| Widget | Description |
| --- | --- |
| MTTD – Mean Time To Detect | The mean time from the creation of the case until the case is assigned to a user. Format: days-hours-minutes-seconds. The widget displays '0' if the case is not assigned. |
| MTTR – Mean Time To Remediate | The mean time from the creation of the case until the case is moved to the remediation stage. Format: days-hours-minutes-seconds. The widget displays 'N/A' if there is no remediation stage. |
| Avg. Handling Time per SOC Role | Displays the average amount of time a SOC role spent on a case, from the moment the case is assigned to this role until the case is closed or assigned to another SOC role. |
| Avg. Handling Time per Stage | Displays the average amount of time spent on a stage, from the moment the stage starts until the case is closed or another stage begins. |
| Mean time to Triage | Displays the average handling time per stage for the Triage stage per date for the different rules. |
| Avg. Handling Time Triage Stage | Displays the average handling time of the Triage stage per date. |
| Avg. Handling Time per SOC Role per Date | Displays the average handling time per SOC role per date. |
| Alert Distribution across Rules | Displays the distribution and percentage of alerts per rule type. |
| Event Distribution across Rules | Displays the percentage of events per rule type. |
| Open Vs Closed Cases | Displays the distribution of the number of open and closed cases. |
| Cases vs Alerts | Displays the distribution of the number of cases and alerts. |
| False positives vs. Handling time | A dual-axis graph that displays the false positive rate on the left axis vs. the average handling time on the right axis. The false positive rate is the percentage of non-malicious cases out of all cases. The average handling time is the time from case creation to case closure. The graph displays information regarding closed cases only. |
| % of Alerts per Rule | Displays the distribution and percentage of alerts per rule type. |
| Number of Alerts per Rule per Date | Displays the number of alerts per rule type per date. |
| % of Alerts per Product | Displays the distribution and percentage of alerts per product. |
| Number of Alerts per Product per Date | Displays the number of alerts per product per date. |
| False Positive Rate Vs Product | Displays the false positive rate per product type. The false positive rate is the percentage of non-malicious cases out of all cases. The graph displays information regarding closed cases only. |
| Top 10 Automated Alerts | Displays the top 10 rules with the highest percentage of automated alerts. An automated alert is an alert that has an automatically attached playbook. |
| Top 10 Alerts closed by automation | Displays the top 10 rules with the highest percentage of alerts that were automatically closed by a playbook. The graph displays information regarding closed cases only. |
| False positives vs Handling time for non automated Alerts | For alerts that do not have an automatically attached playbook, a dual-axis graph displays the false positive rate on the left axis vs. the average handling time on the right axis. The graph displays information regarding closed cases only. The graph is empty if there are no alerts without a playbook. |
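
To cross-check dashboard figures against exported case data, the following added example (not Google SecOps code) recomputes MTTD, MTTR, average handling time per SOC role, and the false positive rate from the definitions above. The record fields, the sample cases, the unpadded days-hours-minutes-seconds rendering, and returning '0' or 'N/A' when no case in the set qualifies are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def fmt(td):
    """Render a timedelta as days-hours-minutes-seconds (unpadded: an assumption)."""
    s = int(td.total_seconds())
    return f"{s // 86400}-{s % 86400 // 3600}-{s % 3600 // 60}-{s % 60}"

def mean(deltas):
    return sum(deltas, timedelta()) / len(deltas)

def mttd(cases):
    # Case creation -> assignment to a user; '0' when nothing was assigned.
    d = [c["assigned"] - c["created"] for c in cases if c.get("assigned")]
    return fmt(mean(d)) if d else "0"

def mttr(cases):
    # Case creation -> move to the remediation stage; 'N/A' when no case reached it.
    d = [c["remediation"] - c["created"] for c in cases if c.get("remediation")]
    return fmt(mean(d)) if d else "N/A"

def handling_per_role(cases):
    """A role's span runs from its assignment to the next reassignment or case closure."""
    spans = defaultdict(list)
    for c in cases:
        log = c["roles"]  # [(time, role), ...] in chronological order
        ends = [t for t, _ in log[1:]] + [c.get("closed")]
        for (start, role), end in zip(log, ends):
            if end is not None:  # the last span of a still-open case has no end yet
                spans[role].append(end - start)
    return {role: fmt(mean(v)) for role, v in spans.items()}

def false_positive_rate(cases):
    """Percentage of non-malicious cases, over closed cases only."""
    closed = [c for c in cases if c.get("closed")]
    if not closed:
        return None
    return 100 * sum(not c["malicious"] for c in closed) / len(closed)

T0 = datetime(2025, 1, 1, 9, 0, 0)
def at(minutes): return T0 + timedelta(minutes=minutes)

CASES = [  # constructed sample records, not exported product data
    {"created": at(0), "assigned": at(10), "remediation": at(70), "closed": at(130),
     "malicious": True, "roles": [(at(10), "Tier1"), (at(40), "Tier2")]},
    {"created": at(0), "assigned": at(30), "remediation": None, "closed": at(50),
     "malicious": False, "roles": [(at(30), "Tier1")]},
    {"created": at(5), "assigned": None, "remediation": None, "closed": None,
     "malicious": None, "roles": []},  # open, unassigned: excluded from every mean
]
```
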
Last updated 2025-03-13 UTC.

This document details four Advanced SOAR reports available in Google SecOps, focusing on key performance indicators and metrics.
The Performance Analysis – Handling Times report provides insights into case resolution, including Mean Time To Detect (MTTD), Mean Time To Remediate (MTTR), and average handling times per SOC role and stage.
The Performance Analysis – Analysts Workload report offers a breakdown of alert and event distribution across rules, as well as case volume metrics like Open vs Closed Cases.
The Security Posture and Sensors Performance report illustrates alert distribution by rule and product, while also highlighting false positive rates.
The Playbook Analysis report examines automation effectiveness by showcasing top automated alerts, alerts closed by automation, and handling times for non-automated alerts.