Create incident timers and SLAs - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

You can set up incident timers and SLAs to track KPIs and ensure that operational performance is in line with your objectives. By adding timer and SLA fields to the Incidents table, you can track the progress of your incident SLAs.

To help you to monitor and assess your key performance indicators (KPIs), you can create SLAs at the incident level. Incident SLAs provide the ability to track KPIs, obtain real-time insights into operational performance, and ensure alignment with established objectives.

Incident SLAs are based on incident timer fields. When an incident matches the defined criteria, the timer starts running. If the timer field is linked to an SLA, Cortex XSIAM tracks the progress of the incident in relation to the SLA.

To track your SLAs on the Incidents page, add the timer and SLA fields to the table layout, or create a custom layout with SLA fields. Note that the timer field counts forward, and the SLA field counts backwards.

Danger

Before you can create an incident SLA, you must first create a timer field. A timer field can be associated with a single incident SLA.

Take the following steps to create an incident timer field:

  1. Go to Settings > Configurations > Object Setup > Incidents and open the Fields tab.

  2. Click New Field.

  3. Under Field Type, select Timer.

  4. Type a field name.

  5. Under Tooltip, enter a description that pops up when you hover over the field.

  6. Under Incidents Filter, click Set Filter and define the subset of incidents for which the timer will be activated. For example, you can define timers for specific domains or incident source types.

    Note

    If you edit this filter after creation, the timer and associated SLA will be removed from any incident that no longer qualifies, even if the timer is already running.

  7. Under Conditions, add filters that define when the timer will start and end. To add a pause condition to the timer, click Pause and define the pause criteria.

  8. Under When incident is reopened, select the action that you want Cortex XSIAM to take.

  9. Click Save.

Example 27. 

The following timer measures the amount of time a security incident is waiting in New status before an analyst starts investigating.

Field                      Value
Field Type                 Timer
Field Name                 Security incident response
Tooltip                    Measure time from incident opening to analyst response.
Incidents Filter           Incident Domain = Security
Start when                 Status = New
End when                   Status = Under Investigation
When incident is reopened  Reset timer


Take the following steps to create an incident SLA. You can set up multiple goals for an SLA.

  1. Go to Settings > Configurations > Object Setup > Incidents and open the Fields tab.

  2. Click New Field.

  3. Under Field Type, select SLA.

  4. Type a name to identify the SLA.

  5. Under Tooltip, enter a description that pops up when you hover over the field.

  6. Under Timer, select the timer field with which to associate the SLA.

  7. Under Goals, click Add SLA Goal.

    The default goal applies to all incidents that meet the filter criteria specified in the timer field. You can set up additional goals that apply to subsets of the defined incidents.

  8. In the SLA goal, type a goal name and set filter criteria.

  9. In the Days, Hours, or Minutes fields, define the time conditions for the SLA goal.

  10. Arrange the SLA goals by dragging them in order of goal priority.

  11. Click Save.

Example 28. 

The following SLA field sets goals for analyst response times for security incidents with Critical and High severity. This SLA is based on the timer field created in the previous example. Because the timer field is set up with the filter Incident Domain = Security, this SLA will apply to security incidents only.

The first SLA goal applies to security incidents with a severity level of Critical. The SLA specifies that an analyst must respond to critical severity incidents within one hour.

The second SLA goal applies to security incidents with a severity level of High. The SLA specifies that an analyst must respond to high severity incidents within two hours.

Field         Value
Field Type    SLA
Field Name    Security incident response SLA
Tooltip       Measure time from incident opening to analyst response.
Timer         Security incident response
Goals         Goal 1
                • Name: Critical severity incidents
                • Minutes: 60
                • Filter: severity = Critical
              Goal 2
                • Name: High severity incidents
                • Minutes: 120
                • Filter: severity = High


After creating new timer and SLA fields, you can add them to the Incidents table layout and view them in the Incidents detailed view:

  • In the Incidents table view, add the timer and SLA fields to the Layout tab in the Table Setting Menu.

  • In the Incidents detailed view, use the Sort By field to filter the incident list by the SLA field. Details of the SLA are shown in the list.

    In addition, you can create a custom incident layout with a new tab displaying SLA fields. For more information, see Incident layouts.

Example 29. 

This example is based on the fields created in the previous procedures:

  • The Security incident response timer field displays the number of minutes since incident creation. When the incident status moves from New to Under Investigation, the timer stops.

  • The Security incident response SLA field starts counting backwards to show the remaining time to meet the SLA. If the field is shown in red with a minus time, the SLA is breached.

    • For incident 001, the critical severity incident has been in New status for 5 minutes. An analyst must respond within the remaining 55 minutes.

    • For incident 002, the high severity incident has been in New status for 20 minutes. An analyst must respond within the remaining 1 hour and 40 minutes.

    • For incident 003, an analyst did not respond within 60 minutes and therefore the SLA was breached. The Security incident response SLA field displays a minus value and a red icon.

Incident ID  Severity  Security incident response  Security incident response SLA
001          Critical  5m                          55m 25s [SLA timer icon]
002          High      20m                         1h 40m 30s [SLA timer icon]
003          Critical  65m                         - 5m 23s [SLA breach icon, red]
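As an added example (not Cortex XSIAM code or the product's internal logic), the following Python model reproduces the timer and SLA semantics described in the procedures and Examples 27 to 29 above: a forward-counting timer that starts and ends on status conditions and either resets or keeps its total on reopen, and an SLA that applies the first matching goal in priority order and counts backwards, going negative when breached. The class and function names, the incident dictionaries, the status values and the creation time are assumptions; pause conditions are left out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added model of this page's timer and SLA semantics; it is not Cortex XSIAM code,
# and the incidents, filters and status histories are constructed.
MIN = timedelta(minutes=1)
T0 = datetime(2024, 3, 6, 9, 0)   # constructed incident creation time

@dataclass
class TimerField:
    incidents_filter: object       # predicates over an incident dict
    start_when: object
    end_when: object
    reset_on_reopen: bool = True   # the page's "When incident is reopened" choice

    def elapsed(self, inc, history, now):
        """Forward count over (timestamp, status) history; None if outside the filter."""
        if not self.incidents_filter(inc):
            return None
        total, since, ended = timedelta(0), None, False
        for ts, status in history:
            snap = {**inc, "status": status}
            if since is not None:              # close the interval that was running
                total, since = total + (ts - since), None
            if ended and self.start_when(snap):  # reopened: reset or keep the total
                ended, since = False, ts
                total = timedelta(0) if self.reset_on_reopen else total
            elif status == "Resolved" or self.end_when(snap):
                ended = True                   # resolving or ending stops the count
            elif self.start_when(snap):
                since = ts
        return total + (now - since if since is not None else timedelta(0))

def sla_remaining(timer, goals, inc, history, now):
    """goals: (name, target, filter) in priority order; counts backwards, negative = breach."""
    elapsed = timer.elapsed(inc, history, now)
    target = next((t for _, t, ok in goals if ok(inc)), None)
    return None if elapsed is None or target is None else target - elapsed

# Examples 27 and 28 from the page, expressed in this model.
RESPONSE_TIMER = TimerField(lambda i: i["domain"] == "Security", lambda i: i["status"] == "New",
                            lambda i: i["status"] == "Under Investigation")
RESPONSE_GOALS = [("Critical severity incidents", 60 * MIN, lambda i: i["severity"] == "Critical"),
                  ("High severity incidents", 120 * MIN, lambda i: i["severity"] == "High")]

def remaining_minutes(severity, minutes_in_new, domain="Security"):
    """Example 29: incident created in New at T0 and still New after minutes_in_new."""
    inc = {"domain": domain, "severity": severity}
    rem = sla_remaining(RESPONSE_TIMER, RESPONSE_GOALS, inc, [(T0, "New")], T0 + minutes_in_new * MIN)
    return None if rem is None else int(rem / MIN)
```

Incidents outside the timer's filter, or with a severity no goal matches, get no SLA value at all, which mirrors the page's note that the SLA only applies to incidents the timer qualifies.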


Consider the following information when working with timer and SLA fields:

  • When an incident is resolved, the timer calculation stops.

  • Updating timer logic affects open and new incidents. Therefore, the timer and associated SLA will be removed from any incident that no longer qualifies, even if the timer is already running.

  • If you delete a timer field, the SLA associated to the timer is also deleted.