Where Do SOC Analysts Normally Monitor Alerts and Logs in Distributed Deployments? #14567
I have a few questions about best practices for monitoring and log storage when using Security Onion, especially in a distributed deployment setup:
In a typical SOC workflow, where do analysts usually monitor alerts most of the time?
In a distributed deployment (with separate manager and search nodes):
Any clarification or suggestions would be really helpful for our team to improve our monitoring process and log management. Thanks in advance!
Replies: 1 comment
The Alerts tab is going to be for your active rules, whether that is Suricata / Sigma / YARA, all configurable via the Detections tab. This is where you'll get an overview of triggered rules and can begin your investigation and potentially escalate to a Case.

If you didn't know, Security Onion Solutions has a YouTube channel. Here is a video that will help answer some of your questions on how the workflow might look for you.

For the log storage:
Logs ingested by the Elastic Agent end up in Elasticsearch, which runs on your manager and search nodes.
If you have tiered storage configured, then the latest (hot) data would end up on your search nodes assigned the 'data_hot' role.
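To verify the tiering described in the reply above (hot data landing on search nodes that carry the `data_hot` role), here is an added check that is not part of the discussion or of Security Onion itself. It parses the JSON returned by Elasticsearch's `GET _nodes` and `GET _cat/shards?format=json` endpoints and flags hot-tier indices that have a shard on a node without the `data_hot` role; the node names, index names and sample responses are constructed for the example.

```python
import json

# Constructed sample of GET _nodes, trimmed to the fields this check uses.
# Node names are hypothetical; the manager here carries data_warm, not data_hot.
NODES_JSON = json.dumps({
    "nodes": {
        "n1": {"name": "so-manager", "roles": ["master", "data_warm", "ingest"]},
        "n2": {"name": "so-searchnode1", "roles": ["data_hot", "ingest"]},
        "n3": {"name": "so-searchnode2", "roles": ["data_warm"]},
    }
})

# Constructed sample of GET _cat/shards?format=json. Index names are hypothetical.
# The replica of the newest index sits on the manager, which is the misplacement we want to catch.
SHARDS_JSON = json.dumps([
    {"index": "logs-suricata-2024.06.01", "shard": "0", "prirep": "p", "state": "STARTED", "node": "so-searchnode1"},
    {"index": "logs-suricata-2024.06.01", "shard": "0", "prirep": "r", "state": "STARTED", "node": "so-manager"},
    {"index": "logs-suricata-2024.05.01", "shard": "0", "prirep": "p", "state": "STARTED", "node": "so-searchnode2"},
    {"index": "logs-suricata-2024.05.01", "shard": "0", "prirep": "r", "state": "UNASSIGNED", "node": None},
])


def hot_nodes(nodes_json: str) -> set:
    """Return the names of nodes carrying the data_hot role."""
    data = json.loads(nodes_json)
    return {n["name"] for n in data["nodes"].values() if "data_hot" in n["roles"]}


def shard_placement(shards_json: str) -> dict:
    """Map each index to the set of node names holding any of its shards (primary or replica)."""
    placement = {}
    for shard in json.loads(shards_json):
        if shard.get("node"):  # unassigned shards have no node and are skipped
            placement.setdefault(shard["index"], set()).add(shard["node"])
    return placement


def misplaced_hot_indices(nodes_json: str, shards_json: str, hot_indices) -> list:
    """(index, node) pairs where an index expected in the hot tier has a shard on a non-data_hot node."""
    hot = hot_nodes(nodes_json)
    placement = shard_placement(shards_json)
    return sorted((idx, node) for idx in hot_indices
                  for node in placement.get(idx, ()) if node not in hot)


if __name__ == "__main__":
    for idx, node in misplaced_hot_indices(NODES_JSON, SHARDS_JSON, ["logs-suricata-2024.06.01"]):
        print(f"hot index {idx} has a shard on non-hot node {node}")
```

Against a live deployment, replace the two constants with the bodies of the corresponding API responses and pass the names of the indices you expect to be in the hot tier.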