Curated dashboard queries: SOAR cases

This document is for Security Operations Center (SOC) managers and analysts who want to monitor threat landscapes and system health using curated dashboards: predefined dashboards designed for visibility across various security use cases. This document provides a collection of curated dashboards and their underlying queries for the SOAR cases source type.

You can use these queries in the query editor or as a baseline for custom widgets. For information on how to create and manage dashboards, see Manage dashboards.

Each dashboard is listed with its description, followed by the name and query of each of its charts.
Dashboard: CIS Controls Compliance Overview
Description: Provides a central view of CIS compliance metrics, such as asset accuracy and backup reliability. Use these insights to strengthen security governance and track remediation progress.

Chart: Case Distribution by Priority - Open Cases
Query:
case.status = "OPENED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Description: Provides a centralized view of case management and incident response, enabling teams to resolve threats faster and continuously improve operational efficiency.

Chart: Top 10 MITRE Tactics by Incident
Query:
case.incident = true
case.alerts.metadata.tags = /TA[0-9]+/

$Tactic = case.alerts.metadata.tags

match:
    $Tactic

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 Incidents by Case Stage
Query:
case.incident = true

$Stage = case.stage

match:
    $Stage

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Tags Distribution
Query:
$Case_Tag = case.tags.name

match:
    $Case_Tag

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Total Environments
Query:
outcome:
    $Count = count_distinct(case.environment) 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Total Important Cases
Query:
case.important = true
outcome:
    $Count = count(case.name) 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Incident Statuses Distribution
Query:
case.incident = true

$Status = case.status

match:
    $Status

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Statuses Distribution
Query:
$Status = case.status

match:
    $Status

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: High Priority Cases
Query:
case.priority = "PRIORITY_CRITICAL"
or case.priority = "PRIORITY_HIGH"

$Timestamp_Daily = timestamp.get_date(case.create_time.seconds)
$Priority = case.priority

match:
    $Timestamp_Daily, $Priority

outcome:
    $Count = count(case.name)

order:
    $Timestamp_Daily desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 Incidents by Case Tag
Query:
case.incident = true

$Case_Tag = case.tags.name

match:
    $Case_Tag

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Distribution by Priority - Closed Cases
Query:
case.status = "CLOSED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Recent Incident Details
Query:
case.incident = true

$Case_ID = case.response_platform_info.response_platform_id
$Case_Name = case.display_name
$Case_Creation_Time = timestamp.get_timestamp(case.create_time.seconds, "%F %T ")
$Last_Stage = case.stage
$Case_Status = case.status
$Last_Handled_Analyst = strings.concat(case.last_modifying_user.given_name, " ", case.last_modifying_user.family_name)
$Case_Closed = case.closure_details.reason
$Root_Cause = case.closure_details.root_cause

match:
    $Case_ID, $Case_Name, $Case_Creation_Time, $Last_Stage, $Case_Status, $Last_Handled_Analyst, $Case_Closed, $Root_Cause

order:
    $Case_Creation_Time desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Cases Over Time
Query:
$Date = timestamp.get_date(case.create_time.seconds)

match:
    $Date

outcome:
    $Count = count(case.name)

order:
    $Date desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Statistics
Query:
$Timestamp_Month = timestamp.get_timestamp(case.create_time.seconds, "%Y-%m")

match:
    $Timestamp_Month

outcome:
    $Alert_Count = count(case.alerts.metadata.id)
    $Cases_Count = count_distinct(case.name)
    $High_Priority_Case_Count = sum(if(case.priority = "PRIORITY_HIGH" or case.priority = "PRIORITY_CRITICAL", 1, 0))
    $Incident_Count = sum(if(case.incident = true, 1, 0))
    $High_Priority_Incident_Count = sum(if(case.incident = true and (case.priority = "PRIORITY_HIGH" or case.priority = "PRIORITY_CRITICAL"), 1, 0))

order:
    $Timestamp_Month desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Incident Closure Reasons Distribution
Query:
case.incident = true

$Reason = case.closure_details.reason

match:
    $Reason

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Incident Severities Distribution
Query:
case.incident = true

$Severity = case.alerts.metadata.detection.severity

match:
    $Severity

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Incidents Over Time
Query:
case.incident = true

$Date = timestamp.get_date(case.create_time.seconds)

match:
    $Date

outcome:
    $Count = count(case.name)

order:
    $Date desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Incident Priorities Distribution
Query:
case.incident = true

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 MITRE Techniques by Incident
Query:
case.incident = true
case.alerts.metadata.tags = /T[0-9]+/

