Creating a segmentation rule

Alert segmentation rules are used to divide correlation events of the same type among different alerts. Conditions for correlation events for which separate alerts must be generated are specified in the segmentation rules.

To create a segmentation rule:

1. In the KUMA web interface, go to Resources → Segmentation rules, select a tenant and click the Create new button.

   This opens the Create segmentation rule window.

2. In the Name field, enter a name for the segmentation rule. The name must be unique and contain 1 to 128 Unicode characters.
3. If necessary, in the Tenant drop-down list, change the tenant to which the segmentation rule belongs.
4. In the Type drop-down list, specify the type of the segmentation rule. Available values:
   • By filter—an alert is created if the correlation events match the filter conditions specified in the Filter group of settings.

     You can use the Add condition button to add a string containing fields for identifying the condition. You can use the Add group button to add a group of filters. Group operators can be switched between AND, OR, and NOT. You can add other condition groups and individual conditions to filter groups. You can swap conditions and condition groups by dragging them by the icon; you can also delete them using the icon. You can use operands and operators to specify conditions:

     • Left operand and Right operand—used to specify the values to be processed by the operator.

       The left operand contains the names of the event fields that are processed by the filter.

       For the right-hand operand, you can select the type of the value: constant or list and specify the value.

     • Available operators
       • =—the left operand equals the right operand.
       • <—the left operand is less than the right operand.
       • <=—the left operand is less than or equal to the right operand.
       • >—the left operand is greater than the right operand.
       • >=—the left operand is greater than or equal to the right operand.
       • inSubnet—the left operand (IP address) is in the subnet of the right operand (subnet).
       • contains—the left operand contains values of the right operand.
       • startsWith—the left operand starts with one of the values of the right operand.
       • endsWith—the left operand ends with one of the values of the right operand.
       • match—the left operand matches the regular expression of the right operand. The RE2 regular expressions are used.

     You can also add a filter in code mode. To do this, go to the Code tab in the Filter section and specify the filter in the input field. When entering parameter values, autocompletion is supported in the form of a list of hints. To display the list of all hints in the field, press Ctrl+Space.

     Note that the code mode allows you to use all possible values for rules in KUMA in the list of hints. Some of these values may not be valid for segmentation rules (for example, activelist, dictionary, hasbit).

   • By identical fields—an alert is created if the correlation event contains the event fields specified in the Correlation rule identical fields drop-down list.

     You can select identical fields from the Correlation rule identical fields field by selecting check boxes. You can remove added fields by clicking the X icon next to the name of the identical field.

     Example of grouping fields usage

     A rule that detects a network scan generates only one alert, even if there are multiple devices that scan the network. If you create an alert segmentation rule based on the SourceAddress event grouping field and then bind this segmentation rule to a correlation rule, alerts are created for each address from which a scan is performed when the rule is triggered.

     In this example, if the correlation rule name is "Network. Possible port scan", and the "from {{.SourceAddress}}" value is specified as the alert naming template in the segmentation rule resource, alerts are created that look like this:

     • Network. Possible port scan (from 10.20.20.20)
     • Network. Possible port scan (from 10.10.10.10)
   • By event limit—an alert is created if the number of correlation events in the previous alert exceeds the value specified in the Correlation events limit field.
5. In the Alert naming template field, specify the template to be used for naming alerts generated by this segmentation rule. The default value is {{.Timestamp}}. In the template field, you can specify text, as well as event fields in the {{.<Event field name>}} format. When generating the alert name, the value of the event field is substituted instead of the event field name. The name of the alert created using the segmentation rules has the following format: <Name of the correlation rule that created the alert> <text from the alert naming template field> <value of the specified event field>. For example, if the triggered correlation rule name is named "Connection. Insecure port usage", and the segmentation rule name template contains {{.Timestamp}}, alerts of the following form are created:
   • Connection. Insecure port usage (Tue, 29 Jul 2025 07:56:43 UTC)
   • Connection. Insecure port usage (Tue, 29 Jul 2025 07:59:46 UTC)

   If multiple segmentation rules are executed with different alert naming templates, they are listed in the alert name separated by the "|" character.

6. If necessary, in the Tags drop-down list, select the tags for the event segmentation rule.
7. If necessary, enter a description of the segmentation rule in the Description field. You can enter up to 4,000 Unicode characters.

The segmentation rule is created. Next, you need to link the segmentation rule to a correlation rule.

Page top