SOC operations dashboard

The SOC Operations dashboard is designed to provide insight into the security operations center (SOC) based on key metrics, workflows, and dispositions so that you can monitor the efficiency of the SOC and ensure that all security operations (detections, analysis, and responses) are on track.

Dashboard panels

Key metrics

Panel Description and default search

Mean Time to Triage

Panel	Description and default search
Mean Time to Triage	Displays the average time (in minutes) to triage or prioritize the investigation of a notable over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean time taken to triage the notable compares to the previous mean time taken to triage the notable over the same time period. For example, the trendline may display that the mean time to triage a notable over the last 7 days is 0.5% up or down over the mean time taken to triage the notable during the previous 7 day time period. For more information, see Triage findings in Splunk Enterprise Security. \| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" \| rename "Notable_Events_Meta." as "" \| lookup update=true incident_updates_lookup rule_id OUTPUTNEW time \| search time=* \| stats earliest(_time) as create_time, earliest(time) as triage_time by rule_id \| eval diff=triage_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0) \| stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff \| eval past = round(past_diff/past/60), current = round(current_diff/current/60) \| table past, current \| transpose \| rename "column" as stat_type,"row 1" as mean_triage_time \| fillnull value=0 mean_triage_time
Mean Time to Resolution	Displays the average time (in minutes) taken by the notable to reach its configured end status over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean time taken by the notable to reach its configured end status compares to the previous mean time taken by the notable to reach its configured end status over the same time period. \| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id" \| rename "Notable_Events_Meta." as "" \| eval temp_time=time()+86400 \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUTNEW time, status \| `get_reviewstatuses` \| search time=* AND status_end=true \| stats first(_time) as create_time, last(time) as resolve_time by rule_id \| eval diff=resolve_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0) \| stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff \| eval past = round(past_diff/past/60), current = round(current_diff/current/60) \| table past, current \| transpose \| rename "column" as stat_type,"row 1" as mean_resolution_time \| fillnull value=0 mean_resolution_time
Investigations Created	Displays the number of investigations created in the SOC over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean number of investigations created compares to the previous mean number of investigations created over the same time period. For more information, see Start an investigation in Splunk Enterprise Security. \| `investigations` all=true strict=true \| where create_time > relative_time(now(), "-14d@d") \| stats count(eval(create_time < relative_time(now(), "-7d@d"))) AS past, count(eval(create_time >= relative_time(now(), "-7d@d"))) AS current \| transpose \| rename "column" as count_type, "row 1" as count

Displays the average time (in minutes) to triage or prioritize the investigation of a notable over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean time taken to triage the notable compares to the previous mean time taken to triage the notable over the same time period. For example, the trendline may display that the mean time to triage a notable over the last 7 days is 0.5% up or down over the mean time taken to triage the notable during the previous 7 day time period. For more information, see Triage findings in Splunk Enterprise Security.

| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id"
    | rename "Notable_Events_Meta.*" as "*"
    | lookup update=true incident_updates_lookup rule_id OUTPUTNEW time
    | search time=*
    | stats earliest(_time) as create_time, earliest(time) as triage_time by rule_id
    | eval diff=triage_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0)
    | stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff
    | eval past = round(past_diff/past/60), current = round(current_diff/current/60)
    | table past, current
    | transpose
    | rename "column" as stat_type,"row 1" as mean_triage_time
    | fillnull value=0 mean_triage_time

Mean Time to Resolution

Displays the average time (in minutes) taken by the notable to reach its configured end status over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean time taken by the notable to reach its configured end status compares to the previous mean time taken by the notable to reach its configured end status over the same time period.

| tstats summariesonly=true earliest(_time) as _time FROM datamodel=Incident_Management BY "Notable_Events_Meta.rule_id"
    | rename "Notable_Events_Meta.*" as "*"
    | eval temp_time=time()+86400
    | lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUTNEW time, status
    | `get_reviewstatuses`
    | search time=* AND status_end=true
    | stats first(_time) as create_time, last(time) as resolve_time by rule_id
    | eval diff=resolve_time-create_time, stat_type=if(create_time < relative_time(now(), "-7d@d"), "past", "current"), past=if(stat_type="past", 1, 0), current=if(stat_type="current", 1, 0), past_diff=if(stat_type="past", diff, 0), current_diff=if(stat_type="current", diff, 0)
    | stats sum(past) AS past, sum(current) AS current, sum(past_diff) AS past_diff, sum(current_diff) as current_diff
    | eval past = round(past_diff/past/60), current = round(current_diff/current/60)
    | table past, current
    | transpose
    | rename "column" as stat_type,"row 1" as mean_resolution_time
    | fillnull value=0 mean_resolution_time

Investigations Created

Displays the number of investigations created in the SOC over the duration of a specified time period. Also, displays a trendline (in absolute value) that indicates how the mean number of investigations created compares to the previous mean number of investigations created over the same time period. For more information, see Start an investigation in Splunk Enterprise Security.