$Technique = case.alerts.metadata.tags

match:
    $Technique

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 Case Tags
Query:
$Case_Tag = case.tags.name

match:
    $Case_Tag

outcome:
    $Count = count(case.tags.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: List of Environments
Query:
$Environment = case.environment

match:
    $Environment 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 Incidents by Root Cause
Query:
case.incident = true

$Root_Cause = case.closure_details.root_cause

match:
    $Root_Cause

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Top 10 Cases Closed
Query:
case.status = "CLOSED"

$Case = case.display_name

match:
    $Case

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Low Priority Cases
Query:
case.priority = "PRIORITY_MEDIUM"
or case.priority = "PRIORITY_LOW"
or case.priority = "PRIORITY_INFO"

$Timestamp_Daily = timestamp.get_date(case.create_time.seconds)
$Priority = case.priority

match:
    $Timestamp_Daily, $Priority

outcome:
    $Count = count(case.name)

order:
    $Timestamp_Daily desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Actions Over Time
Query:
$Date = timestamp.get_date(case.create_time.seconds)
$Stage = case.stage

match:
    $Date, $Stage

outcome:
    $Count = count(case.name)

order:
    $Date desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Distribution by Priority - Open Cases
Query:
case.status = "OPENED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Total Open Incidents
Query:
case.incident = true
case.status = "OPENED"

outcome:
    $Count = count(case.name) 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Priorities Distribution
Query:
$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Total Closed Incidents
Query:
case.incident = true
case.status = "CLOSED"

outcome:
    $Count = count(case.name) 

Dashboard: Case & Incident Analytics (SOAR)
Chart: Case Closure Reason Distribution
Query:
$Reason = case.closure_details.reason

match:
    $Reason

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: FEDRAMP Continuous Monitoring
Description: Provides visibility into FedRAMP compliance metrics and vulnerability tracking. Use these insights to prioritize remediation efforts and ensure a strong security posture.

Chart: Case Distribution by Priority - Closed Cases
Query:
case.status = "CLOSED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: FEDRAMP Continuous Monitoring
Chart: Case Distribution by Priority - Open Cases
Query:
case.status = "OPENED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: HIPAA Dashboard
Description: Provides visibility into PHI access and potential HIPAA violations to support proactive risk management. Ensure the ePHI_assets.Hostname data table is created for charts to load.

Chart: Open Cases Distribution by Priority
Query:
case.status = "OPENED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count(case.name)

order:
    $Count desc 

Dashboard: ISO27001 - Organizational Controls
Description: Provides real-time tracking of ISO 27001 audit metrics and security controls to identify gaps and maintain compliance. Note: Filters are required to refine results.

Chart: Top 10 Analysts by Incident Closures
Query:
case.status = "CLOSED"
case.incident = true

$Analyst = strings.concat(case.assignee.given_name, " ", case.assignee.family_name)

match:
    $Analyst

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: ISO27001 - Organizational Controls
Chart: Average Case Closure Time by Priority
Query:
case.status = "CLOSED"

$Case_Closed_Time = if(case.status = "CLOSED", case.update_time.seconds, 0)
$Priority = case.priority

match:
    $Priority

outcome:
    $Case_Create_Time = min(case.create_time.seconds)
    $Case_Close_Time = min($Case_Closed_Time)
    $Closure_Time = math.round((($Case_Close_Time - $Case_Create_Time)/60), 2)

order:
    $Priority desc

unselect:
    $Case_Create_Time, $Case_Close_Time 

Dashboard: SOC Workflow Monitoring (SOAR)
Description: Provides centralized tracking of alert detection, incident handling, and case management metrics. Use these insights to optimize resources, improve response efficiency, and maintain adherence to SLAs.

Chart: Case Closure Time
Query:
$Case_ID = case.response_platform_info.response_platform_id
$Case_Close_Time_ = if(case.status = "CLOSED", case.update_time.seconds, 0)
$Priority = case.priority

match:
    $Case_ID, $Priority

outcome:
    $Case_Create_Time = min(case.create_time.seconds)
    $Case_Close_Time = min($Case_Close_Time_)
    $Closure_Time = ($Case_Close_Time - $Case_Create_Time)/60

order:
    $Closure_Time desc

unselect:
    $Case_Create_Time, $Case_Close_Time 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Total Incidents Handled Automatically
Query:
case.closure_details.case_closed_action = "AUTOMATIC"
case.incident = true

outcome:
    $Count = count(case.incident) 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Analyst's Performance
Query:
case.assignee.email != ""

