Kaspersky Next XDR Expert

Working with alerts

This section contains general information about alerts, their properties, typical life cycle, and connection with incidents. The instructions that are provided will help you analyze the alert table, change alert properties according to the current state in the life cycle, and combine alerts into incidents by linking or unlinking the alerts.

The Alerts section is displayed in the main menu if the following conditions are met:

  • You have a license key for Kaspersky Next XDR Expert.
  • You are connected to the root Administration Server in OSMP Console.
  • You have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, SOC manager, Interaction with NCIRCC, Approver, Observer.

In this section

About alerts

Alert data model

Viewing the alert table

Viewing alert details

Assigning alerts to analysts

Changing an alert status

Creating alerts manually

Linking alerts to incidents

Unlinking alerts from incidents

Linking events to alerts

Unlinking events from alerts

Editing alerts by using playbooks

Working with alerts on the investigation graph

Aggregation rules


About alerts


An alert is an event in the organization's IT infrastructure that was marked by Open Single Management Platform as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.

Open Single Management Platform generates an alert when an EPP application (for example, Kaspersky Endpoint Security for Windows) detects certain activity in the infrastructure that corresponds to conditions defined in the detection rules.

The alert is created within 30 seconds after the KUMA correlation event has occurred.

You can also create an alert manually from a set of events.

After detection, Open Single Management Platform adds alerts to the alert table as work items that are to be processed by analysts. You cannot delete alerts—you can only close them.

Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.

You can manage alerts as work items by using the following alert properties:

  • Alert status

    Possible values: New, In progress, Closed, or In incident.

    The alert status shows the current state of the alert in its life cycle. You can change the status as you like, with the following exceptions:

    • You cannot return closed alerts to the status In progress. Closed alerts can only be returned to the status New, and then the status can be changed to In progress.
    • You cannot set the In incident status manually. The alerts gain this status when they are linked to an incident.
    • You can only set the Closed status to a linked alert. To set the New or In progress status, you first must unlink the alert from the incident.
  • Alert severity

    Possible values: Low, Medium, High, or Critical.

    The alert severity shows the impact this alert may have on computer security or corporate LAN security, based on Kaspersky experience. The severity is defined automatically and cannot be changed manually.

  • Alert assignee

    This is an alert owner, the analyst who is responsible for the alert investigation and process. You can change an alert assignee at any time, with one exception—you cannot change an assignee of closed alerts.

You can combine and link alerts to bigger work items called incidents. You can link alerts to incidents manually, or enable the rules to create incidents and link alerts automatically. By using incidents, analysts can investigate multiple alerts as a single issue. When you link a currently unlinked alert to an incident, the alert loses its current status and gains the status In incident. You can link a currently linked alert to another incident. In this case, the In incident status of the alert is kept. You can link a maximum of 200 alerts to an incident.
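The status, assignee and linking rules described above, worked as a small state machine. This is an added example, not Open Single Management Platform code; the class and function names are assumptions and the scenario in walk_through() is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

RESOLUTIONS = ("truePositive", "falsePositive", "lowPriority", "merged")
MAX_ALERTS_PER_INCIDENT = 200
# Manual transitions allowed from each status. In incident is never set by hand,
# and a linked alert can only be closed (which also unlinks it).
MANUAL_TRANSITIONS = {
    "New": {"In progress", "Closed"},
    "In progress": {"New", "Closed"},
    "Closed": {"New"},
    "In incident": {"Closed"},
}

@dataclass
class Alert:
    alert_id: int
    status: str = "New"
    assignee: Optional[str] = None
    incident_id: Optional[str] = None
    resolution: Optional[str] = None

@dataclass
class Incident:
    incident_id: str
    alert_ids: Set[int] = field(default_factory=set)

def change_status(alert: Alert, new_status: str, actor: str,
                  incidents: Dict[str, Incident], resolution: Optional[str] = None) -> Alert:
    """Manual status change with the rules of this section enforced."""
    if new_status not in MANUAL_TRANSITIONS.get(alert.status, set()):
        raise ValueError(f"cannot change {alert.status!r} to {new_status!r} manually")
    if new_status == "Closed":
        if resolution not in RESOLUTIONS:
            raise ValueError("closing an alert requires a resolution")
        if alert.incident_id is not None:            # closing a linked alert unlinks it
            incidents[alert.incident_id].alert_ids.discard(alert.alert_id)
            alert.incident_id = None
        if alert.assignee is None:                   # an unassigned alert goes to the closer
            alert.assignee = actor
        alert.resolution = resolution
    alert.status = new_status
    return alert

def assign(alert: Alert, analyst: Optional[str]) -> Alert:
    """Change the assignee (None = Not assigned); closed alerts cannot be reassigned."""
    if alert.status == "Closed":
        raise ValueError("the assignee of a closed alert cannot be changed")
    alert.assignee = analyst
    return alert

def link(alert: Alert, incident: Incident, incidents: Dict[str, Incident]) -> Alert:
    """Link an alert to an incident: it gains In incident; relinking keeps that status."""
    if alert.alert_id not in incident.alert_ids and len(incident.alert_ids) >= MAX_ALERTS_PER_INCIDENT:
        raise ValueError(f"an incident can hold at most {MAX_ALERTS_PER_INCIDENT} alerts")
    if alert.incident_id not in (None, incident.incident_id):   # move between incidents
        incidents[alert.incident_id].alert_ids.discard(alert.alert_id)
    incidents[incident.incident_id] = incident
    incident.alert_ids.add(alert.alert_id)
    alert.incident_id = incident.incident_id
    alert.status = "In incident"
    return alert

def walk_through() -> dict:
    """Constructed scenario exercising the rules; returns what each step produced."""
    incidents: Dict[str, Incident] = {}
    a = Alert(alert_id=1)
    change_status(a, "In progress", "analyst1", incidents)
    link(a, Incident("INC-1"), incidents)            # In progress -> In incident
    rejected = []
    for target in ("New", "In progress"):            # only Closed is allowed while linked
        try:
            change_status(a, target, "analyst1", incidents)
        except ValueError:
            rejected.append(target)
    change_status(a, "Closed", "analyst2", incidents, resolution="falsePositive")
    try:
        assign(a, "analyst3")
        reassigned = True
    except ValueError:
        reassigned = False
    return {"status": a.status, "assignee": a.assignee,
            "still_linked": 1 in incidents["INC-1"].alert_ids,
            "rejected": rejected, "closed_reassigned": reassigned}
```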

Each alert has alert details that provide all of the information related to the alert. You can use this information to investigate the alert, track the events that preceded the alert, view detection artifacts, affected assets, or link the alert to an incident.

See also:

Viewing the alert table

Viewing alert details

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents

Unlinking alerts from incidents

About incidents


Alert data model

The structure of an alert is represented by fields that contain values (see the table below). Some fields are objects or arrays of objects with their own set of fields (for example, the Assignee and Assets fields).

Alert

Field | Value type | Is required | Description
--- | --- | --- | ---
InternalID | String | Yes | Internal alert ID, in the UUID format. The field value may match the SourceID value.
ID | Integer | Yes | Short internal alert ID.
TenantID | String | Yes | ID of the tenant that the alert is associated with, in the UUID format.
CreatedAt | String | Yes | Date and time of the alert generation, in the RFC 3339 format.
UpdatedAt | String | Yes | Date and time of the last alert change, in the RFC 3339 format.
StatusChangedAt | String | No | Date and time of the last alert status change, in the RFC 3339 format.
Severity | String | Yes | Severity of the alert. Possible values: critical, high, medium, low.
IntegrationID | String | Yes | ID of the Kaspersky application management plug-in that is integrated in OSMP.
IntegrationCompatibilityVersion | String | Yes | Version of the Kaspersky application management plug-in that is integrated in OSMP.
SourceID | String | No | Unique alert identifier in the integrated component.
SourceCreatedAt | String | No | Date and time of the alert generation in the integrated component, in the RFC 3339 format.
FirstEventTime | String | Yes | Date and time of the first telemetry event related to the alert, in the RFC 3339 format.
LastEventTime | String | Yes | Date and time of the last telemetry event related to the alert, in the RFC 3339 format.
DetectSource | String | No | Component that detects and generates the alert.
DetectionTechnologies | Array of strings | No | Triggered detection technology.
Status | String | Yes | Alert status. Possible values: new, inProgress, inIncident, closed.
StatusResolution | String | No | Resolution of the alert status. Possible values: truePositive, falsePositive, lowPriority, merged.
IncidentID | String | No | Internal ID of the incident associated with the alert.
IncidentLinkType | String | No | Way to add an alert to an incident. Possible values: manual, auto.
Assignee | Assignee object | No | Operator to whom the alert is assigned.
MITRETactics | Array of MITRETactic objects | No | MITRE tactics related to all triggered IOA rules in the alert.
MITRETechniques | Array of MITRETechnique objects | No | MITRE techniques related to all triggered IOA rules in the alert.
Observables | Array of Observable objects | No | Observables related to the alert.
Assets | Array of Asset objects | No | Assets affected by the alert.
Rules | Array of Rule objects | No | Triggered correlation rules, on the basis of which the alert is generated.
OriginalEvents | Array of objects | No | Events, on the basis of which the alert is generated.
ExternalRef | String | Yes | Link to an entity in an external system (for example, a link to a Jira ticket).
Extra | Object | No | Data related to the alert, in the JSON format. This data is obtained from managed Kaspersky applications when events are transformed into alerts. This field is not used in the interface.
AdditionalData | Object | No | Additional information about the alert, in the JSON format. This information can be filled in by a user or a playbook.
Name | String | Yes | Alert name.
Attachments | Array of UnkeyedAttachment objects | No | Attachments related to the incident.

Assignee

Field | Value type | Is required | Description
--- | --- | --- | ---
ID | String | Yes | User account ID of the operator to whom the alert is assigned.
Name | String | Yes | Name of the operator to whom the alert is assigned.

MITRETactic

Field | Value type | Is required | Description
--- | --- | --- | ---
ID | String | Yes | ID of the MITRE tactic related to all triggered IOA rules in the alert.
Name | String | Yes | Name of the MITRE tactic related to all triggered IOA rules in the alert.

MITRETechnique

Field | Value type | Is required | Description
--- | --- | --- | ---
ID | String | Yes | ID of the MITRE technique related to all triggered IOA rules in the alert.
Name | String | Yes | Name of the MITRE technique related to all triggered IOA rules in the alert.

Observable

Field | Value type | Is required | Description
--- | --- | --- | ---
Type | String | Yes | Type of the observable object. Possible values: ip, md5, sha256, url, domain, userName, hostName.
Value | String | Yes | Value of the observable object.
Details | String | No | Additional information about the observable object.

Rule

Field | Value type | Is required | Description
--- | --- | --- | ---
ID | String | Yes | ID of the triggered rule.
Name | String | No | Name of the triggered rule.
Severity | String | No | Severity of the triggered rule. Possible values: critical, high, medium, low.
Confidence | String | No | Confidence level of the triggered rule. Possible values: high, medium, low.
Custom | Boolean | No | Indicator that the alert is based on custom rules.

Asset

Field | Value type | Is required | Description
--- | --- | --- | ---
Type | String | Yes | Type of the affected asset (a device or an account). Possible values: host, user.
ID | String | Yes | ID of the affected asset (a device or an account).
Name | String | No | The name of the affected device that the alert is associated with (if Type is set to host), or the user name of the affected user account associated with the events on the basis of which the alert is generated (if Type is set to user).
IsAttacker | Boolean | No | Indicator that the affected asset (a device or an account) is an attacker.
IsVictim | Boolean | No | Indicator that the affected asset (a device or an account) is a victim.

UnkeyedAttachment

Field | Value type | Is required | Description
--- | --- | --- | ---
AttachmentID | String | Yes | Attachment ID, in the UUID format.
Name | String | Yes | Attachment name.
CreatedAt | String | Yes | Date and time of the attachment creation, in the UTC format.
UpdatedAt | String | Yes | Date and time of the last attachment change, in the UTC format.
CreatedBy | String | Yes | Indicator that the affected asset (a device or an account) is a victim.
Size | Integer | Yes | Attachment size, specified in bytes.
Status | String | Yes | Attachment status that indicates whether the attachment upload is in progress, completed, or aborted with an error. Possible values: completed, error, uploading.
Description | String | No | Attachment description.
StatusCode | String | No | Text of the status that is displayed to a user (for example, an error message that is displayed when the attachment upload fails).
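A validator that checks an alert record against the data model above: required fields, value types, the enumerated values of the Alert, Assignee, Observable, Rule and Asset objects, and RFC 3339 timestamps. This is an added example, not product code; the sample alert (including its IntegrationID and rule ID values) is constructed, and the helper names are assumptions.

```python
import json
from datetime import datetime

# (value type, required) for each field of the Alert object, taken from the table above.
ALERT_FIELDS = {
    "InternalID": (str, True), "ID": (int, True), "TenantID": (str, True),
    "CreatedAt": (str, True), "UpdatedAt": (str, True), "StatusChangedAt": (str, False),
    "Severity": (str, True), "IntegrationID": (str, True),
    "IntegrationCompatibilityVersion": (str, True), "SourceID": (str, False),
    "SourceCreatedAt": (str, False), "FirstEventTime": (str, True),
    "LastEventTime": (str, True), "DetectSource": (str, False),
    "DetectionTechnologies": (list, False), "Status": (str, True),
    "StatusResolution": (str, False), "IncidentID": (str, False),
    "IncidentLinkType": (str, False), "Assignee": (dict, False),
    "MITRETactics": (list, False), "MITRETechniques": (list, False),
    "Observables": (list, False), "Assets": (list, False), "Rules": (list, False),
    "OriginalEvents": (list, False), "ExternalRef": (str, True), "Extra": (dict, False),
    "AdditionalData": (dict, False), "Name": (str, True), "Attachments": (list, False),
}
ALERT_ENUMS = {
    "Severity": {"critical", "high", "medium", "low"},
    "Status": {"new", "inProgress", "inIncident", "closed"},
    "StatusResolution": {"truePositive", "falsePositive", "lowPriority", "merged"},
    "IncidentLinkType": {"manual", "auto"},
}
TIMESTAMP_FIELDS = {"CreatedAt", "UpdatedAt", "StatusChangedAt", "SourceCreatedAt",
                    "FirstEventTime", "LastEventTime"}
# Nested objects: (field spec, enums) from the Assignee, Observable, Rule and Asset tables.
NESTED = {
    "Assignee": ({"ID": (str, True), "Name": (str, True)}, {}),
    "Observables": ({"Type": (str, True), "Value": (str, True), "Details": (str, False)},
                    {"Type": {"ip", "md5", "sha256", "url", "domain", "userName", "hostName"}}),
    "Rules": ({"ID": (str, True), "Name": (str, False), "Severity": (str, False),
               "Confidence": (str, False), "Custom": (bool, False)},
              {"Severity": {"critical", "high", "medium", "low"},
               "Confidence": {"high", "medium", "low"}}),
    "Assets": ({"Type": (str, True), "ID": (str, True), "Name": (str, False),
                "IsAttacker": (bool, False), "IsVictim": (bool, False)},
               {"Type": {"host", "user"}}),
}

def _is_rfc3339(value: str) -> bool:
    # A trailing 'Z' is normalized so fromisoformat() accepts it on Python versions before 3.11.
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

def _check_object(obj: dict, spec: dict, enums: dict, path: str, errors: list) -> None:
    for name, (typ, required) in spec.items():
        if name not in obj:
            if required:
                errors.append(f"{path}.{name}: required field is missing")
            continue
        if not isinstance(obj[name], typ):
            errors.append(f"{path}.{name}: expected {typ.__name__}")
        elif name in enums and obj[name] not in enums[name]:
            errors.append(f"{path}.{name}: {obj[name]!r} is not one of {sorted(enums[name])}")

def validate_alert(alert: dict) -> list:
    """Return the list of data-model violations (empty when the alert conforms)."""
    errors: list = []
    _check_object(alert, ALERT_FIELDS, ALERT_ENUMS, "alert", errors)
    for name in TIMESTAMP_FIELDS:
        if isinstance(alert.get(name), str) and not _is_rfc3339(alert[name]):
            errors.append(f"alert.{name}: not an RFC 3339 timestamp")
    for name, (spec, enums) in NESTED.items():
        value = alert.get(name)
        items = value if isinstance(value, list) else [value] if isinstance(value, dict) else []
        for i, item in enumerate(items):
            if isinstance(item, dict):
                _check_object(item, spec, enums, f"alert.{name}[{i}]", errors)
    return errors

# Constructed sample alert (not real data) in the shape of the Alert table.
SAMPLE_ALERT = json.loads("""{
  "InternalID": "11111111-2222-3333-4444-555555555555", "ID": 4242,
  "TenantID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "CreatedAt": "2024-05-01T10:15:30Z", "UpdatedAt": "2024-05-01T10:16:00Z",
  "FirstEventTime": "2024-05-01T10:14:50Z", "LastEventTime": "2024-05-01T10:15:20Z",
  "Severity": "high", "IntegrationID": "plugin-constructed", "IntegrationCompatibilityVersion": "1.0",
  "Status": "new", "ExternalRef": "", "Name": "Suspicious process start",
  "Assignee": {"ID": "user-1", "Name": "analyst1"},
  "Observables": [{"Type": "md5", "Value": "0123456789abcdef0123456789abcdef"}],
  "Rules": [{"ID": "R-100", "Severity": "high", "Confidence": "medium", "Custom": false}],
  "Assets": [{"Type": "host", "ID": "host-7", "Name": "WS-07", "IsVictim": true}]
}""")

def broken_sample() -> dict:
    """Constructed variant of SAMPLE_ALERT with four violations of the data model."""
    bad = json.loads(json.dumps(SAMPLE_ALERT))
    bad["Status"] = "open"                     # not an allowed Status value
    del bad["Name"]                            # required field removed
    bad["Observables"][0]["Type"] = "sha1"     # not an allowed observable type
    bad["CreatedAt"] = "01/05/2024 10:15"      # not RFC 3339
    return bad
```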


Viewing the alert table

The alert table provides you with an overview of all alerts registered by Open Single Management Platform.

To view the alert table:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. If necessary, apply the tenant filter. By default, the tenant filter is disabled and the alert table displays the alerts related to all of the tenants to which you have access rights. To apply the tenant filter:
    1. Click the link next to the Tenant filter setting.

      The tenant filter opens.

    2. Select the check boxes next to the required tenants.

      The alert table displays only the alerts detected on the selected tenants.

The alert table is displayed.

The alert table has the following columns:

  • Alert ID. The unique identifier of an alert.
  • Registered. The date and time when the alert was added to the alert table.
  • Updated. The date and time of the last change from the alert history.
  • Status. The current status of the alert.
  • Analyst. The current assignee of the alert.
  • Tenant. The name of the tenant in which the alert was detected.
  • Technology. The technology that detected the alert.
  • Rules. The IOC or IOA rules that were triggered to detect the alert.
  • Affected assets. The devices and users that were affected by the alert.
  • Observables. Detection artifacts, for example IP addresses or MD5 hashes of files.
  • Incident link type. Way to add an alert to an incident.
  • Severity. Severity of the alert.
  • Status changed. The date and time of the last alert status change.

See also:

About alerts

Viewing alert details

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents

Unlinking alerts from incidents


Viewing alert details


Alert details are a page in the interface that contains all of the information related to the alert, including the alert properties.

To view alert details:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the alert table, click the ID of the required alert.

The alert details are displayed.

If necessary, you can refresh the information in the alert details by clicking the refresh icon next to the alert name.

The toolbar in the upper part of the alert details allows you to perform the following actions:

Alert details contain the following sections:

  • Summary

    The summary section contains the following alert properties:

    • Analyst. The analyst to whom the alert is assigned.
    • Tenant. The name of the tenant in which the alert was detected.
    • Assets. The number of user accounts and devices related to the alert.
    • Severity. Possible values: Low, Medium, High, or Critical. The alert severity shows the impact this alert may have on computer security or corporate LAN security based on Kaspersky experience.
    • Rules. The rules that were triggered to detect the alert. By clicking the ellipsis icon next to the rule name, you can open the shortcut menu. Use this menu to learn more details about the rule, find alerts or incidents that were detected by the same rule, or search the rule triggering events in Threat hunting for the period between the first and the last event of the alert.

      When you click Go to Threat hunting in the menu, the Threat hunting section opens in the same tab. If you want to open the Threat hunting section in a new browser tab, click and hold the Ctrl key, and then click Go to Threat hunting in the menu.

    • Registered. The date and time when the alert was added to the alert table.
    • First event. The date and time of the first event related to the alert.
    • Last event. The date and time of the most recent event related to the alert.
    • External reference. Link to an entity in an external system (for example, a link to a Jira ticket). You can click the Edit button at the top to specify the external reference.
    • Linked to. The incident to which the alert is linked.
    • Technology. The technology that detected the alert.
    • MITRE tactic. A tactic or several tactics detected in the alert. The tactics are defined in the MITRE ATT&CK knowledge base.
    • MITRE technique. A technique or several techniques detected in the alert. The techniques are defined in the MITRE ATT&CK knowledge base.
    • Additional data. Additional information on the alert. You can edit a value in this field only by using a playbook. The field is displayed if you added a value.
  • Details

    In the Details section, you can track the telemetry events related to the alert.

    The event table displays the search result that you define through an SQL query.

    The toolbar of the event table allows you to perform the following actions:

    • Download events. You can click this button to download information about related events as a CSV file (in UTF-8 encoding).
    • Find in Threat hunting. You can click this button to open the Threat hunting section. This section allows you to search through all of the events related to the tenants that you have access to, and not only the events related to the current alert. By default, the opened event table contains all of the events that occurred during the time period between the first and the last event of the alert. For example, you can run a search query to find all of the events in which the device was affected.

      In the Threat hunting section, you can link events to alerts manually. This might be helpful if you discover that some events relate to an alert, but they were not linked to the alert automatically. For details, refer to the instructions on linking or unlinking events to or from alerts.

      You can go back to the incident details by clicking Alert investigation or by clicking the back button in your browser.

    • Unlink from alert. You can select an event or several events in the table, and then click this button to unlink the selected events from the alert.
  • Assets

    In the Assets section, you can view the devices and users affected by or involved in the alert.

    The asset table contains the following columns:

    • Asset type

      Possible values: device or user.

    • Asset name
    • Asset ID
    • Has signs of

      Possible values: attacker or victim.

    • Authorization status

      This parameter applies only to the device asset type. A device authorization status is defined by KICS for Networks. You can change the authorization status by applying the corresponding response action to a device.

    • Administration Server

      The Administration Server that manages the device.

    • Administration Group

      The administration group to which the device belongs.

    • Categories

      Asset categories which include the asset.

    By clicking a user name or a device name, you can:

    • Search the user name or the device ID in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu, the Threat hunting section opens in the same tab. If you want to open the Threat hunting section in a new browser tab, click and hold the Ctrl key, and then click Go to Threat hunting in the menu.

    • Search the user name or the device ID in other alerts.
    • Search the user name or the device ID in other incidents.
    • Copy the user name or the device name to the clipboard.

    You can also click a device name to open the device properties.

    By clicking a user ID or a device ID, you can:

    • Search the user ID or the device ID in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu, the Threat hunting section opens in the same tab. If you want to open the Threat hunting section in a new browser tab, click and hold the Ctrl key, and then click Go to Threat hunting in the menu.

    • Search the user ID or the device ID in other alerts.
    • Search the user ID or the device ID in other incidents.
    • Copy the user ID or the device ID to the clipboard.

    You can also click a device ID to open the device properties.

  • Files

    In the Files section, you can upload, download or delete files related to the alert.

    You can upload files of any extension. Duplicate file names are allowed.

    Limitations:

    • The number of files cannot exceed 100 per alert.
    • Total file size cannot exceed 26.2 MB per alert.

    To upload files, click the Upload button and select one or multiple files. If you attempt to upload files exceeding the limitations, the Uploading files panel displaying a warning message will open. In this panel, you can remove files from the upload queue until the warning message disappears and click the Upload button to upload files. If you click the Upload button ignoring the warning message, upload will fail and the file list will include files that could not be uploaded with a warning icon next to the file names.

    Click a file to open the Edit file panel that displays file details. In this panel, you can edit file description.

    Use check boxes to select a file or multiple files. Select a file and click the Download button to download it. Select a file or multiple files and click the Delete button to delete the selected files.

    The Write permission in the Alerts and incidents functional area is required to upload and delete files and edit file descriptions. The Read permission in the Alerts and incidents functional area is required to download files.

  • Observables

    In the Observables section, you can view the observables related to the alert. The observables may include:

    • MD5 hash
    • IP address
    • URL
    • Domain name
    • SHA256
    • UserName
    • HostName

    By clicking a link in the Value column, you can:

    • Search the observable value in Threat hunting for the period between the first and the last event of the alert.

      If you select Go to Threat hunting in the menu, the Threat hunting section opens in the same tab. If you want to open the Threat hunting section in a new browser tab, click and hold the Ctrl key, and then click Go to Threat hunting in the menu.

    • Search the observable value in other alerts.
    • Search the observable value in other incidents.
    • Copy the observable value to the clipboard.

    The toolbar of this section contains the following buttons:

    • Request status from Kaspersky TIP. Use this button to obtain detailed information about the selected observable from Kaspersky Threat Intelligence Portal (Kaspersky TIP). As a result, the information is updated in the Status update column. Requires integration with Kaspersky Threat Intelligence Portal (Premium access).
    • Enrich data from Kaspersky TIP. Use this button to obtain detailed information about all of the listed observables from Kaspersky TIP. As a result, the information is updated in the Enrichment column. Use a link in the Enrichment column to open the obtained enrichment details about an observable. Requires integration with Kaspersky Threat Intelligence Portal (Premium access).
    • Move to quarantine. Use this button to move the device on which the file is located to quarantine. This button is only available for hash (MD5 or SHA256) observables.
    • Add prevention rule. Use this button to add a rule that prevents the file from running. This button is only available for hash (MD5 or SHA256) observables.
    • Delete prevention rule. Use this button to delete the rule that prevents the file from running. This button is only available for hash (MD5 or SHA256) observables.
    • Terminate process. Use this button to terminate processes associated with the file. This button is only available for hash (MD5 or SHA256) observables.
  • Similar closed alerts

    In the Similar closed alerts section you can view the list of closed alerts that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar closed alerts can help you investigate the current alert.

    By using the list, you can evaluate the degree of similarity of the current alert and other alerts. The similarity is calculated as follows:

    Similarity = M / T * 100

    Here, 'M' is the number of artifacts that match between the current alert and the similar alert, and 'T' is the total number of artifacts in the current alert.

    If the similarity is 100%, the current alert has nothing new in comparison with the similar alert. If the similarity is 0%, the current and the similar alert are completely different. Alerts that have a similarity of 0% are not included in the list.

    The calculated value is rounded off to the nearest whole number. If similarity is equal to a value between 0% and 1%, the application does not round such a value down to 0%. In this case, the value is displayed as less than 1%.

    Clicking an alert ID opens the alert details.

    Customizing the similar closed alerts list

    You can customize the table by using the following options:

    • Filter the alerts by selecting the period during which the alerts were updated. By default, the list contains the alerts that were updated during the last 30 days.
    • Click the Columns settings icon, and then select which columns to display and in which order.
    • Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously by the logical AND operator.
    • Click a column header, and then select the sorting options. You can sort the alerts in ascending or descending order.

  • Similar incidents

    In the Similar incidents section, you can view the list of incidents that have the same affected artifacts as the current alert. The affected artifacts include observables and affected devices. The similar incidents can help you decide if the current alert may be linked to an existing incident.

    By using the list, you can evaluate the degree of similarity of the current alert and the incidents. The similarity is calculated as follows:

    Similarity = M / T * 100

    Here, 'M' is the number of artifacts that match between the current alert and the similar incident, and 'T' is the total number of artifacts in the current alert.

    If the similarity is 100%, the current alert has nothing new in comparison with the similar incident. If the similarity is 0%, the current alert and the similar incident are completely different. Incidents that have similarity of 0% are not included in the list.

    The calculated value is rounded off to the nearest whole number. If the similarity is equal to a value between 0% and 1%, the application does not round such a value down to 0%. In this case, the value is displayed as less than 1%.

    Clicking an incident ID opens the incident details.

    Customizing the similar incidents list

    You can customize the table by using the following options:

    • Filter the incidents by selecting the period during which the incidents were updated. By default, the list contains the incidents that were updated during the last 30 days.
    • Click the Columns settings icon, and then select which columns to display and in which order.
    • Click the Filter icon, and then select and configure the filters that you want to apply. If you select several filters, they are applied simultaneously by the logical AND operator.
    • Click a column header, and then select the sorting options. You can sort the incidents in ascending or descending order.
  • Comments

    In the Comments section, you can leave comments related to the alert. For example, you can enter a comment about investigation results or when you change the alert properties, such as the alert assignee or status.

    You can edit or remove your own comments. The comments of other users cannot be modified or removed.

    To save your comment, press Enter. To start a new line, press Shift+Enter. To edit or delete your comment, use the buttons on the top right.

    The Write permission in the Alerts and incidents functional area is required to leave comments.

  • History

    In the Alert event log section, you can track the changes that were made to the alert as a work item:

    • Changing alert status
    • Changing alert assignee
    • Linking alert to an incident
    • Unlinking alert from an incident
    • Uploading a file to the alert
    • Deleting a file from the alert

    In the Response history section, you can review the log of manual and playbook response actions. The table contains the following columns:

    • Time. The time when the event occurred.
    • Launched by. Name of the user who launched the response action.
    • Events. Description of the event.
    • Response parameters. Response action parameters that are specified in the response action.
    • Asset. The number of assets for which the response action was launched. You can click the link with the number of assets to view the asset details.
    • Action status. Execution status of the response action. The following values can be shown in this column:
      • Awaiting approval—Response action awaiting approval for launch.
      • In progress—Response action is in progress.
      • Success—Response action is completed without errors or warnings.
      • Warning—Response action is completed with warnings.
      • Error—Response action is completed with errors.
      • Terminated—Response action is completed because the user interrupted the execution.
      • Approval time expired—Response action is completed because the approval time for the launch has expired.
      • Rejected—Response action is completed because the user rejected the launch.
    • Playbook. Name of the playbook in which the response action was launched. You can click the link to view the playbook details.
    • Response action. Name of the response action that was performed.
    • Asset type. Type of asset for which the response action was launched. Possible values: Device or User.
    • Asset tenant. The tenant that is the owner of the asset for which the response action was launched.
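The similarity score used by the Similar closed alerts and Similar incidents sections, worked through as an added example (not product code). Artifacts are taken as observables plus affected devices, as the text above describes; rounding to the nearest whole number is done half-up, which is an assumption; the alerts and their observable values are constructed.

```python
def artifacts(item: dict) -> set:
    """Artifact set of an alert or incident: its observables plus its affected devices."""
    arts = {("observable", o["Type"], o["Value"]) for o in item.get("Observables", [])}
    arts |= {("device", a["ID"]) for a in item.get("Assets", []) if a.get("Type") == "host"}
    return arts

def similarity(current: dict, other: dict) -> float:
    """Similarity = M / T * 100, with T the artifacts of the current alert and M those matched."""
    current_arts = artifacts(current)
    if not current_arts:
        return 0.0
    matched = len(current_arts & artifacts(other))
    return matched / len(current_arts) * 100

def display(value: float) -> str:
    """Round to a whole percent, but never collapse a value between 0% and 1% to 0%."""
    if 0 < value < 1:
        return "<1%"
    return f"{int(value + 0.5)}%"

def similar_items(current: dict, candidates: list, closed_only: bool = False) -> list:
    """(ID, displayed similarity) per candidate, most similar first; 0% entries are dropped."""
    rows = []
    for cand in candidates:
        if closed_only and cand.get("Status") != "closed":
            continue
        value = similarity(current, cand)
        if value > 0:
            rows.append((cand["ID"], value))
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(cid, display(v)) for cid, v in rows]

# Constructed sample data. The current alert has 4 artifacts: 3 observables and 1 device
# (the user asset is not an artifact in the sense of the section).
CURRENT = {"ID": 1, "Observables": [{"Type": "ip", "Value": "192.0.2.10"},
                                    {"Type": "domain", "Value": "example.test"},
                                    {"Type": "md5", "Value": "0123456789abcdef0123456789abcdef"}],
           "Assets": [{"Type": "host", "ID": "host-7"}, {"Type": "user", "ID": "user-3"}]}
CANDIDATES = [
    {"ID": 2, "Status": "closed", "Observables": [{"Type": "ip", "Value": "192.0.2.10"}],
     "Assets": [{"Type": "host", "ID": "host-7"}]},                      # M = 2 -> 50%
    {"ID": 3, "Status": "closed", "Observables": [{"Type": "domain", "Value": "example.test"}]},  # 25%
    {"ID": 4, "Status": "inProgress", "Observables": CURRENT["Observables"],
     "Assets": [{"Type": "host", "ID": "host-7"}]},                      # 100%, but not closed
    {"ID": 5, "Status": "closed", "Observables": [{"Type": "url", "Value": "http://example.test/x"}]},  # 0%
]

def sub_one_percent_case() -> str:
    """An alert with 120 artifacts sharing one with another: 0.83%, shown as '<1%'."""
    wide = {"ID": 9, "Observables": [{"Type": "ip", "Value": f"10.0.0.{i}"} for i in range(1, 121)]}
    one = {"ID": 10, "Observables": [{"Type": "ip", "Value": "10.0.0.1"}]}
    return display(similarity(wide, one))
```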

See also:

About alerts

Assigning alerts to analysts

Changing an alert status

Linking alerts to incidents


Assigning alerts to analysts

As a work item, an alert can be assigned to an SOC analyst for inspection and possible investigation. You can change the assignee of an active alert at any time. You cannot change an assignee of a closed alert.

Alerts can be assigned only to analysts who have the access right to read and modify alerts and incidents.

To assign one or several alerts to an analyst:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. Select the check boxes next to the alerts that you want to assign to an analyst.

    You must select only the alerts detected in the same tenant. Otherwise, the Assign to button will be disabled.

    Alternatively, you can assign an alert to an analyst from the alert details. To open the alert details, click the link with the alert ID you need.

  3. Click the Assign to button.
  4. In the Assign to analyst window that opens, start typing the analyst's name or email address, and then select the analyst from the list.

    You can also select the Not assigned option for all alerts, except alerts with the Closed status.

  5. Click the Assign button.

The alerts are assigned to the analyst.

You also can assign an alert to an analyst by using playbooks.

See also:

About alerts

Viewing the alert table

Changing an alert status


Changing an alert status


As a work item, an alert has a status that shows the current state of the alert in its life cycle.

You can change alert statuses for your own alerts or the alerts of other analysts only if you have the access right to read and modify alerts and incidents.

If the alert status is changed manually, playbooks will not launch automatically. You can launch a playbook for such an alert manually.

An alert can have one of the following statuses:

  • New

    When Open Single Management Platform registers a new alert, the alert has the New status. You can change the status to In progress or Closed. When you change the New status to Closed, and the alert has no assignee, the alert is automatically assigned to you.

  • In progress

    This status means that an analyst started working on the alert. You can change the In progress status to New or Closed.

  • Closed

    True positive alerts are to be linked to incidents and investigated within the incidents. When you close an incident, the linked alerts also gain the Closed status. You close an unlinked alert only as a false positive or a low-priority alert. When you close an alert, you must select a resolution.

    The Closed status can only be changed to the New status. If you want to return a closed alert to active, change its status as follows: Closed → New → In progress.

    When you close an alert linked to an incident, the alert is automatically unlinked from the incident. If the alert that you are going to close has no assignee, the alert is automatically assigned to the analyst who closes the alert.

  • In incident

    Alerts gain this status when they are linked to an incident. You cannot set this status manually. You can only set the Closed status to a linked alert. To set the New or In progress status, you first must unlink the alert from the incident.

To change the status of one or several alerts:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. Do one of the following:
    • Select the check boxes next to the alerts whose status you want to change.
    • Click the link with the ID of the alert whose status you want to change.

      The Alert details window opens.

  3. Click the Change status button.
  4. In the Change status pane, select the status to set.

    If you select the Closed status, you must select a resolution.

    If you change the alert status to Closed and this alert contains uncompleted playbooks or response actions, all related playbooks and response actions will be terminated.

  5. Click the Save button.

The status of the selected alerts is changed.

If an alert is added to the investigation graph, you can also change the alert status through the graph.

You also can change the alert status by using playbooks.

See also:

About alerts

Viewing the alert table

Assigning alerts to analysts

[Topic 221565]

Creating alerts manually

You can create an alert manually from a set of events. You can use this functionality to examine a hypothetical incident that has not been detected automatically.

If the alert is created manually, playbooks will not launch automatically. You can launch a playbook for such an alert manually.

To create an alert manually:

  1. In the main menu, go to Monitoring & reporting → Threat hunting.
  2. Select the events for which you want to create an alert. The events should belong to the same tenant.
  3. Click the Create alert button.

    A window shows up that displays the created alert. The Severity field value corresponds to the maximum severity among the selected events.

Manually created alerts have a blank Rules value in the Monitoring & reporting → Alerts table.

[Topic 262431]

Linking alerts to incidents

You can link one or multiple alerts to an incident for the following reasons:

  • Multiple alerts may be interpreted as indicators of the same issue in an organization's IT infrastructure. If this is the case, the alerts in the incident can be investigated as a single issue. You can link up to 200 alerts to an incident.
  • A single alert may be linked to an incident if the alert is defined as true positive.

You can link an alert to an incident if the alert has any status other than Closed. When linked to an incident, an alert loses its current status and gains the special status In incident. If you link alerts that are currently linked to other incidents, the alerts are unlinked from the current incidents, because an alert can be linked to only one incident.

Alerts can only be linked to an incident that belongs to the same tenant.

Alerts can be linked to an incident manually or automatically.

Linking alerts manually

To link alerts to an existing or new incident:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. Select the check boxes next to the alerts that you want to link to an incident.
  3. If you want to link alerts to an existing incident:
    1. Click the Link to incident button.
    2. Select an incident to link the alerts to.

    Alternatively, click an alert to display its details and click the Link to incident button in the toolbar at the top.

  4. If you want to link alerts to a new incident:
    1. Click the Create incident button.
    2. Fill in the properties of the new incident: name, assignee, priority, and description.

    Alternatively, click an alert to display its details and click the Create incident button in the toolbar at the top.

  5. Click the Save button.

The selected alerts are linked to an existing or new incident.

Linking alerts automatically

If you want alerts to automatically link to an incident, you have to configure segmentation rules.

See also:

About alerts

Viewing the alert table

Unlinking alerts from incidents

About incidents

[Topic 221566]

Unlinking alerts from incidents

You might need to unlink an alert from an incident, for example, if the alert analysis and investigation showed that the alert is not connected to other alerts in the incident. When you unlink an alert from an incident, Open Single Management Platform performs the following actions:

  • Refreshes all of the data related to the incident, to reflect that the alert no longer belongs to the incident. For example, you can view the changes in the incident details.
  • Resets the status of the unlinked alerts to New.

To unlink an alert from an incident:

  1. Open the alert details.
  2. Click the Unlink from incident button in the toolbar at the top.

    The Unlink alerts window opens.

  3. If you want to change the assignee, select Assign the alerts to, and then specify the new assignee.
  4. If you want to add a comment, specify it in the Comment section. The comment you specify will be displayed in the Details column in the History section.

The selected alerts are unlinked from the incident.
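The status rules from Changing an alert status and the linking and unlinking rules above, written out as a small Python model. This is an added example, not Kaspersky code: the Alert and Incident classes, the function names and the in-memory incidents dictionary are assumptions made for illustration, while the status names, the allowed transitions, the resolution values (truePositive, falsePositive, lowPriority), the same-tenant rule and the 200-alert limit are taken from this section.

```python
"""Model of the alert life cycle described in this section (added illustration,
not Kaspersky code). Rules encoded here, all from the page: New -> In progress
or Closed; In progress -> New or Closed; Closed -> New only; In incident is set
only by linking; closing needs a resolution; closing a linked alert unlinks it;
closing an unassigned alert assigns it to the closer; unlinking resets the
status to New; an incident takes alerts of its own tenant only, at most 200."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

NEW, IN_PROGRESS, CLOSED, IN_INCIDENT = "New", "In progress", "Closed", "In incident"
RESOLUTIONS = {"truePositive", "falsePositive", "lowPriority"}
MAX_ALERTS_PER_INCIDENT = 200
# Manual transitions allowed by the page; In incident is never set by hand.
MANUAL_TRANSITIONS = {
    NEW: {IN_PROGRESS, CLOSED},
    IN_PROGRESS: {NEW, CLOSED},
    CLOSED: {NEW},
    IN_INCIDENT: {CLOSED},
}


@dataclass
class Alert:
    alert_id: str
    tenant: str
    status: str = NEW
    assignee: Optional[str] = None
    resolution: Optional[str] = None
    incident_id: Optional[str] = None


@dataclass
class Incident:
    incident_id: str
    tenant: str
    alert_ids: List[str] = field(default_factory=list)


def change_status(alert: Alert, new_status: str, actor: str,
                  incidents: Dict[str, Incident],
                  resolution: Optional[str] = None) -> Alert:
    """Apply a manual status change by `actor`, enforcing the page's rules."""
    if new_status not in MANUAL_TRANSITIONS[alert.status]:
        raise ValueError(f"{alert.status} -> {new_status} is not allowed")
    if new_status == CLOSED:
        if resolution not in RESOLUTIONS:
            raise ValueError("closing an alert requires a resolution")
        if alert.assignee is None:          # unassigned alert goes to the closer
            alert.assignee = actor
        if alert.incident_id is not None:   # closing a linked alert unlinks it
            incidents[alert.incident_id].alert_ids.remove(alert.alert_id)
            alert.incident_id = None
        alert.resolution = resolution
    else:
        alert.resolution = None
    alert.status = new_status
    return alert


def link_to_incident(alerts: List[Alert], incident: Incident,
                     incidents: Dict[str, Incident]) -> None:
    """Link alerts: they gain In incident and leave any previous incident."""
    for a in alerts:
        if a.status == CLOSED:
            raise ValueError(f"{a.alert_id} is closed and cannot be linked")
        if a.tenant != incident.tenant:
            raise ValueError("alerts and incident must belong to the same tenant")
    if len(incident.alert_ids) + len(alerts) > MAX_ALERTS_PER_INCIDENT:
        raise ValueError("an incident holds at most 200 alerts")
    for a in alerts:
        if a.incident_id not in (None, incident.incident_id):
            incidents[a.incident_id].alert_ids.remove(a.alert_id)
        a.incident_id = incident.incident_id
        a.status = IN_INCIDENT
        if a.alert_id not in incident.alert_ids:
            incident.alert_ids.append(a.alert_id)


def unlink_from_incident(alert: Alert, incidents: Dict[str, Incident],
                         new_assignee: Optional[str] = None) -> Alert:
    """Unlink: the incident's alert list is refreshed and the status resets to New."""
    incidents[alert.incident_id].alert_ids.remove(alert.alert_id)
    alert.incident_id = None
    alert.status = NEW
    if new_assignee is not None:            # optional "Assign the alerts to"
        alert.assignee = new_assignee
    return alert
```

The model is useful as a reference when writing playbooks or scripts against the alert workflow: any step that tries to move a linked alert straight to In progress, or to close one without a resolution, fails here the same way the console refuses it.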

See also:

About alerts

Changing an alert status

Linking alerts to incidents

About incidents

[Topic 221568]

Linking events to alerts

If during the investigation you found an event that is related to the alert being investigated, you can link this event to the alert manually.

You can link an event to an alert that has any status other than Closed.

To link an event to an alert:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the list of alerts, click the link with the ID of the alert to which you want to link the event.

    The Alert details window opens.

  3. Go to the Details section, and then click the Find in Threat hunting button.

    The Threat hunting section opens. By default, the event table contains events related to the selected alert.

    The event table contains only events related to tenants that you have access to.

  4. In the upper part of the window, open the first drop-down list, and then select Storage.
  5. Open the third drop-down list, and then specify the time range.

    You can select predefined ranges relative to the current date and time, specify a custom range by using the Range start and Range end fields, or by selecting dates in the calendar.

  6. Click the Run query button.
  7. In the updated list of events, select an event that you want to link to the alert, and then click Link to alert.

The selected events are linked to the alert.

[Topic 270448]

Unlinking events from alerts

You might need to unlink an event from an alert, for example, if the alert analysis and investigation showed that the event is not connected to the alert.

To unlink an event from an alert:

  1. In the main menu, go to Monitoring & reporting → Alerts.
  2. In the list of alerts, click the link with the ID of the alert from which you want to unlink the event.

    The Alert details window opens.

  3. In the Details section, select the events that you want to unlink, and then click the Unlink from alert button.

The selected events are unlinked from the alert.

[Topic 270564]

Editing alerts by using playbooks


Kaspersky Next XDR Expert allows you to edit alerts manually or by using playbooks. When creating a playbook, you can configure the playbook algorithm to edit the alert properties.

To edit an alert by using a playbook, you must have one of the following XDR roles: Main administrator, SOC administrator, Tier 1 analyst, Tier 2 analyst, or Tenant administrator.

You cannot edit alerts that have the Closed status.

You can edit the following alert properties by using a playbook:

  • Assignee
  • Alert status
  • Comment
  • ExternalReference attribute
  • Additional data attribute

Examples of the expressions that you can use in the playbook algorithm to edit the alert properties:

  • Assigning an alert to a user
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "assignAlert", "params": { "assignee": { "id": "user_ID" } } } } } ] }

    When you edit an assignee in the playbook algorithm, suggestions are displayed. For convenience, the suggestions contain a search string where you can search by name. If you want to specify an alert assignee, you can search for the corresponding record by the user's name, and the ID will be inserted into the algorithm.

  • Unassigning an alert from a user
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "assignAlert", "params": { "assignee": { "id": "nobody" } } } } } ] }
  • Changing the alert status

    To change the alert status to In progress:

    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setAlertStatus", "params": { "status": "inProgress" } } } } ] }

    To change the alert status to Closed:

    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setAlertStatus", "params": { "status": "closed", "statusResolution": "truePositive" } } } } ] }

    You can also specify the following values for the statusResolution parameter: falsePositive and lowPriority.

    When you edit an alert status in the playbook algorithm, the following suggestions can be displayed: new, inProgress, closed.

  • Adding a comment to an alert
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "addCommentToAlert", "params": { "text": "${ \"New comment for alert with ID: \" + alert.InternalID }" } } } } ] }
  • Editing the ExternalReference attribute
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "setAlertExternalRef", "params": { "externalRef": "${ \"Appended externalRef for alert with ID: \" + alert.InternalID }", "mode": "append" } } } } ] }

    To replace the current value of the ExternalReference attribute in the alert with the value from the playbook, specify the replace value for the mode parameter.

  • Editing the Additional data attribute
    { "dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1", "executionFlow": [ { "action": { "function": { "type": "addAlertAdditionalData", "params": { "data": "${ {\"customKey_1 (alert.InternalID)\": (\"customValue_1 (\" + alert.InternalID + \")\" )} }", "mode": "append" } } } } ] }

    To replace the current value of the AdditionalData attribute in the alert with the value from the playbook, specify the replace value for the mode parameter.
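A small generator for the alert-editing snippets listed above, added here as an example and not part of Kaspersky's code or API. It reproduces the JSON shape shown on this page and refuses parameter values the page does not list (statuses other than new, inProgress, closed; a closed status without a statusResolution; a mode other than append or replace), so a malformed algorithm is caught before it is pasted into a playbook. The header fields, function types and parameter names are copied from the snippets above; the function names in Python and the validation rules are assumptions drawn from the page's text.

```python
"""Builder/validator for the playbook algorithm snippets shown above
(added illustration, not Kaspersky code). The JSON layout and the accepted
values are taken from the page; everything else is an assumption."""
import json
from typing import Optional

HEADER = {"dslSpecVersion": "1.1.0", "version": "1", "actionsSpecVersion": "1"}
STATUSES = {"new", "inProgress", "closed"}                 # setAlertStatus values
RESOLUTIONS = {"truePositive", "falsePositive", "lowPriority"}
MODES = {"append", "replace"}                              # mode for ref/data edits


def _wrap(function_type: str, params: dict) -> dict:
    """One-action executionFlow in the shape used by every snippet above."""
    return {**HEADER, "executionFlow": [
        {"action": {"function": {"type": function_type, "params": params}}}]}


def assign_alert(user_id: str) -> dict:
    # The page uses the special id "nobody" to unassign an alert.
    return _wrap("assignAlert", {"assignee": {"id": user_id}})


def set_alert_status(status: str, resolution: Optional[str] = None) -> dict:
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}; expected one of {sorted(STATUSES)}")
    params = {"status": status}
    if status == "closed":
        if resolution not in RESOLUTIONS:
            raise ValueError("closed status requires a statusResolution")
        params["statusResolution"] = resolution
    elif resolution is not None:
        raise ValueError("statusResolution only applies to the closed status")
    return _wrap("setAlertStatus", params)


def add_comment_to_alert(text_expr: str) -> dict:
    # text_expr may be a ${ ... } expression such as the one on the page.
    return _wrap("addCommentToAlert", {"text": text_expr})


def set_alert_external_ref(ref_expr: str, mode: str = "append") -> dict:
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    return _wrap("setAlertExternalRef", {"externalRef": ref_expr, "mode": mode})


def add_alert_additional_data(data_expr: str, mode: str = "append") -> dict:
    if mode not in MODES:
        raise ValueError(f"mode must be one of {sorted(MODES)}")
    return _wrap("addAlertAdditionalData", {"data": data_expr, "mode": mode})


def to_json(algorithm: dict) -> str:
    """Serialize for pasting into the playbook algorithm editor."""
    return json.dumps(algorithm, indent=2)


if __name__ == "__main__":
    print(to_json(set_alert_status("closed", "truePositive")))
    print(to_json(add_comment_to_alert(
        '${ "New comment for alert with ID: " + alert.InternalID }')))
```

Because the builder returns plain dictionaries, the output can be compared directly with `json.loads()` of a snippet copied from the console, which is a quick way to confirm that a hand-edited algorithm still has the expected structure.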

[Topic 295288]

Working with alerts on the investigation graph

On the investigation graph, you can perform the following actions with alerts:

Adding alerts to the investigation graph

You can add an alert to the investigation graph in one of the following ways:

  • From the general table of alerts that opens when you click the Add alert button on the investigation graph. You have to select the check boxes next to the alerts that you want to be displayed on the investigation graph, and then click the Show on graph button.
  • From the table of similar alerts.

To add an alert to the investigation graph from the table of similar alerts:

  1. Do one of the following:
    • If on the investigation graph you have an asset, observable, or segmentation rule, click its node, and then in the context menu, click Find similar alerts.
    • If on the investigation graph you have an event, click its node, and then in the context menu, click View details. In the window that opens, click the Show on graph button.
    • If on the investigation graph you have an alert, click its node, and in the context menu, click Events. In the table of events, click the event whose details you want to open. If the event details contain an observable, asset, or segmentation rule, click the link in the corresponding field, and then in the context menu, click Find similar alerts.
    • On the investigation graph, click the Threat hunting button, and then in the general table of events, click the event whose details you want to open. If the event details contain an observable, asset, or segmentation rule, click the link in the corresponding field, and then in the context menu, click Find similar alerts.

    The table of similar alerts is displayed.

  2. Select the check boxes next to the alerts that you want to be displayed on the investigation graph, and then click the Show on graph button.

The selected alerts are added to the investigation graph.

Hiding alerts from the investigation graph

You can hide an alert from the investigation graph through the table of alerts.

To hide an alert from the graph through the table of alerts:

  1. Do one of the following:
    • In the toolbar at the top of the investigation graph, click the Add alert button.
    • If you have observable, asset, or event nodes displayed on the graph, click the node for which you want to add an alert, and then in the context menu, select Find similar alerts.

    The table of alerts is displayed.

  2. Select the check boxes next to the alerts that you want to hide from the investigation graph, and then click the Show on graph button.

The selected alerts and their links will be hidden from the investigation graph. The related nodes remain on the investigation graph.

Changing an alert status

To change an alert status:

  1. Click the alert node, and in the context menu, select Change status.
  2. In the Change status pane that opens, select the status, and then click Save.

    If you select the Closed status, you must select a resolution.

The status of the selected alerts is changed.

Viewing the events related to an alert

To view events related to an alert, do one of the following:

  • Click the digit next to the alert node for which you want to display the events. The digit shows the number of events related to the alert.
  • Click the alert node for which you want to display the events, and then in the context menu, click Events.

If you want to add the events from the table to the investigation graph, select the check boxes next to the events, and then click the Show on graph button.

If you want to hide the events from the investigation graph, select the check boxes next to the events, and then click the Hide on graph button.

Viewing assets related to an alert

To view assets related to an alert, click the alert node.

In the context menu, the digits next to the Devices and Users items show the number of devices and users related to the alert.

If you want to add devices or users to the investigation graph, click the corresponding menu item.

Viewing observables related to an alert

To view observables related to an alert, click the alert node, and in the context menu, click Events.

In the menu that opens, the digits next to the items show the number of observables related to the alert.

If you want to add an observable (for example, Hash, Domain, IP address) to the investigation graph, click the corresponding menu item.

[Topic 292792]

Aggregation rules

You can use aggregation rules to combine correlation events into alerts. We recommend that you use segmentation rules together with aggregation rules to define more precise rules for creating incidents.

The default Kaspersky Next XDR Expert behavior is to combine events that have the same rule identifier with the following limitations:

  • By time, within 30 seconds
  • By the number of events, 100
  • By the number of assets, 100
  • By the number of observables, 200
  • By total size of events, 4 MB

You can use the REST API to customize aggregation rules.

Aggregation rules. Example

The tables below illustrate how to aggregate the events generated during penetration testing from predetermined IP addresses and user accounts into alerts.

Rule 1. Penetration testing by IP

  Priority: 0
    Highest priority.

  Trigger: any(.Observables[]? | select(.Type == "ip") | .Value; . == "10.10.10.10" or . == "10.20.20.20")
    Triggers if an alert includes an IP observable with any of the following values: 10.10.10.10, 10.20.20.20.

  Aggregation ID: "Pentest"
    Specifies the identifier by which to combine events in an alert.

  Alert Name: "[Pentest] " + ([.Rules[]?.Name] | join(","))
    Adds the "[Pentest]" tag and the rule name to the alert name. The rule name is taken from the first aggregated alert; subsequent alerts do not affect the resulting alert name even if they were created by a different rule.

  Aggregation Interval: 30 seconds

Rule 2. Penetration testing by user account

  Priority: 1

  Trigger: any(.Observables[]? | select(.Type | ascii_downcase == "username") | .Value; . == "Pentester-1" or . == "Pentester-2")
    Triggers if an alert includes a username observable with any of the following values: Pentester-1, Pentester-2.

  Aggregation ID: "Pentest"
    Specifies the identifier by which to combine events in an alert.

  Alert Name: "[Pentest] " + ([.Rules[]?.Name] | join(","))
    Adds the "[Pentest]" tag and the rule name to the alert name. The rule name is taken from the first aggregated event; subsequently aggregated events do not affect the resulting alert name.

  Aggregation Interval: 30 seconds

Rule 3. Aggregation rule

  Priority: 2

  Trigger: .Rules | length > 0
    Triggers if the rule list is not empty.

  Aggregation ID: ([.Rules[].ID // empty] | sort | join(";"))
    Combines rule identifiers.

  Alert Name: ([.Rules[]?.Name // empty] | sort | join(",")) + " " + (.SourceCreatedAt)
    Combines rule names and adds the alert creation date.

  Aggregation Interval: 30 seconds

Aggregation and segmentation rules. Example

The tables below illustrate how to combine alerts that have the same rule ID into two incidents, based on the user name prefix.

Aggregation rule

  Trigger: any(.Rules[]?; .ID == "123")
    Searches alerts with the rule ID set to "123".

  Aggregation ID: if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "rule123_DestinationUserName_adm" else "rule123_DestinationUserName_not_adm" end
    Searches for user names with the "adm_" prefix.

  Alert Name: if any(.OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty; startswith("adm_")) then "Rule123 admin" else "Rule123 not admin" end
    Sets the alert name depending on the user name prefix.

Segmentation rule

  Trigger: .AggregationID | startswith("rule123_DestinationUserName")

  Groups: [.AggregationID]

  Incident Name: .Name
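A Python rendering of both examples above, the three penetration-testing aggregation rules and the rule 123 aggregation plus segmentation pair, run over a few constructed correlation events. This is an added illustration, not Kaspersky code: the product evaluates the jq expressions itself, and the Rule class, the aggregate and segment functions and the sample events are assumptions. The jq expressions are translated one to one; the remaining assumptions are that the matching rule with the lowest Priority number wins, that an event opens a new alert when the Aggregation Interval or the default event limit from the list above is exceeded, and that the Alert Name comes from the first aggregated event, as the table descriptions say. Only the time and event-count limits are modeled, not the asset, observable and size limits.

```python
"""Python rendering of the jq aggregation and segmentation rules from the
tables above (added illustration, not Kaspersky code). Sample correlation
events are constructed; assumptions are listed in the lead-in."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Rule:
    priority: int                          # 0 is the highest priority
    trigger: Callable[[dict], bool]        # jq Trigger
    aggregation_id: Callable[[dict], str]  # jq Aggregation ID
    alert_name: Callable[[dict], str]      # jq Alert Name
    interval: int = 30                     # Aggregation Interval, seconds


def observables(ev: dict, typ: str, fold_case: bool = False) -> List[str]:
    # jq: .Observables[]? | select(.Type == typ) | .Value
    # Rule 2 compares (.Type | ascii_downcase), hence fold_case.
    return [o["Value"] for o in ev.get("Observables", [])
            if (o["Type"].lower() if fold_case else o["Type"]) == typ]


def rule_names(ev: dict) -> List[str]:
    return [r["Name"] for r in ev.get("Rules", []) if "Name" in r]


def dest_users(ev: dict) -> List[str]:
    # jq: .OriginalEvents[]?.BaseEvents[]?.DestinationUserName // empty
    return [b["DestinationUserName"] for o in ev.get("OriginalEvents", [])
            for b in o.get("BaseEvents", []) if b.get("DestinationUserName")]


PENTEST_IPS = {"10.10.10.10", "10.20.20.20"}
PENTEST_USERS = {"Pentester-1", "Pentester-2"}
PENTEST_RULES = [
    Rule(0, lambda e: any(v in PENTEST_IPS for v in observables(e, "ip")),
         lambda e: "Pentest", lambda e: "[Pentest] " + ",".join(rule_names(e))),
    Rule(1, lambda e: any(v in PENTEST_USERS for v in observables(e, "username", True)),
         lambda e: "Pentest", lambda e: "[Pentest] " + ",".join(rule_names(e))),
    Rule(2, lambda e: len(e.get("Rules", [])) > 0,
         lambda e: ";".join(sorted(r["ID"] for r in e["Rules"] if "ID" in r)),
         lambda e: ",".join(sorted(rule_names(e))) + " " + e["SourceCreatedAt"]),
]


def is_admin(ev: dict) -> bool:
    return any(u.startswith("adm_") for u in dest_users(ev))


RULE123 = [Rule(0, lambda e: any(r.get("ID") == "123" for r in e.get("Rules", [])),
                lambda e: "rule123_DestinationUserName_" + ("adm" if is_admin(e) else "not_adm"),
                lambda e: "Rule123 admin" if is_admin(e) else "Rule123 not admin")]


def aggregate(events: List[dict], rules: List[Rule], max_events: int = 100) -> List[dict]:
    """Fold time-ordered correlation events into alerts keyed by AggregationID."""
    open_alerts: Dict[str, dict] = {}
    alerts: List[dict] = []
    for ev in events:
        matches = [r for r in rules if r.trigger(ev)]
        if not matches:
            continue                       # matches no rule: no alert
        rule = min(matches, key=lambda r: r.priority)
        agg_id = rule.aggregation_id(ev)
        cur = open_alerts.get(agg_id)
        if (cur is None or ev["ts"] - cur["first_ts"] > rule.interval
                or len(cur["events"]) >= max_events):
            cur = {"AggregationID": agg_id, "Name": rule.alert_name(ev),
                   "first_ts": ev["ts"], "events": []}
            open_alerts[agg_id] = cur
            alerts.append(cur)
        cur["events"].append(ev)           # later events never rename the alert
    return alerts


def segment(alerts: List[dict], trigger, groups, incident_name) -> List[dict]:
    """Segmentation rule: group triggered alerts into incidents by the Groups key."""
    incidents: Dict[tuple, dict] = {}
    for a in alerts:
        if trigger(a):
            inc = incidents.setdefault(tuple(groups(a)),
                                       {"Name": incident_name(a), "alerts": []})
            inc["alerts"].append(a)
    return list(incidents.values())


# Constructed sample correlation events; ts is seconds after the first event.
def _ev(ts, rule_id, rule_name, obs_type, obs_value, user):
    return {"ts": ts, "Rules": [{"ID": rule_id, "Name": rule_name}],
            "Observables": [{"Type": obs_type, "Value": obs_value}],
            "SourceCreatedAt": "2024-01-01T10:00:00Z",
            "OriginalEvents": [{"BaseEvents": [{"DestinationUserName": user}]}]}


SAMPLE_EVENTS = [
    _ev(0, "123", "Bruteforce", "ip", "10.10.10.10", "adm_jdoe"),
    _ev(5, "456", "LateralMove", "UserName", "Pentester-2", "jdoe"),
    _ev(8, "123", "Bruteforce", "ip", "192.0.2.5", "adm_root"),
    _ev(50, "123", "Bruteforce", "ip", "10.20.20.20", "jdoe"),   # outside the 30 s window
]


def run_examples():
    pentest_alerts = aggregate(SAMPLE_EVENTS, PENTEST_RULES)
    rule123_alerts = aggregate(SAMPLE_EVENTS, RULE123)
    incidents = segment(rule123_alerts,
                        lambda a: a["AggregationID"].startswith("rule123_DestinationUserName"),
                        lambda a: [a["AggregationID"]], lambda a: a["Name"])
    return pentest_alerts, incidents
```

Two things the run makes visible that the tables only imply: the second sample event is matched by Rule 2 rather than Rule 3 because of its lower priority number, and it lands in the alert opened by the first event because both rules share the "Pentest" aggregation ID, so the alert keeps the name "[Pentest] Bruteforce" even though the later event came from a different rule. The fourth event arrives after the 30-second interval and opens a new alert.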

[Topic 295755]