| `investigations` all=true strict=true 
| where create_time > relative_time(now(), "-14d@d") 
| stats count(eval(create_time < relative_time(now(), "-7d@d"))) AS past, count(eval(create_time >= relative_time(now(), "-7d@d"))) AS current 
| transpose 
| rename "column" as count_type, "row 1" as count

Workflow

Panel Description and default search

Assigned Notables Over Time

Panel	Description and default search
Assigned Notables Over Time	Displays a comparison graph of assigned versus unassigned notables over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id \| `get_current_status` \| `get_owner` \| timechart span=1d count(eval(owner!="unassigned")) AS "Assigned Notables", count(eval(owner="unassigned")) AS "Unassigned Notables"
Notables in End State by Time	Displays a comparison graph for notables that are assigned versus the notables that have been resolved i.e. reached the configured end state over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id \| `get_current_status` \| `get_owner` \| where owner != "unassigned" \| timechart span=1d count(eval(status_end="true")) AS "In End State", count AS "Total Assigned"
Analyst Close Rate Over Time	Displays a comparison graph for assigned open versus assigned closed notables by an analyst over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id \| `get_current_status` \| `get_owner` \| where owner != "unassigned" \| stats count(eval(status_end = "true")) AS "Notables Closed", count(eval(status_end = "false")) AS "Notables Open" by owner_realname \| rename owner_realname AS "Analyst"

Displays a comparison graph of assigned versus unassigned notables over the duration of a specified time period.

`get_notable_index` 
    | eval `get_event_id_meval`, rule_id=event_id
    | `get_current_status`
    | `get_owner`
    | timechart span=1d count(eval(owner!="unassigned")) AS "Assigned Notables", count(eval(owner="unassigned")) AS "Unassigned Notables"

Notables in End State by Time

Displays a comparison graph for notables that are assigned versus the notables that have been resolved i.e. reached the configured end state over the duration of a specified time period.

`get_notable_index` 
    | eval `get_event_id_meval`, rule_id=event_id
    | `get_current_status`
    | `get_owner`
    | where owner != "unassigned"
    | timechart span=1d count(eval(status_end="true")) AS "In End State", count AS "Total Assigned"

Analyst Close Rate Over Time

Displays a comparison graph for assigned open versus assigned closed notables by an analyst over the duration of a specified time period.

`get_notable_index` 
    | eval `get_event_id_meval`, rule_id=event_id
    | `get_current_status`
    | `get_owner`
    | where owner != "unassigned"
    | stats count(eval(status_end = "true")) AS "Notables Closed", count(eval(status_end = "false")) AS "Notables Open" by owner_realname
    | rename owner_realname AS "Analyst"

Dispositions


Panel	Description and default search
Dispositions Over Time	Displays a distribution of the various dispositions that are assigned to notables over the duration of a specified time period. This visualization provides insight into the number of notables that are false positives versus notables that are true positives. For more information on assigning dispositions to notables, see Add a disposition to a finding or an investigation. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 \| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition \| eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) \| `get_notable_disposition` \| timechart span=1d count by disposition_label
Sources Contributing to False Positive - Incorrect Analytic Logic	Displays a list of sources, which generated notables that have the disposition False Positive - Incorrect Analytic Logic over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 \| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition \| eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) \| `get_notable_disposition` \| where disposition="disposition:3" \| stats count by source \| sort - count
Sources Contributing to False Positive - Inaccurate Data	Displays a list of sources, which generated notables that have the disposition False Positive - Inaccurate Data over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 \| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition \| eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) \| `get_notable_disposition` \| where disposition="disposition:4" \| stats count by source \| sort - count
Sources Contributing to True Positive - Suspicious Activity	Displays a list of sources, which generated notables that have the disposition True Positive - Suspicious over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 \| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition \| eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) \| `get_notable_disposition` \| where disposition="disposition:1" \| stats count by source \| sort - count
Sources Contributing to True Positive - Suspicious but Expected	Displays a list of sources, which generated notables that have the disposition True Positives - Suspicious, but Expected over the duration of a specified time period. `get_notable_index` \| eval `get_event_id_meval`, rule_id=event_id, temp_time=time()+86400 \| lookup update=true correlationsearches_lookup _key as source OUTPUTNEW default_disposition \| lookup update=true event_time_field=temp_time incident_review_lookup rule_id OUTPUT disposition as new_disposition \| eval disposition=if(isnotnull(new_disposition),new_disposition,default_disposition) \| `get_notable_disposition` \| where disposition="disposition:2" \| stats count by source \| sort - count

Note: For key indicator panels and time chart visualizations on the SOC Operations dashboard, some arguments in the underlying SPL searches may be dynamically updated based on the time range selected on the dashboard UI.

Documentation

SOC operations dashboard

Dashboard panels

Key metrics

Workflow

Dispositions