Viewing details on an alert
To view details on an alert:
- In the program web interface window, select the Alerts section.
The alerts table is displayed.
- Click the name of the alert whose details you want to view.
This opens a window containing information about the alert.
The upper part of the alert details window contains a toolbar and shows the alert severity and the name of the user to whom the alert is assigned. In this window, you can process the alert: change its severity, assign it to a user, close it, and create an incident based on it.
Details on alert section
This section lets you view basic information about an alert. It contains the following data:
- Correlation rule priority—the priority of the correlation rule that triggered the creation of the alert.
- Max asset category priority—the highest priority of an asset category assigned to assets related to this alert. If multiple assets are related to the alert, the largest value is displayed.
- Linked to incident—if the alert is linked to an incident, the name and status of the alert are displayed.
- First seen—the date and time of creation of the first correlation event in the event sequence that triggered creation of the alert.
- Last seen—the date and time when the last correlation event in the event sequence that triggered creation of the alert was created.
- Alert ID—the unique identifier of an alert in KUMA.
- Tenant—the name of the tenant that owns the alert.
- Correlation rule—the name of the correlation rule that triggered the creation of the alert. The rule name is represented as a link that can be used to open the settings of this correlation rule.
- Overflowed—this tag means that the alert size has reached or will soon reach the limit of 16 MB and the alert must be processed as soon as possible. New events are not added to overflowed alerts, but you can click the All possible related events link to filter all events that could have been related to the alert if there had been no overflow.
Related events section
This section contains a table of events related to the alert. If you click the icon next to the correlation rule, the base events of this correlation rule are displayed. Events can be sorted by priority and time.
Selecting an event in the table opens the details area containing information about the selected event. The details area also displays the Detailed view button, which opens a window containing information about the correlation event.
The Find in events links below correlation events and the Find in events button to the right of the section header are used for drilldown analysis.
You can use the Download events button to download information about related events into a CSV file (in UTF-8 encoding). The file contains columns that are populated in at least one related event.
Some CSV file editors interpret a separator value (for example, \n) inside a field of the CSV file exported from KUMA as a line break rather than as data. This may break the division of the file into lines. If you encounter this issue, you may need to edit the CSV file exported from KUMA manually.
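To see why the editor caveat matters, the following added example (not part of the KUMA documentation) parses a constructed events export with Python's csv module, which treats a literal `\n` sequence inside a quoted field as data, and contrasts it with the line splitting an editor that interprets `\n` as a line break effectively performs. Column names and event values are assumptions made up for illustration.

```python
import csv
import io

# Constructed sample resembling a "Download events" export (UTF-8 CSV).
# Column names and values are assumptions, not a real KUMA export.
# The Message field of the second event carries the two-character
# sequence "\n", which some CSV editors wrongly render as a line break.
SAMPLE_EXPORT = (
    "Timestamp,Name,SourceAddress,DestinationAddress,Message\n"
    "2024-01-01T10:00:00Z,Suspicious login,10.0.0.5,10.0.0.9,\"user: alice\"\n"
    "2024-01-01T10:00:05Z,Command line,10.0.0.5,10.0.0.9,"
    "\"cmd.exe /c dir\\nwhoami\"\n"
)


def parse_kuma_events_csv(text: str) -> list[dict]:
    """Parse an exported events CSV into one dict per event.

    newline="" hands line splitting to the csv module, so only a real
    record terminator ends a row: a quoted field may contain an actual
    newline, and a literal backslash-n sequence is kept as data.
    """
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return list(reader)


def naive_line_split(text: str) -> list[str]:
    """Mimic an editor that expands "\\n" sequences before splitting lines.

    This is the failure mode described in the documentation: the second
    event is torn into two lines and the column count no longer matches.
    """
    expanded = text.replace("\\n", "\n")
    return [line for line in expanded.split("\n") if line]


def column_counts(rows: list[dict]) -> dict[str, int]:
    """Number of events in which each column carries a non-empty value."""
    counts: dict[str, int] = {}
    for row in rows:
        for column, value in row.items():
            if value:
                counts[column] = counts.get(column, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_kuma_events_csv(SAMPLE_EXPORT)
    print(f"csv module: {len(events)} events, message kept intact: "
          f"{events[1]['Message']!r}")
    print(f"naive split: {len(naive_line_split(SAMPLE_EXPORT)) - 1} 'events'")
```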
Related endpoints section
This section contains a table of hosts related to the alert. Host information comes from events that are related to the alert. You can search for endpoints by using the Search for IP addresses or FQDN field. Assets can be sorted using the Count and Endpoint columns.
This section also displays the assets related to the alert. Clicking the name of the asset opens the Asset details window.
You can use the Download assets button to download information about related assets into a CSV file (in UTF-8 encoding). The following columns are available in the file: Count, Name, IP address, FQDN, Categories.
Related users section
This section contains a table of users related to the alert. User information comes from events that are related to the alert. You can search for users using the Search for users field. Users can be sorted by the Count, User, User principal name and Email columns.
You can use the Download users button to download information about related users into a CSV file (in UTF-8 encoding). The following columns are available in the file: Count, User, User principal name, Email, Domain.
Change log section
This section contains entries about changes made to the alert by users. Changes are automatically logged, but it is also possible to add comments manually. Comments can be sorted by using the Time column.
If necessary, you can enter a comment for the alert in the Comment field and click Add to save it.