert. You can use this information to investigate the alert, track the events that preceded the alert, view detection artifacts, affected assets, or link the alert to an incident.