Automation Escalation Cases SOC #8989

ferburri · 2022-10-25T13:23:57Z

ferburri
Oct 25, 2022

Hello Security Onion community 🤗,

I'm new in Security Onion and I have developed a laboratory (Google Cloud) where I have installed an "Evaluation" production of Security Onion. Moreover, I have created 3 different client virtual machines in order to sniff the traffic into the sensor.

I have tested the functionalities of the application, and I would like to know whether it is possible to create a case for each client which shows the alerts for each one. This is beacuse, when you have an organisation with 100 client machines working, it is difficult to filter the alerts in just one page (alerts panel).

I recreate the following scenario 👌:

Imagine that you have a WebServer and a NAS Station, my goal is to have two cases (one for each machine) where it is stored the alerts for each one and it is constantly updating the information of the case (store more alerts that are arriving to SOC).

I do not know if there is a possibility to have an independently alert page for each machine or if it is possible to create dynamic cases(without user supervision). If you have any doubt, feel free to contact me or request more information about this idea.

Answered by dougburks

Oct 26, 2022

when you have an organisation with 100 client machines working, it is difficult to filter the alerts in just one page (alerts panel).

We've designed Alerts to support organizations with much more than 100 client machines.

The Alerts page allows you to view alerts in a few different ways:

you can click the query dropdown box and choose different ways to group the alerts (or ungrouped) as shown at https://docs.securityonion.net/en/2.3/alerts.html#query-bar
you can add your own custom queries to this dropdown box as shown at https://docs.securityonion.net/en/2.3/soc-customization.html#custom-queries
you can filter to include or exclude a specific IP address as shown at https://docs.securi…

View full answer

dougburks · 2022-10-26T19:59:44Z

dougburks
Oct 26, 2022
Maintainer

when you have an organisation with 100 client machines working, it is difficult to filter the alerts in just one page (alerts panel).

We've designed Alerts to support organizations with much more than 100 client machines.

The Alerts page allows you to view alerts in a few different ways:

you can click the query dropdown box and choose different ways to group the alerts (or ungrouped) as shown at https://docs.securityonion.net/en/2.3/alerts.html#query-bar
you can add your own custom queries to this dropdown box as shown at https://docs.securityonion.net/en/2.3/soc-customization.html#custom-queries
you can filter to include or exclude a specific IP address as shown at https://docs.securityonion.net/en/2.3/alerts.html#context-menu
for even more control, you can enable advanced interface features as shown at https://docs.securityonion.net/en/2.3/alerts.html#toggles

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Automation Escalation Cases SOC #8989

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Automation Escalation Cases SOC #8989

Uh oh!

ferburri Oct 25, 2022

Replies: 1 comment

Uh oh!

Uh oh!

dougburks Oct 26, 2022 Maintainer

ferburri
Oct 25, 2022

dougburks
Oct 26, 2022
Maintainer