Kaspersky Next XDR Expert

About incidents


An incident is a container of alerts that normally indicates a true positive issue in the organization's IT infrastructure. An incident may contain one or several alerts. By using incidents, analysts can investigate multiple alerts as a single issue.

You can create incidents manually or enable the rules for automatic creation of incidents. After an incident is created, you can link alerts to the incident. You can link no more than 200 alerts to an incident.

After creation, Open Single Management Platform adds incidents to the incident table as work items that are to be processed by analysts.

Incidents can be assigned only to analysts who have the access right to read and modify alerts and incidents.

You can manage incidents as work items by using the following incident properties:

  • Incident status

    Possible values: New, In progress, On hold, or Closed.

    The incident status shows the current state of the incident in its life cycle. You can change the status freely, with the following exceptions:

    • Status New cannot be changed to On hold.
    • Status Closed can only be changed to New.
  • Incident severity

    Possible values: Low, Medium, High, or Critical.

    The incident severity shows the impact this incident may have on computer security or corporate LAN security, based on Kaspersky's experience. An incident's severity corresponds to the highest severity of the linked alerts and cannot be changed manually.

  • Incident priority

    Possible values: Low, Medium, High, or Critical.

    Incident priority defines the order in which the incidents must be investigated by analysts. Incidents with the Critical priority are the most urgent ones and must be investigated first. You can change the incident priority manually.

  • Incident assignee

    This is the incident owner: the analyst responsible for investigating and processing the incident. You can change the incident assignee at any time as long as the Status parameter is not set to Closed.
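The status transitions, derived severity, assignee restriction and 200-alert limit described above, modelled as a small validator that an integration could run before requesting a change from the platform. This is an added example, not Kaspersky's code or API: the class names, the `has_incident_rights` flag and the sample alerts are assumptions.

```python
# Added example (not Kaspersky's code): models the incident work-item rules
# described in the documentation so that a client can reject invalid changes
# before sending them to the platform.
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional

MAX_LINKED_ALERTS = 200  # limit stated in the documentation


class Status(Enum):
    NEW = "New"
    IN_PROGRESS = "In progress"
    ON_HOLD = "On hold"
    CLOSED = "Closed"


class Level(Enum):
    # Used for both severity and priority; ordered Low < Medium < High < Critical.
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass
class Alert:
    alert_id: str  # constructed sample identifier, not a real alert ID
    severity: Level


@dataclass
class Incident:
    incident_id: str  # constructed sample identifier
    status: Status = Status.NEW
    priority: Level = Level.LOW  # priority may be changed manually
    assignee: Optional[str] = None
    alerts: List[Alert] = field(default_factory=list)

    @property
    def severity(self) -> Optional[Level]:
        """Derived value: the highest severity among linked alerts, never set by hand."""
        if not self.alerts:
            return None
        return max((a.severity for a in self.alerts), key=lambda lvl: lvl.value)

    def can_change_status(self, new_status: Status) -> bool:
        """Apply the two documented exceptions to otherwise free status changes."""
        if new_status == self.status:
            return True  # no-op
        if self.status == Status.NEW and new_status == Status.ON_HOLD:
            return False  # New cannot be changed to On hold
        if self.status == Status.CLOSED and new_status != Status.NEW:
            return False  # Closed can only be changed to New
        return True

    def set_status(self, new_status: Status) -> None:
        if not self.can_change_status(new_status):
            raise ValueError(f"{self.status.value} -> {new_status.value} is not allowed")
        self.status = new_status

    def set_priority(self, priority: Level) -> None:
        self.priority = priority  # manual change is permitted for priority

    def assign(self, analyst: str, has_incident_rights: bool) -> None:
        """Assignee changes are blocked on Closed incidents and for analysts
        without the right to read and modify alerts and incidents
        (has_incident_rights is an assumed flag supplied by the caller)."""
        if self.status == Status.CLOSED:
            raise ValueError("assignee cannot be changed on a Closed incident")
        if not has_incident_rights:
            raise PermissionError(f"{analyst} lacks the right to modify incidents")
        self.assignee = analyst

    def link_alert(self, alert: Alert) -> None:
        if len(self.alerts) >= MAX_LINKED_ALERTS:
            raise ValueError(f"an incident may hold at most {MAX_LINKED_ALERTS} alerts")
        self.alerts.append(alert)


def walk_life_cycle() -> Incident:
    """Constructed scenario: link two alerts, take the incident through
    New -> In progress -> On hold -> Closed, and return it for inspection."""
    inc = Incident("INC-example")
    inc.link_alert(Alert("ALERT-1", Level.LOW))
    inc.link_alert(Alert("ALERT-2", Level.HIGH))  # drives severity to High
    inc.assign("analyst-a", has_incident_rights=True)
    inc.set_status(Status.IN_PROGRESS)
    inc.set_status(Status.ON_HOLD)  # allowed from In progress, not from New
    inc.set_status(Status.CLOSED)
    return inc


if __name__ == "__main__":
    incident = walk_life_cycle()
    print(incident.severity, incident.status, incident.assignee)
```

The severity property is intentionally read-only: because the page states that severity always equals the highest severity of the linked alerts, recomputing it from the alert list avoids the class of bugs where a cached value drifts from the alerts actually linked.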

Two or more incidents may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, you can merge the incidents to investigate them as a single issue.

Each incident has incident details that provide all of the information related to the incident. You can use this information to investigate the incident or merge incidents.

See also:

Creating incidents

Viewing the incident table

Assigning incidents to analysts

Changing an incident status

Changing an incident priority

Merging incidents

About alerts

Linking alerts to incidents

Unlinking alerts from incidents
