Configuring alerts table

The main part of the Alerts section shows a table containing information about registered alerts. You can click column titles to open drop-down lists with tools for filtering alerts and configuring alert table:

Priority ()—shows the importance of a possible security threat: Critical , High , Medium , or Low .
Name—alert name.
If Overflowed tag is displayed next to the alert name, it means the alert size has reached or is about to reach the limit and should be processed as soon as possible.
Status—current status of an alert:
- New—a new alert that hasn't been processed yet.
- Assigned—the alert has been processed and assigned to a security officer for investigation or response.
- Closed—the alert was closed. Either it was a false alert, or the security threat was eliminated.
- Escalated—an incident was generated based on this alert.
Assigned to—the name of the security officer the alert was assigned to for investigation or response.
Incident—name of the incident to which this alert is linked.
First seen—the date and time when the first correlation event of the event sequence was created, triggering creation of the alert.
Last seen—the date and time when the last correlation event of the event sequence was created, triggering creation of the alert.
Categories—categories of alert-related assets with the highest priority. No more than three categories are displayed.
Tenant—the name of the tenant that owns the alert.

In the Search field, you can enter a regular expression for searching alerts based on their related assets, users, tenants, and correlation rules. Parameters that can be used for a search:

Assets: name, FQDN, IP address.
Active Directory accounts: attributes displayName, SAMAccountName, and UserPrincipalName.
Correlation rules: name.
KUMA users who were assigned alerts: name, login, email address.
Tenants: name.

When filtering alerts based on a specific parameter, the corresponding header of the alerts table is highlighted in yellow.

Page top