Viewing incidents from descendant nodes

If hierarchy mode is enabled, you can view the Incidents section to inspect the incidents that were created on child nodes and their descendants. The incidents table displays the Branch column, which can be used to filter incidents based on the nodes in which they were created. By default, the incidents table displays the incidents that were created on your node.

To select the nodes whose incidents you want to view:

In the KUMA web interface, open the Incidents section.
Click the header of the Branch column and click the icon in the opened window.
The right side of the window will display the details area containing the hierarchical structure of the organization. You can use the button to expand or collapse all branches of the structure, or select all KUMA nodes.
Select the relevant nodes and click Save.

The incidents table displays the incidents that were created on the nodes that you selected.

When you click an incident, a window opens with detailed information about the incident. The data is read-only. An incident from another node cannot be edited or processed.

Special considerations when viewing data on an incident created on a different node:

The Related alerts section of the incident window contains information only if the child node is configured to forward data on incident-related alerts to the parent node.
When you click on the name of an incident-related alert, a window opens with detailed information about this alert. This data is also read-only. An alert from another node cannot be edited or processed.
The Related events section in the window of an alert related to an incident of another node contains information only if the child node is configured to forward data on incident-related events to the parent node.
In this case, you can use the Find in events button to open the events table and search for relevant events. However, you cannot select the storage, and there are limitations applied to SQL queries when searching events in drilldown analysis mode. This mode employs data enrichment (for example, using Kaspersky Threat Intelligence Portal, Kaspersky CyberTrace or Active Directory). The results of Kaspersky Threat Intelligence Portal data enrichment performed on child nodes are not available on parent nodes.