Processing alerts

You can change the alert priority, assign an alert to a user, close the alert, or create an incident based on it.

To process an alert:

  1. Select the required alerts using one of the following methods:
    • In the Alerts section of the KUMA web interface, click the alert whose information you want to view.

      The Alert window opens with the alert processing toolbar at the very top.

    • In the Alerts section of the KUMA web interface, select the check box next to the required alert. It is possible to select more than one alert.

      Alerts with the closed status cannot be selected for processing.

      The action toolbar appears at the bottom of the window.

  2. If you want to change the priority of an alert, select the required value in the Priority drop-down list:
    • Low
    • Medium
    • High
    • Critical

    The priority of the alert changes to the selected value.

  3. If you want to assign an alert to a user, select the relevant user from the Assign to drop-down list.

    You can assign the alert to yourself by selecting Me.

    The status of the alert changes to Assigned and the name of the selected user is displayed in the Assign to drop-down list.

  4. Create an incident based on the alert:
    1. Click Create incident.

      The window for creating an incident will open. The alert name is used as the incident name.

    2. Edit the incident parameters as needed and click Save.

    The incident is created and the alert status changes to Escalated. To unlink an alert from an incident, select the alert and click Unlink.

  5. If you want to close the alert:
    1. Click Close alert.

      A confirmation window opens.

    2. Select the reason for closing the alert:
      • Responded. The appropriate measures were taken to eliminate the security threat.
      • Incorrect data. The alert is a false positive: the received events do not indicate a security threat.
      • Incorrect correlation rule. The alert is a false positive: the received events do not indicate a security threat, and the correlation rule that produced the alert may need to be updated.
    3. Click OK.

    The status of the alert changes to Closed. Closed alerts are no longer updated with new correlation events and are hidden from the alerts table unless the Closed check box is selected in the Status drop-down list of the table. You cannot change the status of a closed alert or assign it to another user.
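When many alerts have to be processed at once, for example closing every alert produced by a correlation rule that turned out to be misconfigured, the same actions can be driven through the KUMA REST API instead of the toolbar. The following Python script is an added example and is not KUMA documentation or product code. It assumes the REST API v1 shape: alerts listed by GET /api/v1/alerts, closed by POST /api/v1/alerts/close with a JSON body of the form {"id", "reason"}, the closing reasons passed as the lower-case strings responded, incorrect data and incorrect correlation rule, and a user API token sent as a bearer token; the host name, port 7223, token and the sample alerts are constructed for the example. Verify each of these against the REST API reference for your KUMA version before running it against a live instance. The script applies the rules from the procedure above: alerts that are already Closed are skipped rather than sent, and a reason outside the three offered by the Close alert dialog is rejected before any request is made.

```python
"""Bulk-close KUMA alerts through the REST API (added example, assumptions labelled)."""
import json
import urllib.request
from typing import Callable, Iterable

# Closing reasons offered by the Close alert dialog. ASSUMPTION: the API
# accepts them as these lower-case strings.
CLOSE_REASONS = {
    "responded",
    "incorrect data",
    "incorrect correlation rule",
}

# Alert statuses as shown in the alerts table; Closed is terminal and
# cannot be selected for processing.
TERMINAL_STATUSES = {"closed"}

# Constructed sample alerts in the shape ASSUMED for GET /api/v1/alerts
# (only the fields this script uses). In a real run they come from the API.
SAMPLE_ALERTS = [
    {"id": "a1", "name": "Suspicious PowerShell", "status": "new"},
    {"id": "a2", "name": "Suspicious PowerShell", "status": "assigned"},
    {"id": "a3", "name": "Suspicious PowerShell", "status": "closed"},
]


def select_for_processing(alerts: Iterable[dict]) -> list[dict]:
    """Drop alerts whose status is Closed, mirroring the UI selection rule."""
    return [a for a in alerts if a.get("status", "").lower() not in TERMINAL_STATUSES]


def build_close_request(base_url: str, token: str, alert_id: str, reason: str) -> urllib.request.Request:
    """Build the close request; an unknown reason fails before anything is sent.

    ASSUMPTION: POST /api/v1/alerts/close with body {"id": ..., "reason": ...}
    and bearer-token authentication.
    """
    if reason not in CLOSE_REASONS:
        raise ValueError(f"unknown close reason {reason!r}; expected one of {sorted(CLOSE_REASONS)}")
    body = json.dumps({"id": alert_id, "reason": reason}).encode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/alerts/close",
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def close_alerts(base_url: str, token: str, alerts: list[dict], reason: str,
                 send: Callable = urllib.request.urlopen) -> dict:
    """Close every processable alert with one reason; skip closed ones.

    `send` defaults to urllib.request.urlopen and is injectable so the flow
    can be exercised offline. Returns {"closed": [ids], "skipped": [ids]}.
    """
    result = {"closed": [], "skipped": []}
    processable_ids = {a["id"] for a in select_for_processing(alerts)}
    for a in alerts:
        if a["id"] not in processable_ids:
            result["skipped"].append(a["id"])
            continue
        req = build_close_request(base_url, token, a["id"], reason)
        with send(req) as resp:
            # ASSUMPTION: success is reported as 200 or 204.
            if resp.status not in (200, 204):
                raise RuntimeError(f"closing alert {a['id']} failed: HTTP {resp.status}")
        result["closed"].append(a["id"])
    return result


class FakeResponse:
    """Stand-in for an HTTP response so the example runs without a KUMA server."""
    status = 204

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_send(req: urllib.request.Request) -> FakeResponse:
    """Offline sender: records nothing, reports success for every request."""
    return FakeResponse()


if __name__ == "__main__":
    # Constructed host, port and token; replace with your KUMA Core address
    # and a user API token, and drop send= to use urllib for real.
    print(close_alerts("https://kuma.example:7223", "TOKEN", SAMPLE_ALERTS,
                       "incorrect correlation rule", send=fake_send))
```

Filtering closed alerts client-side matters for idempotent re-runs: a second pass over the same list reports them under "skipped" instead of issuing requests the server would refuse, and a typo in the reason string is caught locally rather than surfacing as a batch of failed calls.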
