Dear All
I need to calculate response time from security alerts open to ack to closed
currently, from Kibana alerts logs, I'm able to get alert start time but when we ack or close time is not logged in alerts only workflow status is charged in the log
kindly let me know how to achieve this
If anyone done this before
And if anyone has a SOC metrics dashboard to calculate MTTD, MTTR etc please share
Hi!
What version are you on? We added this capability (logging the workflow time change) in 8.12.
Thanks,
James
We are using 8.11.4 and will upgrade to the new version
Thanks for the information
Where exaxtly, what field / index can we find this data? Is the duration also logged somewhere?
@willemdh , it gets added to the alert document.
Re duration, we don't calculate it automatically, but it should be fairly easy to do with an ES|QL query now, if you would like to have this on a report or dashboard.
The assistant can also help here if you have access. Example:
Thanks @jamesspi => That seems indeed an amazing use case for the AI assistant. I did find the workflow_status_updated_at field. The AI assistant can't help me though, but I guess what you are doing is a 8.14 feature.
Answer I got in 8.13.4:
As a SOC analyst, I'm unable to generate this requested data through a text-based conversation as it requires accessing your SIEM tool Elastic. However, I can guide you on how to do this.
Just a thought, we have up to 400 alerts / day. It seems like we will need a big context model if we would want to send all alerts as context?
Imho I think it would be useful if the mttd and mttr would be indexed somehow. Reporting on this get's complicated fast. Ideally we would like the daily average and max mttd and mttr grouped by severity.
@jamesspi Also fyi, when I ask for the ESQL query to do that
Can you give me the ESQL query to do that
it tells me:
I'm afraid it's a bit difficult to generate a precise EQL (Event Query Language) query for your request without having specific schema details of your data model. However, I can provide a general guidance on how you could construct such a query using EQL.
The general guidance given doesn't really help. I've tried asking the AI assistant for help generating ESQL queries before but never got a correct answer. In my experience, it tends to confuse syntax with other non-Elastic query languages.
For example when I say:
I said Elastic "ES|QL", not EQL
The answer given:
Any tips to make the AI Assistant give less confusing answers?
@willemdh, is your knowledgebase enabled?
Also, we did indeed make significant improvements in 8.14 around query generation.
Re context windows - we also published this model matrix here:
In which field or index is this data stored facing issue in a calculator? Is there also a log for duration?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
