The ES App is currently configured to run a few correlation searches, and when notable events are created those events can be assigned to an owner (Analyst 1) under the Incident Review dashboard for further investigation; at this point the incident is changed from "new" to "in progress". Let's say Analyst 1 is unable to resolve and close the incident. How can I assign the same incident to a different owner (Analyst 2) to perform a second-level investigation, capturing everything the first-level analyst did so far?
Secondly, is there a way to find out metrics about how long the first-level analyst took to resolve or re-assign the notable event to second-level support, and also to find how long it took to resolve and close the notable events across the 1st, 2nd and 3rd-level security analysts?
Splunk ES 4.x allows you to create an Investigation and add analysts to it.
The investigation allows for searches, comments, etc to be added to a timeline. It's not perfect, but it might suit what you are trying to do?
I am also looking for an Incident Review feature which allows us to calculate the time taken by Analyst 1 and Analyst 2 for resolving the ticket in Incident Review.
I broke out your two questions and handled them separately:
How can I assign the same incident to a different owner (Analyst 2) to perform a second-level investigation, capturing everything the first-level analyst did so far?
You can re-assign the case in Incident Review (though I'm sure you already know that). The notes from the previous analyst are not included in the new status, but the previous history of the incident still exists. You can see the history of the incident by viewing it on the Incident Review page, showing the details, and clicking "View all review activity for this Notable Event".
Secondly, is there a way to find out metrics about how long the first-level analyst took to resolve or re-assign the notable event to second-level support, and also to find how long it took to resolve and close the notable events across the 1st, 2nd and 3rd-level security analysts?
Viewing all activity of a notable event will give you an idea of the lifecycle of the incident. That said, while it does display the history of the events, it doesn't currently display the amount of time it was in that state. Feel free to open an enhancement request if you want that, it probably wouldn't be too hard to implement.
Have you created any dashboards around this?
I'm looking to create a dashboard showing dwell time for each notable event. So for instance, how long until someone responds, how long until someone closes the event, etc.
Related to that, I'm also looking around in ES to see how to create a dashboard of newly open events, events still open, and events closed.
I'm basically trying to create a notable event management dashboard.
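To get the dwell-time and per-analyst metrics asked for in this thread (time in each state per owner, time to first response, time to close, and open vs. closed counts) out of a notable event's review-activity history, here is an added Python example; it is not Splunk's code nor any poster's. The record layout and field names (rule_id, time, status, owner) are assumptions modelled on what Incident Review shows per status change, and the records are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample of review activity for two notable events (not real Splunk data).
# Field names are assumptions: one record per status/owner change of a notable event.
REVIEW_ACTIVITY = [
    {"rule_id": "NE-1", "time": "2016-03-01T09:00:00", "status": "new",         "owner": "unassigned"},
    {"rule_id": "NE-1", "time": "2016-03-01T09:20:00", "status": "in progress", "owner": "analyst1"},
    {"rule_id": "NE-1", "time": "2016-03-01T11:20:00", "status": "in progress", "owner": "analyst2"},  # re-assigned
    {"rule_id": "NE-1", "time": "2016-03-01T12:05:00", "status": "closed",      "owner": "analyst2"},
    {"rule_id": "NE-2", "time": "2016-03-01T10:00:00", "status": "new",         "owner": "unassigned"},
    {"rule_id": "NE-2", "time": "2016-03-01T10:30:00", "status": "in progress", "owner": "analyst1"},
]

def _ts(s):
    return datetime.fromisoformat(s)

def dwell_metrics(activity, now=None):
    """Per notable event: time to first response, time to close (None while open)
    and handling time per owner. For still-open events the clock runs until `now`
    (default: the latest timestamp in the data)."""
    by_id = {}
    for rec in activity:
        by_id.setdefault(rec["rule_id"], []).append(rec)
    if now is None:
        now = max(_ts(r["time"]) for r in activity)
    result = {}
    for rule_id, recs in by_id.items():
        recs = sorted(recs, key=lambda r: _ts(r["time"]))
        created = _ts(recs[0]["time"])
        first_response = next((_ts(r["time"]) for r in recs if r["status"] != "new"), None)
        closed = next((_ts(r["time"]) for r in recs if r["status"] == "closed"), None)
        per_owner = {}
        # Each record's owner holds the event until the next change (or close/now).
        for cur, nxt in zip(recs, recs[1:] + [None]):
            if cur["status"] == "closed":
                continue  # nobody is working a closed event
            start = _ts(cur["time"])
            end = _ts(nxt["time"]) if nxt else (closed or now)
            per_owner[cur["owner"]] = per_owner.get(cur["owner"], timedelta()) + (end - start)
        result[rule_id] = {
            "time_to_response": (first_response - created) if first_response else None,
            "time_to_close": (closed - created) if closed else None,
            "per_owner": per_owner,
            "open": closed is None,
        }
    return result

def status_counts(metrics):
    """Open vs. closed totals for a notable event management dashboard."""
    open_n = sum(1 for m in metrics.values() if m["open"])
    return {"open": open_n, "closed": len(metrics) - open_n}
```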
I am looking to do the same! Let me know if you figure anything out and I will do the same. 😃
Thanks for the details, Luke.
Good methods for Splunk ES app incident management of notable events.