No alerts in the Hive....

[ColeVan]

Alerts will populate in the SOC's new alert tab but not in Hive. This is a airgaped distributed setup with one manager, two search nodes, and two fwd nodes. After activating all 492 sigma rules I still see no alerts in The Hive. I even downloaded a reverse meterpreter shell and executed malicious commands to populate alerts, still no luck. Any thoughts? This is a 2.3.1 build.

[dougburks]

Hi @ColeVan ,

Yes, this is expected behavior. From https://docs.securityonion.net/en/2.3/release-notes.html#id3:

We have a new Alerts interface for reviewing alerts and acknowledging or escalating them. Escalating creates a new case in TheHive. Please note that TheHive no longer receives alerts directly.

So starting in 2.3 GA, the new workflow is that alerts go to Alerts and then you can selectively choose important alerts to escalate to TheHive to create a case.

For more information, please see https://docs.securityonion.net/en/2.3/hive.html#hive.

[ColeVan]

So if your getting host based alerts in the Alert tab this means that Sigma rules are working as expected.

Also, once you elevate an alert from the Alert tab, shouldn't it count the the alerts in The Hive? It doesn't seem to do so.

Lastly, once you do elevate to hive there is no additional info to pivot to. Is this expected?

[dougburks]

TheHive Alerts should remain at 0 because when you escalate to TheHive, you're not creating an alert, but rather a case. From https://docs.securityonion.net/en/2.3/hive.html#hive:

As you are working in Alerts, Hunt, or Kibana, you may find alerts or logs that are interesting enough to send to TheHive and create a case. Other analysts can collaborate with you as you work to close that case.

Looking at your final screenshot, it looks like you escalated from an aggregated view in Alerts ("count":2). If you were to drill into that aggregated view and escalate one of those two alerts individually, then you should get more details included in the Description.