Deep dive into four advanced SOAR reports

Performance analysis -- handling times

MTTD – Mean Time To Detect: The mean time from the creation of the case until the case is assigned to a user. Format: days-hours-minutes-seconds. The widget displays '0' if the case is not assigned.
MTTR – Mean Time To Remediate: The mean time from the creation of the case until the case is moved to the
remediation stage. Format: days-hours-minutes-seconds. The widget displays
'N/A' if there is no remediation stage.
Avg. Handling Time per SOC Role: Displays the average amount of time a SOC role spent on a case from the
moment the case is assigned to this role until the case is closed or
assigned to another SOC role.
Avg. Handling Time per Stage: Displays the average amount of time spent on a stage from the moment the
stage starts until the case is closed or another stage begins.
Mean time to Triage: Displays the average handling time per stage for the Triage stage per date
for the different rules.
Avg. Handling Time Triage Stage: Displays the average handling time of the Triage stage per date.
Avg. Handling Time per SOC Role per Date: Displays the average handling time per SOC role per date.

Performance analysis -- analysts workload

Alert Distribution across Rules: Displays the
distribution and percentage of alerts per rule type.
Event Distribution across Rules: Displays the percentage
of events per rule type.
Open vs. Closed Cases: Displays the distribution of the
number of open and closed cases.
Cases vs. Alerts: Displays the distribution of the number
of cases and alerts.
False positives vs. Handling time: A dual axis graph
displays the false positive rate on the left side axis versus the average
handling time on the right axis.
The false positive rate is the percentage of non-malicious cases out of all
cases.
The average handling time is the time from case creation to case closure.
The graph displays information regarding closed cases only.

Security posture and sensors performance

% of Alerts per Rule: Displays the distribution and
percentage of alerts per rule type.
Number of Alerts per Rule per Date: Displays the number of
alerts per rule type per date.
% of Alerts per Product: Displays the distribution and
percentage of alerts per product.
Number of Alerts per Product per Date: Displays the number
of alerts per product per date.
False Positive Rate Vs Product: Displays the false positive
rate per product type. The false positive rate is the percentage of
non-malicious cases out of all cases. The graph displays information
regarding closed cases only.

Playbook analysis

Top 10 Automated Alerts: Displays the top 10 rules with the
highest percentage of automated alerts. An automated alert is an alert
that has an automatically attached playbook.
Top 10 Alerts closed by automation: Displays the top 10
rules with the highest percentage of alerts that were automatically closed
by a playbook. The graph displays information regarding closed cases
only.
False positives vs Handling time for non automated Alerts:
For alerts that don't have an automatically attached playbook, the
widget shows a dual axis graph with the false positive rate on the
left axis versus the average handling time on the right axis. The graph
displays information regarding closed cases only. The graph is empty if
there are no alerts without a playbook.
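
The MTTD, MTTR, false positive rate and average handling time definitions above, worked through on a small set of cases. This is an added example, not code from the product: the case records are constructed, and the field names, the zero padding of the days-hours-minutes-seconds format, and the choice to average only over cases that reached the milestone are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample cases; the field names are assumptions, not the product's schema.
CASES = [
    {"created": "2025-01-01T08:00:00", "assigned": "2025-01-01T08:10:00",
     "remediation": "2025-01-01T10:00:00", "closed": "2025-01-01T12:00:00", "malicious": True},
    {"created": "2025-01-01T09:00:00", "assigned": "2025-01-01T09:30:00",
     "remediation": None, "closed": "2025-01-01T10:00:00", "malicious": False},
    {"created": "2025-01-02T08:00:00", "assigned": "2025-01-02T08:20:00",
     "remediation": "2025-01-03T08:00:00", "closed": None, "malicious": None},
    {"created": "2025-01-02T09:00:00", "assigned": None,
     "remediation": None, "closed": None, "malicious": None},
]

def fmt(delta):
    """Render a timedelta as days-hours-minutes-seconds (zero padding is an assumption)."""
    days, rem = divmod(int(delta.total_seconds()), 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{days}-{hours:02d}-{minutes:02d}-{seconds:02d}"

def mean_since_creation(cases, field):
    """Mean of (field - created) over cases that reached that milestone, else None."""
    deltas = [datetime.fromisoformat(c[field]) - datetime.fromisoformat(c["created"])
              for c in cases if c[field]]
    return sum(deltas, timedelta()) / len(deltas) if deltas else None

def mttd(cases):
    mean = mean_since_creation(cases, "assigned")      # creation to assignment
    return fmt(mean) if mean is not None else "0"      # '0' when nothing is assigned

def mttr(cases):
    mean = mean_since_creation(cases, "remediation")   # creation to remediation stage
    return fmt(mean) if mean is not None else "N/A"    # 'N/A' without a remediation stage

def false_positive_rate(cases):
    """Percentage of non-malicious cases, counted over closed cases only."""
    closed = [c for c in cases if c["closed"]]
    if not closed:
        return None
    return 100.0 * sum(1 for c in closed if not c["malicious"]) / len(closed)

def avg_handling_time(cases):
    mean = mean_since_creation(cases, "closed")        # creation to closure
    return fmt(mean) if mean is not None else None

if __name__ == "__main__":
    print(mttd(CASES), mttr(CASES), false_positive_rate(CASES), avg_handling_time(CASES))
```

The two open cases count toward MTTD and MTTR where they reached the milestone, but they are left out of the false positive rate and handling time, which use closed cases only.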

Last updated 2025-08-29 UTC.