Detections (Alerts)

The Detections page is the primary alert management interface. Alerts are generated automatically by the Detection Engine running 153+ rules against syslog and network flow data, or from external sources (SIEM, EDR, NDR connectors).


Alert Sources

| Source           | Description                                                        | Volume               |
|------------------|--------------------------------------------------------------------|----------------------|
| detection-engine | Auto-generated by detection rules matching OpenSearch events/flows | ~30 new alerts/cycle |
| siem             | Alerts from connected SIEM platforms                               | varies               |
| edr              | Endpoint detection alerts                                          | varies               |
| ndr              | Network detection alerts                                           | varies               |
| manual           | Manually created by analysts                                       | ad-hoc               |

Detection Engine Alerts

  • Title format: [Detection] Rule Name → Target IP/Host
  • Includes: severity, MITRE tactic/technique, matched query, occurrence count
  • Deduplication: Same rule+target merged within 24 hours (occurrence count incremented, last_seen updated)
  • AI Assessment: Automatically analyzed by Dual AI Agents on creation
  • Auto-Incident: Critical/high severity alerts auto-create incidents
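The title format, 24-hour deduplication and auto-incident rules above are easy to get subtly wrong when implemented (for example, merging into an alert whose window has already closed). The following is an added example written for this page, not the product's own detection-engine code. It assumes a simple in-memory alert list, anchors the 24h window at the alert's first_seen (the page does not say whether the window is measured from first_seen or last_seen), and flags auto-incident creation only for newly created high/critical alerts, never for merges.

```python
from datetime import datetime, timedelta, timezone

DEDUP_WINDOW = timedelta(hours=24)
AUTO_INCIDENT_SEVERITIES = {"critical", "high"}


def alert_title(rule_name: str, target: str) -> str:
    """Render the documented '[Detection] Rule Name → Target' title."""
    return f"[Detection] {rule_name} → {target}"


def find_open_duplicate(alerts: list, rule_name: str, target: str, seen_at: datetime):
    """Return the newest alert for the same rule+target whose 24h window still
    covers seen_at. Assumption: the window is anchored at first_seen. The list is
    chronological, so if the newest match is outside the window, older ones are too."""
    for alert in reversed(alerts):
        if alert["rule"] == rule_name and alert["target"] == target:
            if seen_at - alert["first_seen"] <= DEDUP_WINDOW:
                return alert
            return None
    return None


def ingest_match(alerts: list, rule_name: str, target: str, severity: str, seen_at: datetime) -> dict:
    """Fold one rule match into the alert list: merge into a duplicate (bump the
    occurrence count, update last_seen) or create a new alert and, for high or
    critical severity, report that an incident should be opened alongside it."""
    existing = find_open_duplicate(alerts, rule_name, target, seen_at)
    if existing is not None:
        existing["occurrence_count"] += 1
        existing["last_seen"] = seen_at
        return {"alert": existing, "created": False, "incident_created": False}

    alert = {
        "title": alert_title(rule_name, target),
        "rule": rule_name,
        "target": target,
        "severity": severity,
        "status": "open",
        "source": "detection-engine",
        "first_seen": seen_at,
        "last_seen": seen_at,
        "occurrence_count": 1,
    }
    alerts.append(alert)
    return {
        "alert": alert,
        "created": True,
        "incident_created": severity in AUTO_INCIDENT_SEVERITIES,
    }


def replay_sample() -> dict:
    """Constructed sample: one rule fires three times against the same host, the
    third time after the 24h window has closed, plus one low-severity rule."""
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    alerts: list = []
    results = [
        ingest_match(alerts, "SSH Brute Force", "10.0.0.5", "high", t0),
        ingest_match(alerts, "SSH Brute Force", "10.0.0.5", "high", t0 + timedelta(hours=3)),
        ingest_match(alerts, "SSH Brute Force", "10.0.0.5", "high", t0 + timedelta(hours=25)),
        ingest_match(alerts, "DNS Long Query", "10.0.0.9", "low", t0 + timedelta(minutes=5)),
    ]
    return {"alerts": alerts, "results": results}


if __name__ == "__main__":
    for alert in replay_sample()["alerts"]:
        print(alert["title"], alert["severity"], alert["occurrence_count"], alert["last_seen"])
```

Running the sample yields three alerts, not four: the second SSH match is merged (occurrence count 2, last_seen moved forward), the third lands outside the window and becomes a fresh alert with its own auto-incident, and the low-severity DNS alert is created without one.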

Alert Table

Columns

  • Timestamp: Relative time (“just now”, “5m ago”, “2h ago”) with absolute time on hover
  • Title: Alert name from detection rule or source
  • Severity: CRITICAL, HIGH, MEDIUM, LOW, INFO (color-coded badges)
  • Status: open, investigating, escalated, resolved, false_positive
  • Source: detection-engine, siem, edr, ndr, manual
  • MITRE Tactic: Associated ATT&CK tactic

Sorting

  • Default: detected_at DESC (newest first)
  • Options: Severity, Date, Status

Filtering

  • Full-text search across all alert fields
  • Severity filter (click severity badges)
  • Status filter
  • Time range selector (24h, 7d, 30d)
  • Click-to-filter: click any cell value to add as filter

Detail Panel (7 Tabs)

When an alert is selected, the right panel shows detailed information:

| Tab            | Content                                                                                      |
|----------------|----------------------------------------------------------------------------------------------|
| KYRA (default) | AI Security Analyst chat + quick actions (Investigation, Threat, Compliance, Operations)      |
| Overview       | Severity, status, CVSS, CVE, confidence, tactic, host, source, description                  |
| Detections     | Rule info, MITRE techniques/tactics, detection sources                                       |
| Timeline       | Event timeline (first seen, created, assigned, updated, last seen)                           |
| Evidence       | Source, process, user, affected host, MITRE ATT&CK mapping, searchable                       |
| Raw Data       | Full JSON dump of the alert object                                                           |
| Actions        | Status management, assignment, incident escalation, suppression                              |

AI Analysis Section

  • Dual Agent Display: Global Threat Intel + Internal SOC perspectives
  • Classification (CRITICAL/HIGH/MEDIUM/LOW/FALSE_POSITIVE) with confidence %
  • Click “Upgrade to Dual AI Analysis” for enhanced assessment

Auto-Select

The first alert is automatically selected when the page loads.


Alert Lifecycle

Detection Match → Alert Created → AI Assessment → Analyst Triage → Resolution
                                       ↓                ↓
                             (high/critical)      Escalate to Incident
                          Auto-Incident Created

Status Transitions

  • open → investigating → resolved
  • open → investigating → escalated → resolved
  • open → false_positive
  • Any status → suppressed (temporary)

Bulk Actions

Select multiple alerts using checkboxes:

  • Bulk Assign: Assign all selected alerts to an analyst
  • Bulk Change Status: Set status for all selected alerts
  • Bulk Suppress: Suppress selected alerts for a duration
  • Bulk Delete: Remove selected alerts (confirmation required)
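The status transitions and bulk actions above describe a small state machine: only the listed paths are valid, resolved and false_positive are terminal, and suppression is reachable from anywhere but temporary. The following is an added example for this page, not the product's own code. It encodes the documented transitions as a lookup table, records an audit entry for each change, and applies a bulk status change that reports rejected alerts instead of silently skipping them. One assumption: suppression is modelled as a time-boxed overlay (a suppressed_until timestamp) that leaves the underlying status untouched, since the page says it is temporary but does not say how it is stored.

```python
from datetime import datetime, timedelta, timezone

# Transition table built from the documented paths; resolved and
# false_positive are terminal, so they have no exits.
ALLOWED_TRANSITIONS = {
    "open": {"investigating", "false_positive"},
    "investigating": {"escalated", "resolved"},
    "escalated": {"resolved"},
    "resolved": set(),
    "false_positive": set(),
}


class TransitionError(ValueError):
    """Raised when a requested status change is not in ALLOWED_TRANSITIONS."""


def can_transition(current: str, new_status: str) -> bool:
    """True if the documented lifecycle permits current -> new_status."""
    return new_status in ALLOWED_TRANSITIONS.get(current, set())


def change_status(alert: dict, new_status: str, actor: str, now: datetime) -> dict:
    """Move an alert to new_status if allowed, appending an audit entry."""
    current = alert["status"]
    if not can_transition(current, new_status):
        raise TransitionError(f"{alert['id']}: {current} -> {new_status} not allowed")
    alert["status"] = new_status
    alert.setdefault("history", []).append(
        {"at": now, "by": actor, "from": current, "to": new_status}
    )
    return alert


def suppress(alert: dict, duration: timedelta, actor: str, now: datetime) -> dict:
    """Suppression is reachable from any status and is temporary. Assumption:
    it is a time-boxed overlay; the stored status is left untouched."""
    alert["suppressed_until"] = now + duration
    alert.setdefault("history", []).append(
        {"at": now, "by": actor, "from": alert["status"], "to": "suppressed"}
    )
    return alert


def effective_status(alert: dict, now: datetime) -> str:
    """What the alert table should display: 'suppressed' while the window is
    open, otherwise the stored status."""
    until = alert.get("suppressed_until")
    if until is not None and now < until:
        return "suppressed"
    return alert["status"]


def bulk_change_status(alerts: list, new_status: str, actor: str, now: datetime) -> dict:
    """Apply one transition to every selected alert. Alerts whose current
    status does not permit it are reported back rather than silently skipped."""
    applied, rejected = [], {}
    for alert in alerts:
        try:
            change_status(alert, new_status, actor, now)
            applied.append(alert["id"])
        except TransitionError as exc:
            rejected[alert["id"]] = str(exc)
    return {"applied": applied, "rejected": rejected}


def demo() -> dict:
    """Constructed walkthrough: two open alerts and one already resolved are
    bulk-moved to investigating; one is then escalated and one suppressed."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alerts = [
        {"id": "a1", "status": "open"},
        {"id": "a2", "status": "open"},
        {"id": "a3", "status": "resolved"},
    ]
    bulk = bulk_change_status(alerts, "investigating", "analyst1", now)
    change_status(alerts[0], "escalated", "analyst1", now + timedelta(minutes=10))
    suppress(alerts[1], timedelta(hours=2), "analyst1", now + timedelta(minutes=15))
    return {
        "bulk": bulk,
        "a1_status": alerts[0]["status"],
        "a2_during": effective_status(alerts[1], now + timedelta(hours=1)),
        "a2_after": effective_status(alerts[1], now + timedelta(hours=3)),
        "a1_history_len": len(alerts[0]["history"]),
    }


if __name__ == "__main__":
    print(demo())
```

In the walkthrough the bulk change lands on a1 and a2 but is rejected for the already-resolved a3; a2 reads as suppressed one hour later and as investigating again once its two-hour window has passed.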

Export

Export current page results via the Export dropdown:

  • CSV: Spreadsheet format
  • JSON: Structured data format

Server-side export supports up to 50,000 rows via /api/v1/export/alerts.


Access Requirements

Detections is available on all tiers including Detect (Free).