Widgets in KUMA are used to obtain analytics for the Dashboard and Reports.
Click on the title or legend of widgets for events, alerts, incidents, or active lists, to open the corresponding section of the KUMA web interface containing the widget data obtained using the section's filters and/or a search query. See below for more details. This functionality is not available while creating or editing layouts.
If the widget is configured to divide the analytics period into segments, the values or charts will be displayed in pairs: the analytics for the current segment of the period (custom color) and the analytics for the previous segment of the period (gray).
Widgets are organized into widget groups, each one related to the analytics type they provide. The following widget groups and widgets are available in KUMA:
Events—widget for creating analytics based on events.
Click on the title of this widget to go to the Events section of the KUMA web interface. The SQL query specified in the widget is used to request the events for the widget. The query is specified without grouping (except for table graphs) but takes into account the conditions indicated in the WHERE clause. The LIMIT parameter in the query is equal to 250.
Active lists—widget for creating analytics based on active lists of correlators.
Click the title of this widget to go to the section of the active list used to build the analytics of the widget.
Alerts—group for analytics related to alerts. Click on the title or legend of widgets in this group to go to the Alerts section of the KUMA web interface and view the widget data in detail.
The group includes the following widgets:
Active alerts—number of alerts that have not been closed.
Active alerts by tenant—number of unclosed alerts grouped by tenant.
Alerts by tenant—number of alerts of all statuses, grouped by tenant.
Unassigned alerts—number of alerts that have the New status.
Alerts by assignee—number of assigned alerts grouped by their assignee.
Alerts by status—number of alerts grouped by status.
Alerts by severity—number of unclosed alerts grouped by their severity.
Alerts by rule—number of unclosed alerts grouped by correlation rule. For this widget, you cannot obtain detailed information by clicking on the widget title.
Latest alerts—table containing the last 10 unclosed alerts. If there are more than 10 alerts in tenants selected in the widget, some of them will not be displayed.
Alerts distribution—number of alerts created during the period indicated in the widget.
Assets—group for analytics related to assets from processed events. This group includes the following widgets:
Affected assets—table of alert-related assets showing the severity of the asset and the number of unclosed alerts related to it.
Affected asset categories—categories of assets linked to unclosed alerts.
Number of assets—number of assets that were added to KUMA.
Assets in incidents by tenant—number of assets in unclosed incidents, grouped by tenant.
Assets in alerts by tenant—number of assets in unclosed alerts, grouped by tenant.
Incidents—group for analytics related to incidents. Click on the title or legend of widgets in this group to go to the Incidents section of the KUMA web interface and view the widget data in detail.
The group includes the following widgets:
Active incidents—number of incidents that have not been closed.
Unassigned incidents—number of incidents that have the Opened status.
Incidents distribution—number of incidents created during the period indicated in the widget.
Incidents by assignee—number of incidents that have the Assigned status grouped by KUMA user.
Incidents by status—number of incidents grouped by status.
Incidents by severity—number of unclosed incidents grouped by their severity. Available types of diagrams: pie chart, bar graph.
Active incidents by tenant—number of unclosed incidents grouped by tenant available to the user.
All incidents—number of incidents of all statuses.
All incidents by tenant—number of incidents of all statuses, grouped by tenant.
Affected assets in incidents—number of assets in unclosed incidents. For this widget, you cannot obtain detailed information by clicking on the widget title.
Affected assets categories in incidents—categories of the assets affected by unclosed incidents. Available types of diagrams: pie chart, bar graph. For this widget, you cannot obtain detailed information by clicking on the widget title.
Affected users in incidents—users affected by incidents. Available types of diagrams: table, pie chart, bar graph. For this widget, you cannot obtain detailed information by clicking on the widget title.
Latest incidents—last 10 unclosed incidents. If there are more than 10 incidents in tenants selected in the widget, some of them will not be displayed.
Event sources—group for analytics related to sources of events. The group includes the following widgets:
Top event sources by alerts number—number of unclosed alerts grouped by event source.
Top event sources by conversion rate—number of events that have an unclosed alert grouped by event source.
Due to optimized storage of events in alerts, the number of alerts created by event sources may be inaccurate in some cases. To obtain accurate statistics, it is recommended to specify the Device Product event field as a unique field in the correlation rule and to enable storage of all base events in the correlation event. However, correlation rules with these settings consume more resources.
Users—group for analytics related to users from processed events. The group includes the following widgets:
Affected users in alerts—number of users related to unclosed alerts.
Number of AD users—number of Active Directory accounts received via LDAP during the period indicated in the widget.