Alerts
Security Onion Console (SOC) gives you access to our Alerts interface. This interface gives you an overview of the alerts that Security Onion is generating and allows you to quickly drill down into details, pivot to Hunt or the PCAP interface, and escalate alerts to Cases.

Options
At the top of the page, there is an Options drop-down menu that allows you to set options such as Acknowledged/Escalated, Automatic Refresh Interval, and Time Zone.
Toggles
There is a toggle labeled Temporarily enable advanced interface features.

If you enable this option, then the interface will show more advanced features similar to Dashboards and Hunt. These advanced features are only enabled temporarily so if you navigate away from the page and then return to the page, it will default back to its simplified view.
The Acknowledged and Escalated toggles control what alerts are displayed:

- Enabling the Acknowledged toggle will only show alerts that have previously been acknowledged by an analyst.
- Enabling the Escalated toggle will only show alerts that have previously been escalated by an analyst to Cases.
Automatic Refresh Interval
Another option is the Automatic Refresh Interval setting:

When enabled, the Alerts page will automatically refresh at the time interval you select.
Time Zone
Alerts will try to detect your local time zone via your browser. You can manually specify your time zone if necessary.
Query Bar
The query bar defaults to Group By Name, Module which groups the alerts by rule.name and event.module. If you want to send your current Alerts query to Hunt, you can click the crosshair icon to the right of the query bar.

You can click the dropdown box to select other queries which will group by other fields.

Time Picker
By default, Alerts searches the last 24 hours. If you want to search a different time frame, you can change it in the upper right corner of the screen.

Data Table
The remainder of the page is a data table that starts in the grouped view and can be switched to the detailed view. Both views have some functionality in common:
- Clicking the table headers allows you to sort ascending or descending.
- Clicking the bell icon acknowledges an alert. That alert can then be seen by selecting the Acknowledged toggle at the top of the page. In the Acknowledged view, clicking the bell icon removes the acknowledgement.
- Clicking the blue exclamation icon escalates the alert to Cases and allows you to create a new case or add to an existing case. If you need to find that original escalated alert in the Alerts page, you can enable the Escalated toggle (which will automatically enable the Acknowledged toggle as well).
- Clicking a value in the table brings up a context menu of actions for that value. This allows you to refine your existing search, start a new search, or even pivot to external sites like Google and VirusTotal.
- You can adjust the Rows per page setting in the bottom right and use the left and right arrow icons to page through the table.
Grouped View
By default, alerts are grouped by whatever criteria is selected in the query bar. Clicking a field value and then selecting the Drilldown option allows you to drill down into that value which switches to the detailed view. You can also click the value in the Count column to perform a quick drilldown. Note that this quick drilldown feature is only enabled for certain queries.

If you’d like to remove a particular field from the grouped view, you can click the trash icon at the top of the table to the right of the field name.
Detailed View
If you click a value in the grouped view and then select the Drilldown option, the display will switch to the detailed view. This shows all search results and allows you to then drill into individual search results as necessary. Clicking the table headers allows you to sort ascending or descending. Starting from the left side of each row, there is an arrow which will expand the result to show all of its fields. To the right of that arrow is the Timestamp field. Next, a few standard fields are shown: rule.name, event.severity_label, source.ip, source.port, destination.ip, and destination.port. Depending on what kind of data you’re looking at, there may be some additional data-specific fields as well.

When you click the arrow to expand a row in the Events table, it will show all of the individual fields from that event. Field names are shown on the left and field values on the right. When looking at the field names, there is an icon to the left that will add that field to the groupby section of your query. You can click on values on the right to bring up the context menu to refine your search or pivot to other pages.
