Are there any solutions currently for tracking common SOC metrics in IDR?
- Severity of investigations over time
- Open to close investigations over time
- MTTD - Mean Time to Detect
- MTTI - Mean Time to Investigation
- MTTR - Mean Time to Respond
- Escalations over time
There is the Security Operations Activity tab on the IDR Home screen, but I don't think we have anything that goes as deep as what you're looking for.
You could of course use the API to get some data about the investigations, which includes fields like the status of the investigation (open|closed), creation time, last accessed time, etc. From there you could use that data to populate some of the things you're looking for.
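As an added example (not code from this thread or from the IDR product), the script below computes three of the metrics asked about from investigation records carrying the fields the reply mentions. The field names `status`, `priority`, `created_time` and `last_accessed`, and the sample records, are assumptions; MTTR is approximated as creation-to-last-accessed on closed investigations.

```python
# Added example: SOC metrics from investigation records (constructed sample,
# field names assumed to resemble what the investigations API returns).
from collections import Counter, defaultdict
from datetime import datetime, timezone

SAMPLE = [  # constructed records, not real API output
    {"rrn": "inv-1", "status": "CLOSED", "priority": "HIGH",
     "created_time": "2024-03-04T09:00:00Z", "last_accessed": "2024-03-04T13:30:00Z"},
    {"rrn": "inv-2", "status": "CLOSED", "priority": "LOW",
     "created_time": "2024-03-05T10:00:00Z", "last_accessed": "2024-03-06T10:00:00Z"},
    {"rrn": "inv-3", "status": "OPEN", "priority": "CRITICAL",
     "created_time": "2024-03-12T08:00:00Z", "last_accessed": "2024-03-12T08:00:00Z"},
    {"rrn": "inv-4", "status": "CLOSED", "priority": "HIGH",
     "created_time": "2024-03-13T08:00:00Z", "last_accessed": "2024-03-13T09:30:00Z"},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def week_key(ts):
    """Bucket a timestamp into an ISO week label such as '2024-W10'."""
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"


def severity_over_time(records):
    """Count investigations per priority, bucketed by creation week."""
    buckets = defaultdict(Counter)
    for r in records:
        buckets[week_key(parse_ts(r["created_time"]))][r["priority"]] += 1
    return {k: dict(v) for k, v in buckets.items()}


def open_vs_closed_over_time(records):
    """Count open vs closed investigations, bucketed by creation week."""
    buckets = defaultdict(Counter)
    for r in records:
        buckets[week_key(parse_ts(r["created_time"]))][r["status"]] += 1
    return {k: dict(v) for k, v in buckets.items()}


def mean_time_to_close_hours(records):
    """MTTR proxy: mean hours from creation to last access on CLOSED records."""
    hours = [(parse_ts(r["last_accessed"]) - parse_ts(r["created_time"])).total_seconds() / 3600
             for r in records if r["status"] == "CLOSED"]
    return sum(hours) / len(hours) if hours else None


if __name__ == "__main__":
    print(severity_over_time(SAMPLE))
    print(open_vs_closed_over_time(SAMPLE))
    print(mean_time_to_close_hours(SAMPLE))
```

Pulling real records in place of `SAMPLE` and re-running on a schedule gives the trend lines over time; last-accessed is only a proxy, so use a true closed timestamp if your export provides one.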
Good question. Just wondering if someone has tried this through logsearch / the dashboard?