Filtering alerts

In KUMA, you can perform alert selection by using the filtering and sorting tools in the Alerts section.

The filter configuration can be saved. Existing filter configurations can be deleted.

Configuring alerts table

The main part of the Alerts section shows a table containing information about registered alerts. You can click column titles to open drop-down lists with tools for filtering alerts and configuring alert table:

• Priority ()—shows the importance of a possible security threat: Critical , High , Medium , or Low .
• Name—alert name.

  If Overflowed tag is displayed next to the alert name, it means the alert size has reached or is about to reach the limit and should be processed as soon as possible.

• Status—current status of an alert:
  • New—a new alert that hasn't been processed yet.
  • Assigned—the alert has been processed and assigned to a security officer for investigation or response.
  • Closed—the alert was closed. Either it was a false alert, or the security threat was eliminated.
  • Escalated—an incident was generated based on this alert.
• Assigned to—the name of the security officer the alert was assigned to for investigation or response.
• Incident—name of the incident to which this alert is linked.
• First seen—the date and time when the first correlation event of the event sequence was created, triggering creation of the alert.
• Last seen—the date and time when the last correlation event of the event sequence was created, triggering creation of the alert.
• Categories—categories of alert-related assets with the highest severity. No more than three categories are displayed.
• Tenant—the name of the tenant that owns the alert.

In the Search field, you can enter a regular expression for searching alerts based on their related assets, users, tenants, and correlation rules. Parameters that can be used for a search:

• Assets: name, FQDN, IP address.
• Active Directory accounts: attributes displayName, SAMAccountName, and UserPrincipalName.
• Correlation rules: name.
• KUMA users who were assigned alerts: name, login, email address.
• Tenants: name.

When filtering alerts based on a specific parameter, the corresponding header of the alerts table is highlighted in yellow.

Saving and selecting alert filter configurations

In KUMA, you can save changes to the alert table settings as filters. Filter configurations are saved on the KUMA Core server and are available to all KUMA users of the tenant for which they were created.

To save the current filter configuration settings:

1. In the Alerts section of KUMA open the Filters drop-down list.
2. Select Save current filter.

   A field will appear for entering the name of the new filter and selecting the tenant that will own it.

3. Enter a name for the filter configuration. The name must be unique for alert filters, incident filters, and event filters.
4. In the Tenant drop-down list, select the tenant that will own the filter and click Save.

The filter configuration is now saved.

To select a previously saved filter configuration:

1. In the Alerts section of KUMA open the Filters drop-down list.
2. Select the configuration you want.

The filter configuration is now active.

You can select the default filter by putting an asterisk to the left of the required filter configuration name in the Filters drop-down list.

To reset the current filter settings:

Open the Filters drop-down list and select Clear filters.

Deleting alert filter configurations

To delete a previously saved filter configuration:

1. In the Alerts section of KUMA open the Filters drop-down list.
2. Click the button near configuration you want to delete.
3. Click OK.

The filter configuration is now deleted for all KUMA users.