Dashboard for Enterprise Security team from Misson...

vishenps · ‎01-29-2024

#mission_control, # splunk cloud
Hi
In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control.
USE CASE:
The enterprise security manger wants a DASHBOARD which will inform him about :
if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident > averaged over a month.

For ES team I have lookup file or also I can type there name(Only 7-8 people) > I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time & create_time , averaged out over month.

Field we have :
| mcincidents add_response_stats=true
| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary

Dashboard for Enterprise Security team from Misson control

Dashboard Studio

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!