R7 InsightIDR - need to create a report/dashboard for calculation of the false positive alerts

Hi All,

Has any of you tried to prepare a report or dashboard which will show you the number of false positive alerts? We want to reduce the number of incoming alerts and focus more on the real threats.

Thanks for your recommendations!

Nadya


Hi Nadya,
It may be possible to use the investigation audit log for this. Decisions/changes to investigations are logged here, and you can use this audit data to build dashboards and reports. See screenshot for a very basic example.

Hi Daragh,
Thanks for your advice! Very much appreciated!
Take care.
Nadya

where("action" = "INVESTIGATION_DISPOSITION_ADDED") groupby("service_info.new_disposition")

Seems to be a good query to use; from it you could build a pie or bar chart to see the percentage of Benign events compared to the Malicious ones, for instance.

Thanks, David!

I feel that’s a great suggestion

Is it possible to define MTTR metrics in the dashboard to calculate how much time it took to resolve the incidents?

Not currently; there are audit logs in log search, but you can't perform calculations like this without writing some kind of script to programmatically query the data.
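The two ideas in this thread, counting dispositions the way David's groupby query does and computing a mean time to resolve from the audit log with a script as the last reply suggests, as one added example. This is not code from the thread, from Rapid7 or from InsightIDR itself: the only names taken from the thread are the action INVESTIGATION_DISPOSITION_ADDED and the field service_info.new_disposition. The JSON-lines export format, the timestamp and investigation_id fields, the INVESTIGATION_CREATED and INVESTIGATION_STATUS_CHANGED action names and the set of "benign" disposition labels are assumptions made for this example, and the audit events below are constructed; map them to whatever your exported audit log actually contains.

```python
"""Compute a false-positive ratio and a mean time to resolve (MTTR) from
exported investigation audit events (example code, not InsightIDR's own).

Only INVESTIGATION_DISPOSITION_ADDED and service_info.new_disposition come
from the thread. Every other field and action name is an assumption made
for this example, and SAMPLE_AUDIT_LOG is constructed test data."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample audit log, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"timestamp": "2023-05-01T08:00:00Z", "action": "INVESTIGATION_CREATED", "service_info": {"investigation_id": "inv-1"}}
{"timestamp": "2023-05-01T08:30:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-1", "new_disposition": "BENIGN"}}
{"timestamp": "2023-05-01T09:00:00Z", "action": "INVESTIGATION_CREATED", "service_info": {"investigation_id": "inv-2"}}
{"timestamp": "2023-05-01T11:00:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-2", "new_disposition": "MALICIOUS"}}
{"timestamp": "2023-05-01T10:00:00Z", "action": "INVESTIGATION_CREATED", "service_info": {"investigation_id": "inv-3"}}
{"timestamp": "2023-05-01T10:15:00Z", "action": "INVESTIGATION_DISPOSITION_ADDED", "service_info": {"investigation_id": "inv-3", "new_disposition": "BENIGN"}}
{"timestamp": "2023-05-01T12:00:00Z", "action": "INVESTIGATION_CREATED", "service_info": {"investigation_id": "inv-4"}}
{"timestamp": "2023-05-01T12:05:00Z", "action": "INVESTIGATION_STATUS_CHANGED", "service_info": {"investigation_id": "inv-4"}}
"""

# Assumed: which disposition labels count as a false positive.
BENIGN_DISPOSITIONS = {"BENIGN", "FALSE_POSITIVE"}


def parse_timestamp(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_audit_log(text):
    """Turn JSON-lines audit text into a list of event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["timestamp"] = parse_timestamp(event["timestamp"])
        events.append(event)
    return events


def disposition_counts(events):
    """Script equivalent of
    where("action" = "INVESTIGATION_DISPOSITION_ADDED")
    groupby("service_info.new_disposition")."""
    return Counter(
        e["service_info"]["new_disposition"]
        for e in events
        if e["action"] == "INVESTIGATION_DISPOSITION_ADDED"
    )


def false_positive_ratio(counts, benign=BENIGN_DISPOSITIONS):
    """Share of dispositions that are benign; 0.0 when nothing was dispositioned."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for label, n in counts.items() if label in benign) / total


def resolution_times(events):
    """Seconds from INVESTIGATION_CREATED to the first disposition, per
    investigation. Investigations with no disposition yet are left out."""
    opened = {}
    resolved = {}
    for e in sorted(events, key=lambda e: e["timestamp"]):
        inv = e["service_info"]["investigation_id"]
        if e["action"] == "INVESTIGATION_CREATED":
            opened.setdefault(inv, e["timestamp"])
        elif e["action"] == "INVESTIGATION_DISPOSITION_ADDED" and inv in opened:
            resolved[inv] = (e["timestamp"] - opened.pop(inv)).total_seconds()
    return resolved


def mean_time_to_resolve(events):
    """Mean of resolution_times in seconds, or None when nothing was resolved."""
    times = resolution_times(events)
    if not times:
        return None
    return sum(times.values()) / len(times)


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LOG)
    counts = disposition_counts(evts)
    print("dispositions:", dict(counts))
    print("false-positive ratio: %.2f" % false_positive_ratio(counts))
    print("MTTR (minutes): %.1f" % (mean_time_to_resolve(evts) / 60))
```

Still-open investigations (inv-4 above, which only has a status change) are excluded from the MTTR rather than counted as zero, so the metric does not improve simply because analysts stop closing tickets; report the number of unresolved investigations alongside it.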