Using Looker Explores in SOAR reports

The following Looker Explores are available in the Advanced SOAR Reports tab, each providing specialized data and visualization capabilities that can be used to build advanced reports. For more information on Explores, see Creating and editing Explores:

| Looker Explore | Description |
|---|---|
| Alerts and Entities | Lets you monitor and analyze entities, alerts, cases, and incidents through fields such as case count, average handling time, and incident count, with filters for dimensions such as case priority, stage, and root cause. You can also track case handling efficiency through time-based measures like handling time and SLA status. |
| Analysts Case Load Tracker | Lets you track analyst workload over time. It visualizes and analyzes case loads by time of day and day of the week, enabling performance monitoring across different time periods, and supports workload tracking for each individual user per day, week, and month. |
| Case History | Lets you track the lifecycle of cases across phases such as stage transitions and analyst assignments. This Explore provides time-based metrics across various phase combinations, enabling detailed analysis of case handling efficiency and process timelines, including case durations and stage durations alongside other relevant metrics. You can also drill down by case name, priority, status, and environment. |
| Cases | Lets you monitor and analyze cases end to end. Key dimensions for drill-down include case priority, status, stage, environment, close reason, SLA status, and whether a case is marked as important or merged. The Explore also tracks the entire case lifecycle, from creation to closure. Measures include case counts, Mean Time to Assignment (MTTA), and Mean Time to Resolution (MTTR). You can also view user and assignee details, including their roles, email addresses, and assignment start dates. |
| Cases and Alerts | Lets you combine case and alert data to analyze how security events are processed into cases. Key dimensions include case priority, stage, and root cause, along with alert-specific details such as alert identifier, rule name, and product. You can also filter by playbook actions, incident status, and whether cases are marked as important. Measures include case and alert counts, providing insight into the flow and handling of security incidents. |
| Managed Detection Response | Lets you track case creation, triage, and resolution to measure response efficiency. It includes fields such as Triage Time and SLA Met Flag to monitor SLA compliance and optimize case handling. You can also use Case Priority and Close Case Root Cause to prioritize and review case closures, improving response times and effectiveness. |
| Tier Performance | Lets you analyze the efficiency of any two SOC Role categories by tracking the number of alerts created, closed, and pending over a specified time period. It includes dimensions such as SOC Role Name and Environment to filter and assess team performance between the two selected tiers, providing insight into workload distribution and alert management. |
| Vw Dashboard Cases | Provides a comprehensive view of case management and performance by combining case, alert, entity, stage progression, and analyst assignment details. It offers detailed drill-down options with dimensions including, but not limited to, Case Priority, Case Closed Reason, Case Closed Action Type, First/Last Handling Analyst, Alert Rule Name, Product, and Vendor. It also offers a wide range of performance-tracking KPIs, such as Automatically/Manually Closed Cases, Average Detection Time, Average Handling Time, Case Summary by Priority and SLA Limits, and Average Remediation Time. This Explore also supports in-depth analysis using tag-based dimensions and metrics. |