Calculate response time for alerts

abubacker · June 27, 2024, 8:41am

Dear All

I need to calculate response time from security alerts open to ack to closed

currently, from Kibana alerts logs, I'm able to get alert start time but when we ack or close time is not logged in alerts only workflow status is charged in the log

kindly let me know how to achieve this
If anyone done this before

And if anyone has a SOC metrics dashboard to calculate MTTD, MTTR etc please share

jamesspi · June 27, 2024, 1:10pm

Hi!

What version are you on? We added this capability (logging the workflow time change) in 8.12.

Thanks,
James

abubacker · June 28, 2024, 6:27am

We are using 8.11.4 and will upgrade to the new version
Thanks for the information

willemdh · June 28, 2024, 12:27pm

Where exaxtly, what field / index can we find this data? Is the duration also logged somewhere?

jamesspi · June 28, 2024, 2:39pm

@willemdh , it gets added to the alert document.

Re duration, we don't calculate it automatically, but it should be fairly easy to do with an ES|QL query now, if you would like to have this on a report or dashboard.

The assistant can also help here if you have access. Example:

willemdh · June 29, 2024, 9:24am

Thanks @jamesspi => That seems indeed an amazing use case for the AI assistant. I did find the workflow_status_updated_at field. The AI assistant can't help me though, but I guess what you are doing is a 8.14 feature.

Answer I got in 8.13.4:

As a SOC analyst, I'm unable to generate this requested data through a text-based conversation as it requires accessing your SIEM tool Elastic. However, I can guide you on how to do this.

Just a thought, we have up to 400 alerts / day. It seems like we will need a big context model if we would want to send all alerts as context?

Imho I think it would be useful if the mttd and mttr would be indexed somehow. Reporting on this get's complicated fast. Ideally we would like the daily average and max mttd and mttr grouped by severity.

willemdh · June 29, 2024, 9:34am

@jamesspi Also fyi, when I ask for the ESQL query to do that

Can you give me the ESQL query to do that

it tells me:

I'm afraid it's a bit difficult to generate a precise EQL (Event Query Language) query for your request without having specific schema details of your data model. However, I can provide a general guidance on how you could construct such a query using EQL.

The general guidance given doesn't really help. I've tried asking the AI assistant for help generating ESQL queries before but never got a correct answer. In my experience, it tends to confuse syntax with other non-Elastic query languages.

For example when I say:

I said Elastic "ES|QL", not EQL

The answer given:

Any tips to make the AI Assistant give less confusing answers?

jamesspi · July 1, 2024, 1:20pm

@willemdh, is your knowledgebase enabled?

Also, we did indeed make significant improvements in 8.14 around query generation.

jamesspi · July 1, 2024, 1:21pm

Re context windows - we also published this model matrix here:

tareveor23 · July 23, 2024, 8:44am

In which field or index is this data stored facing issue in a calculator? Is there also a log for duration?

system · August 20, 2024, 8:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.