As a Security Operations Center (SOC) manager, you need to have overall efficiency metrics and measures at your fingertips to gauge the performance of your team. You'll want to see incident operations over time by many different criteria, like severity, MITRE tactics, mean time to triage, mean time to resolve, and more. Microsoft Sentinel now makes this data available to you with the new SecurityIncident table and schema in Log Analytics and the accompanying Security operations efficiency workbook. You'll be able to visualize your team's performance over time and use this insight to improve efficiency. You can also write and use your own KQL queries against the incident table to create customized workbooks that fit your specific auditing needs and KPIs.

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

The SecurityIncident table is built into Microsoft Sentinel. You'll find it with the other tables in the SecurityInsights collection under Logs. You can query it like any other table in Log Analytics.

Every time you create or update an incident, a new log entry will be added to the table. This allows you to track the changes made to incidents, and allows for even more powerful SOC metrics, but you need to be mindful of this when constructing queries for this table as you may need to remove duplicate entries for an incident (dependent on the exact query you are running).

For example, if you wanted to return a list of all incidents sorted by their incident number but only wanted to return the most recent log per incident, you could do this using the KQL summarize operator with the arg_max() aggregation function:

```kusto
SecurityIncident
// Keep only the row with the latest LastModifiedTime for each incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| sort by IncidentNumber asc
```

Incident state - all incidents by status and severity in a given time frame:

```kusto
let startTime = ago(14d);
SecurityIncident
| where LastModifiedTime between (startTime .. now())
// One row per incident: the most recently ingested record
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status in ('New', 'Active', 'Closed')
| where Severity in ('High','Medium','Low', 'Informational')
```

Closure time by percentile:

```kusto
SecurityIncident
| summarize arg_max(TimeGenerated,*) by IncidentNumber
// Hours from creation to closure; ClosedTime is empty for incidents that are still open
| extend TimeToClosure = (ClosedTime - CreatedTime)/1h
| summarize 5th_Percentile=percentile(TimeToClosure, 5),50th_Percentile=percentile(TimeToClosure, 50),90th_Percentile=percentile(TimeToClosure, 90),99th_Percentile=percentile(TimeToClosure, 99)
```

Triage time by percentile:

```kusto
SecurityIncident
// Deduplicate to the latest record per incident before measuring
| summarize arg_max(TimeGenerated,*) by IncidentNumber
// Hours from creation to the first modification
| extend TimeToTriage = (FirstModifiedTime - CreatedTime)/1h
| summarize 5th_Percentile=max_of(percentile(TimeToTriage, 5),0),50th_Percentile=percentile(TimeToTriage, 50),90th_Percentile=percentile(TimeToTriage, 90),99th_Percentile=percentile(TimeToTriage, 99)
```
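As an added example that is not part of the original article, the following query combines the deduplication step with the triage and closure calculations into a single per-severity view of mean time to triage and mean time to resolve, which is the kind of KPI breakdown the article describes. The 30-day window, the severity ordering, and the assumption that ClosedTime is empty until an incident is closed are mine, not the article's.

```kusto
// Added example (not from the original article): per-severity triage and closure
// metrics for one reporting window, deduplicated to the latest record per incident.
let startTime = ago(30d);
let endTime = now();
SecurityIncident
| where CreatedTime between (startTime .. endTime)
// The table holds one row per create/update; keep only the newest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Hours from creation to first modification, floored at zero for clock skew
| extend TimeToTriage = max_of((FirstModifiedTime - CreatedTime) / 1h, 0.0)
// Assumption: ClosedTime is empty until an incident is closed, so only closed
// incidents contribute a closure time; open ones are still counted below
| extend TimeToClosure = iff(Status == 'Closed' and isnotnull(ClosedTime),
                             (ClosedTime - CreatedTime) / 1h, real(null))
| summarize Incidents = count(),
            StillOpen = countif(Status != 'Closed'),
            MeanTriageHours = round(avg(TimeToTriage), 2),
            MedianTriageHours = round(percentile(TimeToTriage, 50), 2),
            MeanClosureHours = round(avg(TimeToClosure), 2),
            P90ClosureHours = round(percentile(TimeToClosure, 90), 2)
    by Severity
// Order rows High, Medium, Low, Informational rather than alphabetically
| extend SeverityRank = case(Severity == 'High', 0,
                             Severity == 'Medium', 1,
                             Severity == 'Low', 2, 3)
| sort by SeverityRank asc
| project-away SeverityRank
```

Aggregations such as avg() and percentile() skip null values, so open incidents lower neither the closure averages nor the percentiles while still appearing in the Incidents and StillOpen counts.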