$User = case.assignee.email

match:
    $User

outcome:
    $Open_Cases_Count = sum(if(case.status="OPENED", 1, 0))
    $Closed_Cases_Count = sum(if(case.status="CLOSED", 1, 0)) 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Automatically vs Manually Handled Incidents Over Time
Query:
case.closure_details.case_closed_action = "MANUALLY"
or case.closure_details.case_closed_action = "AUTOMATIC"

case.incident = true

$Date = timestamp.get_date(case.create_time.seconds)

match:
    $Date, case.closure_details.case_closed_action

outcome:
    $Count = count(case.incident) 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Case Closure Summary
Query:
case.status = "CLOSED"

$Case_ID = case.response_platform_info.response_platform_id
$Case_Create_Timestamp = timestamp.get_timestamp(case.create_time.seconds, "%F %T ")
$Case_Close_Timestamp = timestamp.get_timestamp(case.update_time.seconds, "%F %T ")
$Case_Close_Time_ = if(case.status = "CLOSED", case.update_time.seconds, 0)

match:
    $Case_ID, $Case_Create_Timestamp, $Case_Close_Timestamp

outcome:
    $Case_Create_Time = min(case.create_time.seconds)
    $Case_Close_Time = min($Case_Close_Time_)
    $Closure_Time = ($Case_Close_Time - $Case_Create_Time)/60

order:
    $Case_ID desc

unselect:
    $Case_Create_Time, $Case_Close_Time 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Total Incidents Handled Manually
Query:
case.closure_details.case_closed_action = "MANUALLY"
case.incident = true

outcome:
    $Count = count(case.incident) 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Top 10 Analysts by Incident Closure
Query:
case.status = "CLOSED"
case.incident = true

$Analyst = strings.concat(case.assignee.given_name, " ", case.assignee.family_name)

match:
    $Analyst

outcome:
    $Count = count(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Top 10 Users by Case
Query:
case.alerts.entities.type = "USERUNIQNAME"

match:
    case.alerts.entities.type, case.alerts.entities.identifier

outcome:
    $Count = count_distinct(case.alerts.metadata.id)

order:
    $Count desc

limit:
    10 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Average Case Closure Time by Priority
Query:
case.status = "CLOSED"

$Case_Close_Time_ = if(case.status = "CLOSED", case.update_time.seconds, 0)
$Priority = case.priority

match:
    $Priority

outcome:
    $Case_Create_Time = min(case.create_time.seconds)
    $Case_Close_Time = min($Case_Close_Time_)
    $Closure_Time = ($Case_Close_Time - $Case_Create_Time)/60

order:
    $Priority desc

unselect:
    $Case_Create_Time, $Case_Close_Time 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Case Assignments Over Time
Query:
case.assignee.email != ""

$User = case.assignee.email
$Date = timestamp.get_date(case.create_time.seconds)

match:
    $User, $Date

outcome:
    $Count = count_distinct(case.response_platform_info.response_platform_id)

order:
    $Count desc 

Dashboard: SOC Workflow Monitoring (SOAR)
Chart: Alert Detection Summary
Query:
$Case_ID = case.response_platform_info.response_platform_id
$Alert = strings.coalesce(case.alerts.metadata.detection.threat_name, case.alerts.metadata.detection.rule_name)
$Alert_Generation_Timestamp = timestamp.get_timestamp(case.alerts.metadata.detection_time.seconds, "%F %T ")
$Alert_Detection_Timestamp = timestamp.get_timestamp(case.alerts.metadata.created_time.seconds, "%F %T ")

match:
    $Case_ID, $Alert, $Alert_Generation_Timestamp, $Alert_Detection_Timestamp

outcome:
    $Alert_Generation_Time = min(case.alerts.metadata.detection_time.seconds)
    $Alert_Detection_Time = min(case.alerts.metadata.created_time.seconds)
    $Detection_Delay = math.abs(($Alert_Detection_Time - $Alert_Generation_Time)/60)

order:
    $Alert_Generation_Time desc

unselect:
    $Alert_Generation_Time, $Alert_Detection_Time 

Dashboard: Security Management Overview
Description: Provides centralized visibility into response performance and operational trends. It helps security teams track progress and make informed decisions to strengthen the security posture.

Chart: Open Cases by Age
Query:
case.status = "OPENED"

match:
    case.display_name, case.environment

outcome:
    $Age = max(timestamp.current_seconds() - case.create_time.seconds)/86400
    // Ages of exactly 1 day and ages between 2 and 7 days fall outside these ranges and receive no label.
    $Day_Range = if($Age >= 21, "> 3 Weeks",
                  if($Age >= 14 and $Age < 21, "2 Weeks",
                  if($Age >= 7 and $Age < 14, "1 Week",
                  if($Age <= 2 and $Age > 1, "2 Days",
                  if($Age < 1, "Same Day")))))

order:
    $Age desc

Dashboard: Security Management Overview
Chart: Cases Last Update more than 7 Days Ago
Query:
case.status = "OPENED"

