I was wondering if anyone has any ideas for how to use cases within Elastic security for gathering/reporting metrics?
I'm looking for collecting metrics like, mean time to detection, mean time to mitigation, mean time to remediation, number of impacted entities, number of related events, etc.
I don't see that as being something natively supported currently within the case system, so I wanted to see how others are collecting these types of metrics for reporting purposes.
I have the idea of creating a new index, where each incident is a document will all of the fields needed for collecting these metrics, but I have two concerns with this method.
- It requires additional work; I've gotta create the case and all, but then need to go back and collect the metrics.
- This method doesn't really have a UX friendly method for adding documents, therefore requiring additional education for users who use the system on how to use some parts of the Elastic API, that normally they'd never really need to use.