Setting the SLA

A Service Level Agreement (SLA) represents a commitment by the SOC to perform specific tasks, such as investigating or remediating cases, within a set period of time.

SLA Types:

  • Alert SLA: the maximum committed time for closing an alert. Alert SLA is mainly based on alert attributes (Alert Type, Alert Priority, etc.), but can also be based on other attributes (such as case attributes).

  • Case SLA: the maximum committed time for closing a case. Case SLA is mainly based on case attributes (Case Stage, Case Priority, etc.), but can also be based on other attributes (such as alert attributes).

An SLA can be configured for an Alert, a Case, or both.

When an SLA is configured for an alert, the SLA clock starts when the alert is created.

When an SLA is configured for a case, the SLA clock starts when the case is created. However, when the SLA is configured by Case Stage, the clock starts at the beginning of that stage.

An SLA can be configured directly in Settings, or it can be set automatically by a Playbook action in a Playbook or a Playbook Block.

If multiple SLA rules apply to a Case, the SLA set by a playbook action takes precedence. If no playbook action has set an SLA, the Case Stage SLA is used; if no Case Stage SLA is set, the Case Priority SLA is used.

If multiple SLA rules apply to an Alert, the SLA set by a playbook action takes precedence. If no playbook action has set an SLA, the Alert Type SLA is used; if no Alert Type SLA is set, the Alert Priority SLA is used.

To add an SLA:

  1. Navigate to Settings > Environments > SLA.
  2. Click Add at the top right of the screen.
  3. Select whether the SLA will be configured by an alert type (either all alerts or specific ones), an alert priority (e.g. informative, low), a case stage (e.g. triage, investigation), or a case priority (e.g. informative, low).
  4. Add the time frames for the SLA Period (the amount of time that can pass before the SLA is breached) and the SLA Time to Critical Period (the time before the SLA enters the critical phase). For example, if the SLA Period is set to 10 minutes and the SLA Time to Critical Period is set to 6 minutes, the actual Critical Period lasts for 4 minutes.

  5. Click Add.
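As an added illustration (not Google SecOps code), the following Python model applies the precedence rules above and computes an SLA's state from its SLA Period, Time to Critical Period and any paused intervals; the rule values, timestamps and the assumption that paused time is excluded from the SLA clock are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence
# Illustrative model of the SLA semantics described on this page; not Google SecOps code.
@dataclass(frozen=True)
class SlaRule:
    period: timedelta            # SLA Period: time allowed before the SLA is breached
    time_to_critical: timedelta  # SLA Time to Critical Period: time until the critical phase

    def critical_window(self) -> timedelta:
        """Length of the critical phase: 10 min period, 6 min to critical -> 4 min."""
        return self.period - self.time_to_critical

def resolve_case_sla(playbook, stage, priority) -> Optional[SlaRule]:
    """Case precedence: playbook action, then Case Stage, then Case Priority."""
    return playbook or stage or priority

def resolve_alert_sla(playbook, alert_type, alert_priority) -> Optional[SlaRule]:
    """Alert precedence: playbook action, then Alert Type, then Alert Priority."""
    return playbook or alert_type or alert_priority

def sla_status(rule: SlaRule, started: datetime, now: datetime,
               pauses: Sequence[tuple[datetime, Optional[datetime]]] = ()) -> str:
    """Return 'paused', 'active', 'critical' or 'breached' as of `now`. `started` is creation
    time (or stage start for a Case Stage SLA); `pauses` holds (pause_at, resume_at) pairs,
    resume_at=None while still paused. Assumption: paused time does not count toward the SLA."""
    elapsed = now - started
    for pause_at, resume_at in pauses:
        if resume_at is None or resume_at > now:
            if pause_at <= now:
                return "paused"
            continue
        elapsed -= max(resume_at - max(pause_at, started), timedelta(0))
    if elapsed >= rule.period:
        return "breached"
    if elapsed >= rule.time_to_critical:
        return "critical"
    return "active"

def demo() -> dict[str, str]:
    """The page's example (10 min period, 6 min to critical) at constructed instants."""
    rule = SlaRule(timedelta(minutes=10), timedelta(minutes=6))
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed alert creation time
    paused = [(t0 + timedelta(minutes=3), t0 + timedelta(minutes=8))]  # 5 min pause
    return {
        "t+7": sla_status(rule, t0, t0 + timedelta(minutes=7)),
        "t+10": sla_status(rule, t0, t0 + timedelta(minutes=10)),
        "t+5 paused": sla_status(rule, t0, t0 + timedelta(minutes=5), paused),
        "t+10 after pause": sla_status(rule, t0, t0 + timedelta(minutes=10), paused),
    }
```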

SLA Status:

In the Cases tab, an SLA that is created for a Case is indicated by an hourglass with the letter "C" next to it. If the SLA was created for an Alert, it will be indicated by an hourglass with the letter "A" next to it. The color of the SLA indicates its status.

An active Case SLA is shown as a green countdown timer at the top of the selected case's screen.

For cases with multiple alerts, the Alerts icon in the case header on the Cases screen displays all of the Alert SLAs in one popover. Click an Alert SLA to view that individual alert.

Pause and resume an SLA

To provide flexibility during investigations, SLAs can be paused for extra research time or when waiting on information from external sources. Alert and Case SLAs can be paused or resumed independently; pausing one won't affect the other. All pause and resume events are recorded on the Case Wall.

Pause and resume an Alert SLA

To pause an Alert SLA, do the following:

  1. In the Cases page, select the case containing the relevant alert.
  2. In the alert tab, click the Alert Options menu.
  3. Select Pause alert SLA.
  4. Optional: In the Pause alert SLA dialog that appears, enter a reason for pausing the SLA.
  5. Click Pause.

A gray hourglass in the alert tab indicates that the SLA is paused. A tooltip also indicates the paused status. Additionally, the Alerts icon in the case top bar, which displays all Alert SLAs in a popover, will show a gray countdown timer that has stopped ticking for the paused Alert SLA.

To resume the Alert SLA, do the following:

  1. Click the Alert Options menu.
  2. Select Resume alert SLA.

The green hourglass in the alert tab indicates that the SLA is running again. The Alerts icon in the case top bar also shows a countdown timer that has resumed ticking for the resumed Alert SLA.

Pause and resume a Case SLA

To pause a Case SLA, do the following:

  1. Go to the Cases page and choose the relevant case.
  2. In the case top bar, click the Case Actions menu.
  3. Select Pause Case SLA.
  4. Optional: In the Pause Case SLA dialog that appears, enter a reason for pausing the SLA.
  5. Click Pause.

The gray Case SLA timer in the case top bar indicates that the SLA is paused. A tooltip also indicates the paused status.

To resume a paused Case SLA, do the following:

  1. In the case top bar, click the Case Actions menu.
  2. Select Resume Case SLA.

The green Case SLA timer, along with its resumed countdown, indicates that it's running again.
