About Alerts#
This topic explains alerts, their components, and how they're created in TheHive.
Definition#
An alert is a security event generated by detection tools such as SIEM, IDS, EDR, firewalls, or threat intelligence platforms like MISP. It serves as an early warning that helps analysts identify, investigate, and respond to potential threats.
Alerts are reviewed and triaged, and converted into cases when further investigation is needed.
Sources#
Manual alert creation impossible: TheHive doesn't allow manual alert creation. Alerts must originate from external tools connected to TheHive.
The following sources can create alerts:
- Detection tools, such as SIEM, IDS, EDR, and firewalls, that push data to TheHive
- External systems from which TheHive retrieves data using alert feeders (TheHive 5.5 and later)
- Threat intelligence platforms like MISP connected to TheHive
- Email servers from which TheHive retrieves data
Key components#
In TheHive, an alert includes the following elements:
- Observables: Data points such as IP addresses, file hashes, domains, and email addresses that are relevant to an investigation.
- TTPs: The methods and strategies used by attackers, based on the MITRE ATT&CK knowledge base.
- Attachments: Files attached to an alert. Adding an image to an alert’s description or summary automatically saves it in the alert’s Attachments tab. Attachments can also be added manually.
Triage outcomes#
Creating cases from alerts#
Required permissions: Only users with the manageAlert/import permission can create cases from alerts and add alerts to existing cases in TheHive.
Create cases from alerts when further investigation is needed and no related investigation is already in progress.
This action automatically creates a link between the alert and the case.
Adding alerts to existing cases#
Required permissions: Only users with the manageAlert/import permission can create cases from alerts and add alerts to existing cases in TheHive.
Alerts can be added to existing cases if they relate to an ongoing investigation.
This action automatically creates a link between the alert and the case.
Closing alerts#
Required permissions: Only users with the manageAlert/update permission can close alerts in TheHive.
Close alerts that don't warrant escalation into a new or existing case for further investigation, for example because the alert is a false positive or a duplicate.
Closed alerts can be reopened if needed.
Custom fields completion#
An alert can't be closed while any required custom field is empty. Users can fill in or update custom field values as part of the closing process, but they can't remove custom fields from the alert.
Statistics#
Predefined statistics in dashboards are available from the alerts list. For custom statistics and dashboards, refer to the About Dashboards topic.