Alert segmentation rules

In KUMA, you can configure alert segmentation rules, which create separate alerts when certain conditions are met. This is useful when the correlator groups correlation events of the same type into one common alert, but you want some of those events, which differ from the rest in an important way, to generate separate alerts.

Segmentation rules are created separately for each tenant. They are displayed in the KUMA web interface under Settings → Alerts → Segmentation rules in a table containing the following columns:

To create an alert segmentation rule:

  1. In the KUMA web interface, go to Settings → Alerts → Segmentation rules.
  2. Select the tenant for which you would like to create a segmentation rule:
    • If the tenant already has segmentation rules, select it in the table.
    • If the tenant has no segmentation rules, click Add tenant and select the relevant tenant from the Tenant drop-down list.
  3. In the Segmentation rules settings block, press Add and specify the segmentation rule settings:
    • Name (required)—specify the segmentation rule name in this field.
    • Correlation rule (required)—in this drop-down list, select the correlation rule whose events you want to highlight in a separate alert.
    • Selector (required)—in this settings block, you need to specify a condition under which the segmentation rule will be triggered. The conditions are specified in a way similar to filters.
  4. Click Save.

The alert segmentation rule is created. Events matching these rules will be combined into a separate alert with the name of the segmentation rule.

To turn off the segmentation rules:

  1. Open the Settings → Alerts section of the KUMA web interface and select the tenant whose segmentation rules you want to disable.
  2. Select the Disabled check box.
  3. Click Save.

The segmentation rules for the alerts of the selected tenant are disabled.
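
The following is a conceptual model of the behavior described above, added here as an example; it is not KUMA code and does not use a KUMA API. The tenant names, rule names, events, and the selector predicate are constructed, and two points are assumptions: the first matching segmentation rule wins, and the common alert is named after the correlation rule.

```python
from collections import defaultdict

# Constructed rule; the selector stands in for a KUMA filter condition.
DC_RULE = {
    "name": "Failed logons on domain controllers",
    "correlation_rule": "Multiple failed logons",
    "selector": lambda e: e["DestinationHostName"].startswith("dc-"),
}

# Segmentation rules are kept per tenant; "disabled" models the Disabled check box.
TENANTS = {
    "tenant-a": {"disabled": False, "rules": [DC_RULE]},
    "tenant-b": {"disabled": True, "rules": [DC_RULE]},
}

# Constructed correlation events, all produced by the same correlation rule.
EVENTS = [
    {"id": 1, "correlation_rule": "Multiple failed logons", "DestinationHostName": "ws-014"},
    {"id": 2, "correlation_rule": "Multiple failed logons", "DestinationHostName": "dc-01"},
    {"id": 3, "correlation_rule": "Multiple failed logons", "DestinationHostName": "dc-02"},
    {"id": 4, "correlation_rule": "Multiple failed logons", "DestinationHostName": "ws-020"},
]

def alert_name(tenant, event):
    """Return the name of the alert that this correlation event is grouped into."""
    cfg = TENANTS.get(tenant)
    if cfg and not cfg["disabled"]:
        for rule in cfg["rules"]:
            if (rule["correlation_rule"] == event["correlation_rule"]
                    and rule["selector"](event)):
                return rule["name"]  # assumption: first matching rule wins
    # Assumption: without a match, the event stays in the common alert,
    # named after the correlation rule.
    return event["correlation_rule"]

def build_alerts(tenant, events):
    """Group event ids by alert name for one tenant."""
    alerts = defaultdict(list)
    for event in events:
        alerts[alert_name(tenant, event)].append(event["id"])
    return dict(alerts)

if __name__ == "__main__":
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant, build_alerts(tenant, EVENTS))
```

For tenant-a the domain controller events are split into their own alert, while tenant-b, whose rules are disabled, keeps all four events in the common alert.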
