Drilldown analysis

Drilldown analysis is used when you need to find out more about the threat an alert is warning you about: whether the threat is real, where it is coming from, which elements of the network environment are affected by it, and how the threat should be dealt with. Studying the events related to the correlation events that triggered an alert can help you determine the course of action.

Drilldown mode is enabled in KUMA when you click the Find in events link in the alert window or the correlation event window. When drilldown mode is enabled, the events table is shown with filters automatically set to match the events from the alert or correlation event. The filters also match the time period of the alert's duration or the time when the correlation event was registered. You can change these filters to find other events and learn more about the processes related to the threat.

An additional EventSelector drop-down list becomes available in drilldown mode.

You can manually link events to alerts. Only events that are not related to the alert can be linked to it.

You can create and save an event filter configuration in drilldown mode. When this filter is used outside of drilldown mode, all events that match the filter criteria are selected, regardless of whether they are related to the alert that was selected for drilldown analysis.

To link a base event to an alert:

  1. In the Alerts section of the KUMA web interface, click the alert that you want to link to the event.

    The Alert window opens.

  2. In the Related events section, click the Find in events button.

    The events table opens with active filters matching the data and time period of the events related to the alert, and its columns show the settings used by the correlation rule to create the alert. A Link to alert column is also added to the events table, showing which events are linked to the alert.

  3. In the EventSelector drop-down list, select All events.
  4. Modify the filters to find the event you want to link to the alert.
  5. Select the event you want, and click the Link to alert button at the bottom of the event details area.

The event is linked to the alert. You can unlink this event from the alert by clicking the Unlink from alert button in the event details area.

When an event is linked to or unlinked from the alert, a Change log entry is added in the Alert window. You can click the link in this entry and, in the event details area that opens, link or unlink the event using the Link to alert and Unlink from alert buttons.
