Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Dashboard for Enterprise Security team from Misson control

vishenps
Path Finder
‎01-29-2024 09:01 AM

#mission_control, # splunk cloud
Hi 
In my org primarily Mission Control events are investigated by SOC as soon as they pop up, if futher investigation is needed the incident is escalated to Enterprise security TEAM who is responsible to perform deeper/detailed investigation and update back in Mission Control. 
USE CASE: 
The enterprise security manger wants a DASHBOARD which will inform him about : 
if the investigation is being performed by his team (ES)> how much average time his team member takes to resolve an incident > averaged over a month.  

For ES team I have lookup file or also I can type there name(Only 7-8 people) > I NEED A QUERY WHICH WILL EVALUATE WHEN assigne=(tom,tim,xyz) , difference between update_time & create_time , averaged out over month. 

Field we have :
| mcincidents   add_response_stats=true
| eval create_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| eval update_time=strtime(create_time, "%m/%d%Y %I:%M:%S %p")
| table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...