match:
    case.environment

outcome:
    $Age = (timestamp.current_seconds() - max(case.update_time.seconds))/86400
    $Day_Range = if($Age >= 21, ">3 Weeks",
                  if($Age >= 14, "2 Weeks",
                  if($Age >= 7, "1 Week")))
    $Count = count_distinct(case.name)

condition:
    $Age >= 7 

Dashboard: Security Management Overview
Chart: Open Case Tags Overview - 7 days
Query:
case.status = "OPENED"
$Tag = case.tags.name
$Tag != ""

match:
    $Tag

outcome:
    $Count = count(case.response_platform_info.response_platform_id)

order:
    $Count desc 

Dashboard: Security Management Overview
Chart: Analyst Productivity (Closed Cases) - 7 days
Query:
case.assignee.email != ""

$User = case.assignee.email

match:
    $User

outcome:
    $Closed_Cases_Count = sum(if(case.status="CLOSED", 1, 0))

order:
    $Closed_Cases_Count desc 

Dashboard: Security Management Overview
Chart: Open Cases by Environment - Last 7 Days
Query:
case.status = "OPENED"

$Date = timestamp.get_date(case.create_time.seconds)

match:
    $Date, case.environment

outcome:
    $count = count_distinct(case.response_platform_info.response_platform_id) 

Dashboard: Security Management Overview
Query:
case.status = "CLOSED"

outcome:
    $Count = count(case.name)

Dashboard: Security Management Overview
Chart: Analyst Workloads
Query:
case.assignee.email != ""

$User = case.assignee.email
$Date = timestamp.get_date(case.create_time.seconds)

match:
    $User, $Date

outcome:
    $Count = count(case.response_platform_info.response_platform_id) 

Dashboard: Security Management Overview
Query:
case.status = "OPENED"
or case.status = "CLOSED"

outcome:
    $total = count_distinct(case.response_platform_info.response_platform_id) 

Dashboard: Security Management Overview
Chart: % Automated Closure - Last 7 Days
Query:
case.status = "CLOSED"

outcome:
    $TotalClosedCases = count_distinct(case.name)
    $AutoClosedCases = sum(if(case.closure_details.case_closed_action = "AUTOMATIC", 1, 0))
    $Automation_Rate = if($TotalClosedCases > 0, math.round(($AutoClosedCases / $TotalClosedCases) * 100, 0), 0) 

Dashboard: Security Management Overview
Chart: Cases Priority - Last 24 Hours
Query:
case.status = "OPENED"

$Priority = case.priority

match:
    $Priority

outcome:
    $Count = count_distinct(case.response_platform_info.response_platform_id)

order:
    $Priority desc 

Dashboard: Security Management Overview
Chart: MTTR by SOC Role - Last 7 Days
Query:
case.status = "CLOSED"
case.assignee.soc_roles != ""

$SOC_Role = case.assignee.soc_roles
$Date = timestamp.get_date(case.create_time.seconds)

match:
    $SOC_Role, $Date

outcome:
    $MTTR = math.round(avg((case.update_time.seconds - case.create_time.seconds) / 60) ,2) 

Dashboard: Security Management Overview
Chart: Open Critical/High Cases - Last 24 Hours
Query:
case.status = "OPENED"
case.priority = "PRIORITY_CRITICAL" or case.priority = "PRIORITY_HIGH"

outcome:
    $count = count_distinct(case.response_platform_info.response_platform_id) 

Dashboard: Security Management Overview
Chart: Analyst Backlog (Open Cases) - 7 days
Query:
case.assignee.email != ""
case.status = "OPENED"

$User = case.assignee.email

match:
    $User

outcome:
    $Open_Cases_Count = sum(if(case.status="OPENED", 1, 0))

order:
    $Open_Cases_Count desc 

Dashboard: Security Management Overview
Query:
case.status = "OPENED"

outcome:
    $total = count_distinct(case.response_platform_info.response_platform_id) 

Dashboard: Security Management Overview
Chart: Top 10 MITRE ATT&CK Tactics - Last 7 Days
Query:
$Tactic = case.alerts.metadata.tags
$Tactic = /^TA+/

match:
    $Tactic

outcome:
    $Count = count_distinct(case.name)

order:
    $Count desc

limit:
    10 

Dashboard: Security Management Overview
Query:
case.incident = true
case.status = "OPENED"

outcome:
    $Count = count(case.name) 

Dashboard: Security Management Overview
Chart: Top 10 MITRE ATT&CK Techniques - Last 7 Days
Query:
$Technique = case.alerts.metadata.tags
$Technique = /^T1+/

match:
    $Technique

outcome:
    $Count = count_distinct(case.name)

order:
    $Count desc

limit:
    10