In KUMA, you can configure alert segmentation rules, that is, the rules for dividing similar correlation events into different alerts.
By default, if a correlation rule is triggered several times in the correlator, all correlation events created as a result of the rule triggering are attached to the same alert. Alert segmentation rules allow you to define the conditions under which different alerts are created based on the correlation events of the same type. This can be useful, for example, to divide the stream of correlation events by the number of events or to combine several events having an important distinguishing feature into a separate alert.
Alert segmentation is configured in two stages: