Alerts are created when a sequence of events is received that triggers a correlation rule. You can find more information about alerts in this section.
In the Alerts section of the KUMA web interface, you can view and process the alerts registered by the application. Alerts can be filtered. When you click the alert name, a window with its details opens.
The alert date format depends on the localization language selected in the application settings. Possible date format options:
Alert life cycle
Below is the life cycle of an alert:
Alerts with the New status continue to be updated with data when correlation rules are triggered. If the alert status changes, the alert is no longer updated with new events, and if the correlation rule is triggered again, a new alert is created.
Filling alerts with events
By default, the number of events associated with an alert cannot exceed 10,000. When the number of events associated with the alert reaches 10,000, a new alert is created with the same name, but with a new ID. You can view the alert ID in the alert details. If necessary, you can change this value in the properties of the segmentation rule in the Correlation events limit field. For this to work, the segmentation rule must be enabled and linked to the alert correlation rules of the tenant.
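The two rules above (only an alert in the New status keeps absorbing events, and an alert that reaches the correlation events limit is followed by a new alert with the same name but a new ID) can be modelled in a few lines. The following is an added example written for this page, not KUMA's own code: the event dict layout, the locally generated numeric IDs, the `AlertStore` class and the `Assigned` status value are assumptions made for the illustration, and the limit is lowered from the default 10,000 to 3 so the behaviour is visible on a handful of events.

```python
"""Toy model of alert filling as described on this page (added example, not KUMA code).

Assumptions (not from the page): a correlation event is a dict with a 'rule' key,
alert IDs are generated locally by a counter, and 'Assigned' stands in for any
status other than New.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, List

DEFAULT_EVENT_LIMIT = 10_000  # default value of the "Correlation events limit" setting


@dataclass
class Alert:
    alert_id: int
    name: str
    status: str = "New"
    events: List[dict] = field(default_factory=list)


class AlertStore:
    """Receives correlation events and assigns each one to an alert."""

    def __init__(self, event_limit: int = DEFAULT_EVENT_LIMIT):
        self.event_limit = event_limit
        self.alerts: List[Alert] = []
        self._ids = count(1)                 # assumed: simple local ID generator
        self._open: Dict[str, Alert] = {}    # rule name -> alert currently accepting events

    def _new_alert(self, name: str) -> Alert:
        alert = Alert(alert_id=next(self._ids), name=name)
        self.alerts.append(alert)
        self._open[name] = alert
        return alert

    def on_correlation_event(self, event: dict) -> Alert:
        name = event["rule"]
        alert = self._open.get(name)
        # An alert stops growing as soon as it leaves the New status or reaches the
        # event limit; the next trigger then opens a new alert with the same name.
        if alert is None or alert.status != "New" or len(alert.events) >= self.event_limit:
            alert = self._new_alert(name)
        alert.events.append(event)
        return alert

    def set_status(self, alert_id: int, status: str) -> Alert:
        for alert in self.alerts:
            if alert.alert_id == alert_id:
                alert.status = status
                return alert
        raise KeyError(alert_id)


def demo(limit: int = 3):
    """Walk through both rules with constructed events and return a summary per alert."""
    store = AlertStore(event_limit=limit)
    # Rule R1 fires twice; both events land in the same alert while it is New.
    store.on_correlation_event({"rule": "R1", "seq": 1})
    first = store.on_correlation_event({"rule": "R1", "seq": 2})
    # An analyst takes the alert (assumed status value); it no longer receives events.
    store.set_status(first.alert_id, "Assigned")
    # The next trigger therefore creates a second alert with the same name, new ID.
    store.on_correlation_event({"rule": "R1", "seq": 3})
    store.on_correlation_event({"rule": "R1", "seq": 4})
    store.on_correlation_event({"rule": "R1", "seq": 5})   # second alert reaches the limit
    store.on_correlation_event({"rule": "R1", "seq": 6})   # spills into a third alert
    return [(a.alert_id, a.name, a.status, len(a.events)) for a in store.alerts]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

For an analyst the practical consequence is that a run of alerts sharing one name but carrying different IDs is expected output of these rules, not duplicate detections: group by alert name and check whether the earlier alert had left the New status or had hit the configured limit before treating the later ones as separate incidents.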
Alert segmentation
Using the segmentation rules, a stream of correlation events of the same type can be split so that more than one alert is created from it instead of a single alert.