In KUMA, you can configure segmentation rules for alerts, that is, you can create separate alerts with certain conditions. This can be useful when the correlator groups the same type of correlation events into one common alert, but you want separate alerts to be generated based on some of these events, which differ from others for some important reason.
Segmentation rules are created separately for each tenant. They are displayed in the Settings → Alerts section of the KUMA web interface in a table with the following columns:
- Tenant—the name of the tenant that owns the segmentation rules.
- Updated—date and time of the last update of the segmentation rules.
- Disabled—this column displays a label if the segmentation rules are turned off.
To create an alert segmentation rule:
1. Open the Settings → Alerts section in the KUMA web interface.
2. Select the tenant for which you want to create a segmentation rule:
   - If the tenant already has segmentation rules, select it in the table.
   - If the tenant does not have segmentation rules, click Add and select the relevant tenant from the Tenant drop-down list.
3. In the Segmentation rules settings block, click Add and specify the segmentation rule settings:
   - Name (required)—the name of the segmentation rule.
   - Correlation rule (required)—in this drop-down list, select the correlation rule whose events you want to place in a separate alert.
   - Selector (required)—in this settings block, specify the condition under which the segmentation rule is triggered. Conditions are specified in a way similar to filters.
4. Click Save.
The alert segmentation rule is created. Events matching these rules will be combined into a separate alert with the name of the segmentation rule.
To turn off the segmentation rules:
1. Open the Settings → Alerts section of the KUMA web interface and select the tenant whose segmentation rules you want to disable.
2. Select the Disabled check box.
3. Click Save.
The segmentation rules for the alerts of the selected tenant are disabled.