Alert window
In this window you can take a closer look at a specific alert and all the data related to it.
To see alert details,
In the Alerts section of the KUMA web interface, click the alert whose information you want to view.
The alert window opens with the alert name displayed in the top left corner of the window.
The upper part of the alert details window contains a toolbar and shows the alert priority and the name of the user to whom the alert is assigned. Here you can process the alert: change its priority, assign it to a user, close it, or create an incident from it.
The Details on alert section of the alert window contains the following data:
- Correlation rule priority—the priority of the correlation rule that triggered the creation of this alert.
- Max asset category priority—the highest priority among the asset categories assigned to the assets related to this alert. If multiple assets are related to the alert, the largest value is displayed.
- Linked to incident—if the alert is linked to an incident, its name and status are displayed here.
- First seen—the date and time when the first correlation event of the event sequence was created, triggering creation of the alert.
- Last seen—the date and time when the last correlation event of the event sequence was created, triggering creation of the alert.
- Alert ID—the unique identifier of an alert in KUMA.
- Tenant—the name of the tenant that owns the alert.
- Correlation rule—the name of the correlation rule that triggered the creation of this alert. The rule name is represented as a link that can be used to open the settings of this correlation rule.
- Overflowed—this tag means that the alert size has reached or will soon reach the limit and that the alert should be processed as soon as possible. Events are no longer added to an overflowed alert, but you can get a selection of the events that would have been related to the alert if there were no alert size limit by clicking the All possible related events link.
The Related events section of the alert window contains the table of events related to the alert. If you click the icon next to the correlation rule, the base events of that correlation rule are displayed. Events can be sorted by priority and time.
When an event is selected, the details area opens in the right part of the web interface window. This area contains information about the selected event. If a correlation event is selected, this area also contains the Detailed view button that opens the correlation event window.
The Find in events links below correlation events and the Find in events button to the right of the section header are used for drilldown analysis.
The Related endpoints section of the alert window contains the table of hosts related to the alert. This information comes from the events that are related to the alert. You can search for endpoints by using the Search for IP addresses or FQDN field. Endpoints can be sorted by the Count and Endpoint columns.
If assets are related to the alert, they are displayed in this section. Clicking the name of the asset opens the Asset details window.
The Related users section of the alert window contains the table of users related to the alert. This information comes from the events that are related to the alert. You can search for users by using the Search for users field. Users can be sorted by the Count, User, User principal name, and Email address columns.
The Change log section of the alert window contains entries about changes made to the alert by users. Changes are automatically logged, but it is also possible to add comments manually. Comments can be sorted by using the Time column.
To add a comment to an alert,
In the alert window, enter the comment in the Comment field and click Add.