Deep dive into four advanced SOAR reports
This document focuses on the following four reports:
- Performance analysis – handling times
- Performance analysis – analysts workload
- Security posture and sensors performance
- Playbook analysis
For more information about Advanced SOAR reports, see Using Advanced SOAR reports.
Performance analysis – handling times
Performance analysis – analysts workload
Alert Distribution across Rules: Displays the distribution and percentage of alerts per rule type.
Event Distribution across Rules: Displays the percentage of events per rule type.
Open vs. Closed Cases: Displays the distribution of the number of open and closed cases.
Cases vs. Alerts: Displays the distribution of the number of cases and alerts.
False positives vs. Handling time: A dual axis graph displays the false positive rate on the left side axis versus the average handling time on the right axis. The false positive rate is the percentage of non-malicious cases out of all cases. The average handling time is the time from case creation to case closure. The graph displays information regarding closed cases only.
Security posture and sensors performance
% of Alerts per Rule: Displays the distribution and percentage of alerts per rule type.
Number of Alerts per Rule per Date: Displays the number of alerts per rule type per date.
% of Alerts per Product: Displays the distribution and percentage of alerts per product.
Number of Alerts per Product per Date: Displays the number of alerts per product per date.
False Positive Rate vs. Product: Displays the false positive rate per product type. The false positive rate is the percentage of non-malicious cases out of all cases. The graph displays information regarding closed cases only.
Playbook analysis
Top 10 Automated Alerts: Displays the top 10 rules with the highest percentage of automated alerts. An automated alert is an alert that has an automatically attached playbook.
Top 10 Alerts closed by automation: Displays the top 10 rules with the highest percentage of alerts that were automatically closed by a playbook. The graph displays information regarding closed cases only.
False positives vs. Handling time for non-automated Alerts: For alerts which don't have an automatically attached playbook, the widget has a dual axis graph that displays the false positive rate on the left side axis versus the average handling time on the right axis. The graph displays information regarding closed cases only. The graph is empty in case there are no alerts without a playbook.
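The false positive rate and average handling time definitions used by the "False positives vs. Handling time" widgets above can be reproduced from exported case data to sanity-check a dashboard. The following is an added example, not Google SecOps code: it applies the closed-cases-only rule, the non-automated (no attached playbook) filter, and the empty-graph case, over constructed case records whose field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Case:
    rule: str                    # rule that raised the alert (assumed field)
    created: datetime
    closed: Optional[datetime]   # None while the case is still open
    malicious: bool              # False = closed as non-malicious (false positive)
    playbook_attached: bool      # True = "automated alert" in the report's terms

def closed_cases(cases, automated=None):
    """Closed cases only; optionally keep only automated (True) or non-automated (False)."""
    out = [c for c in cases if c.closed is not None]
    if automated is not None:
        out = [c for c in out if c.playbook_attached == automated]
    return out

def false_positive_rate(cases):
    """Percentage of non-malicious cases out of all given cases; None when there are none."""
    if not cases:
        return None
    return 100.0 * sum(not c.malicious for c in cases) / len(cases)

def avg_handling_hours(cases):
    """Mean time from case creation to case closure, in hours; None when there are none."""
    if not cases:
        return None
    total = sum((c.closed - c.created).total_seconds() for c in cases)
    return total / len(cases) / 3600

def fp_vs_handling_by_rule(cases, automated=None):
    """Per-rule (fp_rate_pct, avg_handling_hours) over closed cases only.
    Returns {} when nothing matches, mirroring the widget's empty graph."""
    by_rule = {}
    for c in closed_cases(cases, automated):
        by_rule.setdefault(c.rule, []).append(c)
    return {r: (false_positive_rate(g), avg_handling_hours(g)) for r, g in by_rule.items()}

# Constructed sample: two rules, one still-open case that must be excluded.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [
    Case("Phishing", T0, T0 + timedelta(hours=2), True, False),
    Case("Phishing", T0, T0 + timedelta(hours=4), False, False),
    Case("Phishing", T0, None, False, False),               # open: excluded
    Case("Malware", T0, T0 + timedelta(hours=1), True, True),
    Case("Malware", T0, T0 + timedelta(hours=3), False, True),
]

if __name__ == "__main__":
    print(fp_vs_handling_by_rule(SAMPLE))                  # all closed cases
    print(fp_vs_handling_by_rule(SAMPLE, automated=False)) # non-automated widget
```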