https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-Enterprise-Security-team-from-Misson-control/m-p/675795#M55333 <P>#mission_control, # splunk cloud<BR />Hi&nbsp;<BR />In my org primarily Mission Control events are investigated by <STRONG>SOC</STRONG> as soon as they pop up, if futher investigation is needed the incident is escalated to <STRONG>Enterprise security TEAM&nbsp;</STRONG>who is responsible to perform deeper/detailed investigation and update back in Mission Control.&nbsp;<BR />USE CASE:&nbsp;<BR />The enterprise security manger wants a DASHBOARD which will inform him about :&nbsp;<BR />if the investigation is being performed by his team (ES)&gt; how much average time his team member takes to resolve an incident &gt; averaged over a month. &nbsp;<BR /><BR />For ES team I have lookup file or also I can type there name(Only 7-8 people) &gt; I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time &amp; create_time , averaged out over month.&nbsp;<BR /><BR />Field we have :<BR /><EM>| mcincidents &nbsp; add_response_stats=true</EM><BR /><EM>| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")</EM><BR /><EM>| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")</EM><BR /><EM>| table<STRONG> assigne, create_time, update_time,</STRONG> description, disposition, id, incident_type, name, sensitivity, source_type, summary</EM></P> Mon, 29 Jan 2024 17:01:46 GMT vishenps 2024-01-29T17:01:46Z https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-Enterprise-Security-team-from-Misson-control/m-p/675795#M55333 <P>#mission_control, # splunk cloud<BR />Hi&nbsp;<BR />In my org primarily Mission Control events are investigated by <STRONG>SOC</STRONG> as soon as they pop up, if futher investigation is needed the incident is escalated to <STRONG>Enterprise security TEAM&nbsp;</STRONG>who is responsible to perform deeper/detailed investigation and update back in Mission Control.&nbsp;<BR />USE CASE:&nbsp;<BR />The enterprise security manger wants a DASHBOARD which will inform him about :&nbsp;<BR />if the investigation is being performed by his team (ES)&gt; how much average time his team member takes to resolve an incident &gt; averaged over a month. &nbsp;<BR /><BR />For ES team I have lookup file or also I can type there name(Only 7-8 people) &gt; I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time &amp; create_time , averaged out over month.&nbsp;<BR /><BR />Field we have :<BR /><EM>| mcincidents &nbsp; add_response_stats=true</EM><BR /><EM>| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")</EM><BR /><EM>| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")</EM><BR /><EM>| table<STRONG> assigne, create_time, update_time,</STRONG> description, disposition, id, incident_type, name, sensitivity, source_type, summary</EM></P> Mon, 29 Jan 2024 17:01:46 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Dashboard-for-Enterprise-Security-team-from-Misson-control/m-p/675795#M55333 vishenps 2024-01-29T17:01:46Z