Alerts to The Hive Workflow Questions

[jhildreth]

I've been working on determining what the workflow for my team would be in SO2. I've really like what I've seen in The Hive, particularly some of the opportunities to leverage automation.

I had been working with the system in the beta versions, where alerts went directly into The Hive. I've also been experimenting with Alerts, and I've watched the demos at the conference and in the SO2 Essentials training. I really appreciate the thought and work that went into Alerts, but there are a few questions I have around capabilities that I wonder if I'm missing how to do, or if they might be on the roadmap.

• When escalating an alert from Alerts to The Hive, is it possible to specify the case template you would like to use? The ability to setup playbooks of sorts with the tasks in different case templates in The Hive is really useful.

• Is there any way for Alerts to pass observables into the cases it's creating in The Hive? Having things like the source and destination IPs (when applicable) automatically added as observables when creating cases from the alerts in the beta versions was nice.

I understand that I can setup ElastAlert rules to have alerts go straight into The Hive and triage there, like it was in the beta. However, I see the work going into Alerts and it seems like that is really going to be an encouraged workflow going forward, so I want to see if it can be a good match for my team.

Thanks to the SO team for all the work you've put into this excellent product!

[TOoSmOotH]

I know some new features around case templates will be in the next planned release. The Alerts interface is brand new and we really have a blank canvas to work with. Automatically adding observables is also something we are talking about but won't be in that release. So the best bet is to keep submitting feedback and we will look at ways to incorporate what the community is looking for.

[jhildreth]

Sounds great. Thanks!