Alerts shown in active alerts are alerts that have been triggered. As far as the alerting regarding UDT, Currently we are only able to alert based off of an active watchlist... so when a particular MAC/IP becomes active on a device/port the watchlist becomes "active"... however the alert only tells you that a particular watchlist has became active and currently not able to give any statistics as far as device/port it was previously on.. Unsure if it will change on initial release of the product.
David's comments are correct.
From a feature perspective, what you see now if what will be in the 1.0 release. We have a long list of great enhancments that we are looking forward to working on once we get the first version out of the door. Look for an updated "What we are working on" for UDT after release. We have heard a lot of similair feedback to yours regarding wanting to alert / track unauthorized / rogue workstations.