TheHive’s automated triage optimizes alert management by integrating detection tools using custom JavaScript Functions. These Functions create alerts directly, eliminating middleware.
Predefined triggers run automated analyzers on observables like IPs and file hashes, delivering real-time threat reports.
Alert triage
Summary
Reduce manual work, speed up triage and quickly focus on real threats, all to improve response times and better protect critical systems.
Scenario
A large organization is overwhelmed by a surge of security alerts from various detection tools. Given the sensitivity of their data, there’s concern that this could be part of a targeted attack by a ransomware group known for crippling the systems it targets. To manage this situation, the cybersecurity team leverages TheHive’s automated triage capabilities.
- Functions integration: The organization integrates multiple external detection tools directly into TheHive using custom Functions. These Functions are small pieces of JavaScript code that receive inputs from detection sources, process the data, and interact with TheHive’s APIs. For example, when an Intrusion Detection System (IDS) flags a suspicious activity resembling known patterns, the Function processes this information and automatically creates a corresponding alert in TheHive without needing additional middleware like a Python script.
- Notification triggers: As soon as an alert is created in TheHive, a predefined Notification trigger is activated. It then automatically runs analyzers on the alert’s observables—such as IP addresses, file hashes and URLs. The no-code automation ensures that these analyzers start working immediately, without any manual intervention, allowing the team to save critical time.
- Automated analysis: By the time analysts begin their triage, all observables within the alert have already been analyzed. The automated analyzers have generated short reports on each observable, highlighting any potential threats. Conducting this analysis upfront allows analysts to quickly identify IOCs or other significant data points.
- Alert triage: With the analyzer reports in hand, analysts can efficiently triage the alerts. They review the summarized findings, focusing on key threat indicators that might warrant further investigation. If the alert shows signs of a significant threat, it can be promoted to a full Case for in-depth analysis and response. If the analysis suggests no threat, the alert can be closed as a false positive.
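As an added example that is not TheHive's own code, a JavaScript Function of the kind described under Functions integration: it maps a constructed IDS event onto the alert fields TheHive accepts (type, source, sourceRef, title, severity, tags, observables). The handle(input, context) entry point and context.alert.create are assumptions about the Functions runtime, not documented names.

```javascript
// Added example (not TheHive's own Function code): shape a constructed IDS
// event into the alert payload TheHive's alert API expects. The submit
// call (context.alert.create) and the handle(input, context) entry point
// are assumed names; check the TheHive Functions documentation.

// Map the sample IDS severity words to TheHive's 1-4 severity scale.
const SEVERITY = { low: 1, medium: 2, high: 3, critical: 4 };

// IDS event fields that become TheHive observables, with their dataType.
const OBSERVABLE_FIELDS = {
  src_ip: "ip",
  dst_ip: "ip",
  file_sha256: "hash",
  url: "url",
};

function buildAlert(event) {
  const observables = [];
  for (const [field, dataType] of Object.entries(OBSERVABLE_FIELDS)) {
    const value = event[field];
    if (typeof value === "string" && value.length > 0) {
      observables.push({ dataType, data: value, tags: [`ids:${field}`] });
    }
  }
  return {
    type: "ids-detection",
    source: event.sensor,
    // sourceRef must be unique per source; deriving it from the IDS event id
    // lets TheHive reject the same event if the sensor resends it.
    sourceRef: `${event.sensor}-${event.event_id}`,
    title: `[IDS] ${event.signature}`,
    description: `${event.signature} on ${event.sensor} at ${event.timestamp}`,
    severity: SEVERITY[event.severity] ?? 2, // unknown level -> medium
    tags: ["ids", `sid:${event.signature_id}`],
    observables,
  };
}

// Function entry point: the runtime hands the detection payload in `input`.
function handle(input, context) {
  return context.alert.create(buildAlert(input));
}

// Constructed sample IDS event; file_sha256 is empty to show it is skipped.
const SAMPLE_EVENT = {
  sensor: "ids-dc1", event_id: "4711", signature: "Suspicious outbound beacon",
  signature_id: "1000123", severity: "high", timestamp: "2024-05-01T10:00:00Z",
  src_ip: "10.0.0.23", dst_ip: "203.0.113.7", file_sha256: "",
  url: "http://example.invalid/beacon",
};
```

Because sourceRef is derived from the sensor's event id, a resent IDS event produces the same alert reference instead of a second alert for analysts to triage.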
Outcome
The automated triage process drastically reduces the time required for analysts to review and prioritize alerts. By the time they interact with the alert, much of the heavy lifting is already done, enabling quicker decision-making and a more focused response to potential security incidents.
Triaging in TheHive helps safeguard the organization from a potentially devastating attack, protecting sensitive data and maintaining operational integrity.