Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard for Enterprise Security team from Misson control

vishenps
Path Finder
‎01-29-2024 09:01 AM

#mission_control, # splunk cloud
Hi 
In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control. 
USE CASE: 
The enterprise security manger wants a DASHBOARD which will inform him about : 
if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident > averaged over a month.  

For ES team I have lookup file or also I can type there name(Only 7-8 people) > I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time & create_time , averaged out over month. 

Field we have :
| mcincidents   add_response_stats=true
| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...