Processing alerts

You can change the alert severity, assign an alert to a user, close the alert, or create an incident based on the alert.

To process an alert:

Select required alerts using one of the methods below:
- In the Alerts section of the KUMA web interface, click the alert whose information you want to view.
  The Alert window opens and provides an alert processing toolbar at the top.
- In the Alerts section of the KUMA web interface, select the check box next to the required alert. It is possible to select more than one alert.
  Alerts with the closed status cannot be selected for processing.
  
  A toolbar will appear at the bottom of the window.
If you want to change the severity of an alert, select the required value in the Priority drop-down list:
- Low
- Medium
- High
- Critical
The severity of the alert changes to the selected value.
If you want to assign an alert to a user, select the relevant user from the Assign to drop-down list.
You can assign the alert to yourself by selecting Me.

The status of the alert will change to Assigned and the name of the selected user will be displayed in the Assign to drop-down list.
In the Related users section, select a user and configure Active Directory response settings.
1. After the related user is selected, in the Account details window that opens, click Response via Active Directory.
2. In the AD command drop-down list, select one of the following values:
  - Add account to group
    The Active Directory group to move the account from or to.
    In the mandatory field Distinguished name, you must specify the full path to the group.
    For example, CN = HQ Team, OU = Groups, OU = ExchangeObjects, DC = avp, DC = ru.
    Only one group can be specified within one operation.
  - Remove account from group
    The Active Directory group to move the account from or to.
    In the mandatory field Distinguished name, you must specify the full path to the group.
    For example, CN = HQ Team, OU = Groups, OU = ExchangeObjects, DC = avp, DC = ru.
    Only one group can be specified within one operation.
  - Reset account password
  - Block account
3. Click Apply.
If required, create an incident based on the alert:
1. Click Create incident.
  The window for creating an incident will open. The alert name is used as the incident name.
2. Update the desired incident parameters and click the Save button.
The incident is created, and the alert status is changed to Escalated. An alert can be unlinked from an incident by selecting it and clicking Unlink.
If you want to close the alert:
1. Click Close alert.
  A confirmation window opens.
2. Select the reason for closing the alert:
  - Responded. This means the appropriate measures were taken to eliminate the security threat.
  - Incorrect data. This means the alert was a false positive and the received events do not indicate a security threat.
  - Incorrect correlation rule. This means the alert was a false positive and the received events do not indicate a security threat. The correlation rule may need to be updated.
3. Click OK.
The status of the alert is changed to Closed. Alerts with this status are no longer updated with new correlation events and aren't displayed in the alerts table unless the Closed check box is selected in the Status drop-down list in the alerts table. You cannot change the status of a closed alert or assign it to another user.

Page top