About Alerts

This topic explains alerts, their components, and how they're created in TheHive.

Definition

An alert is a security event generated by detection tools such as SIEM, IDS, EDR, firewalls, or threat intelligence platforms like MISP. It serves as an early warning that helps analysts identify, investigate, and respond to potential threats.

Alerts are reviewed, triaged, and transformed into cases for deeper investigation.

Sources

Manual alert creation not possible

You can't manually create an alert in TheHive. Alerts must be generated by external tools connected to TheHive.

An alert can be created from the following sources:

• Detection tools, such as SIEM, IDS, EDR, and firewalls, that push data to TheHive

• 5.5 External systems from which TheHive retrieves data using alert feeders

• Threat intelligence platforms like MISP connected to TheHive

• Email servers from which TheHive retrieves data.

Key components

In TheHive, an alert includes the following elements:

• Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.

• TTPs: The methods and strategies used by attackers, based on the MITRE ATT&CK knowledge base.

Closing alerts

Required permissions

Only users with the manageAlert/update permission can close alerts in TheHive.

Alerts can be closed when they are not worth escalating into a new case or an existing case for further investigation. This may happen, for example, if the alert is a false positive or a duplicate.

Custom fields completion

Alerts can't be closed if any required custom fields are left empty. Users can add or update values in custom fields during the closing process. However, they can't remove custom fields themselves.

Statistics

Predefined statistics in dashboards are available from the alerts list. For custom statistics and dashboards, refer to the About Dashboards topic.

Next steps

• Find an Alert
• New Case from Selection
• Merge Alerts
• Close an Alert