# About Alerts
This topic explains alerts, their components, and how they're created in TheHive.
## Definition
An alert is a security event generated by detection tools such as SIEM, IDS, EDR, firewalls, or threat intelligence platforms like MISP. It serves as an early warning that helps analysts identify, investigate, and respond to potential threats.
Alerts are reviewed, triaged, and transformed into cases for deeper investigation.
## Sources

**Manual alert creation not possible:** You can't manually create an alert in TheHive. Alerts must be generated by external tools connected to TheHive.
An alert can be created from the following sources:

- Detection tools such as SIEM, IDS, EDR, or firewalls connected to TheHive
- Threat intelligence platforms like MISP connected to TheHive
- Email servers connected to TheHive
## Key components
In TheHive, an alert includes the following elements:

- Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.
- TTPs: The methods and strategies used by attackers, based on the MITRE ATT&CK knowledge base.
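The following example shows how an external detection tool (the IDS connector case from the Sources section) would assemble an alert carrying the components listed above, observables and a TTP, and post it to TheHive. It is added example code for this page, not TheHive's or StrangeBee's own connector code. It assumes TheHive's v1 REST endpoint `POST /api/v1/alert` with bearer-token authentication, and the alert field names used by the thehive4py client (`observables` with `dataType`/`data`, `procedures` with `patternId`/`occurDate`/`tactic`); check the API reference for your TheHive version. The IDS event, hostname and API key are constructed placeholders.

```python
"""Build and submit a TheHive alert from a detection-tool event.

Added example, not TheHive's own code. Assumes TheHive's v1 API
(POST /api/v1/alert) and thehive4py-style field names. The sample IDS
event below is constructed for the example.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample event, as an IDS connector might receive it.
SAMPLE_EVENT = {
    "event_id": "ids-2024-0001",
    "timestamp": "2024-05-01T10:15:00Z",
    "signature": "ET MALWARE Known malicious domain lookup",
    "src_ip": "10.0.0.25",
    "dest_ip": "203.0.113.7",
    "dns_query": "updates.example-malicious.test",
    "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "mitre_technique": "T1071.004",   # ATT&CK technique id (assumed field name)
    "mitre_tactic": "command-and-control",
}

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)
SHA256 = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)

# Which event fields become which TheHive observable data types, and how
# each value is validated before it is pushed.
FIELD_TYPES = {
    "src_ip": ("ip", IPV4),
    "dest_ip": ("ip", IPV4),
    "dns_query": ("domain", DOMAIN),
    "file_sha256": ("hash", SHA256),
}


def to_epoch_ms(iso_utc: str) -> int:
    """TheHive expects timestamps as epoch milliseconds."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def extract_observables(event: Dict) -> List[Dict]:
    """Turn event fields into validated, de-duplicated TheHive observables."""
    seen = set()
    observables = []
    for field, (data_type, pattern) in FIELD_TYPES.items():
        value = event.get(field)
        if not value or not pattern.match(str(value)):
            continue  # missing or malformed: do not push junk observables
        key = (data_type, str(value).lower())
        if key in seen:
            continue  # e.g. src_ip == dest_ip would otherwise duplicate
        seen.add(key)
        observables.append({
            "dataType": data_type,
            "data": value,
            "message": f"From IDS field '{field}'",
            "tags": [f"ids:{field}"],
        })
    return observables


def build_alert(event: Dict, source: str = "ids-connector") -> Dict:
    """Assemble the alert payload: metadata, observables and the TTP."""
    occur = to_epoch_ms(event["timestamp"])
    technique = event.get("mitre_technique")
    alert = {
        "type": "ids",
        "source": source,
        # TheHive deduplicates on (type, source, sourceRef): reusing the tool's
        # own event id means a replayed event does not create a second alert.
        "sourceRef": event["event_id"],
        "title": event["signature"],
        "description": f"Detection `{event['signature']}` reported by {source}.",
        "severity": 3,  # 1 low .. 4 critical
        "date": occur,
        "tags": ["ids"] + ([f"attack:{technique}"] if technique else []),
        "observables": extract_observables(event),
        "procedures": [],
    }
    if technique:
        alert["procedures"].append({
            "patternId": technique,            # ATT&CK technique id
            "occurDate": occur,
            "tactic": event.get("mitre_tactic"),
            "description": "Reported by the IDS signature",
        })
    return alert


def make_request(payload: Dict, base_url: str, api_key: str) -> urllib.request.Request:
    """Prepare the POST to /api/v1/alert; separated from sending so it can be inspected."""
    url = base_url.rstrip("/") + "/api/v1/alert"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
        method="POST",
    )


def send_alert(payload: Dict, base_url: str, api_key: str) -> Dict:
    """Submit the alert and return TheHive's JSON response (needs network access)."""
    with urllib.request.urlopen(make_request(payload, base_url, api_key)) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Prints the payload only; call send_alert(..., "https://thehive.example.test", "<API_KEY>") to submit.
    print(json.dumps(build_alert(SAMPLE_EVENT), indent=2))
```

The two points worth carrying into a real connector are the `sourceRef` choice (reuse the tool's own event id so TheHive's `(type, source, sourceRef)` deduplication absorbs replays) and validating each observable value before pushing it, so that a malformed field in the source tool never lands as a bogus indicator that analysts then have to clean up during triage.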