How Can I Calculate/Measure Mean Time To Contain a Security Incident in Security Incident Response
4 hours ago - last edited 3 hours ago
How Can I Calculate/Measure Mean Time To Contain a Security Incident in Security Incident Response?
Dear ServiceNow Community Colleagues, I would greatly appreciate any help/guidance on this:
I have been asked by a client to calculate, measure and show on a Performance Analytics Dashboard the measurement 'Mean Time to Contain' (Average Time to Contain) a Security Incident, in the Security Incident Response (SIR) module, including showing this for historical records.
'Contain' is one of the Lifecycle States, that the Security Incident can be set to, for any period of time.
Please kindly provide guidance on the metrics and calculation, the automated / formula indicators and most importantly, what is the Script I need to use, to calculate 'Mean Time to Contain' for an SIR (on the Security Incident table)?
Is this even possible to calculate to gather historical records (using Performance Analytics) for 'Mean Time to Contain', or can this only be established by setting up a scripted 'Metric' and then measured going forward, by gathering duration for the time Security Incidents are in the 'Contain' state, going forwards (but not possible for historical measurement)?
Thanks very much as always, for any guidance & advice on how to achieve this.
2 hours ago
hey @WazzaJC
Yes — this is possible in ServiceNow SIR and can be shown in Performance Analytics.
Mean Time to Contain (MTTC) is typically calculated as:
(First time the Security Incident enters the “Contain” lifecycle state) – (Created time)
…and then averaged across incidents.
Historical reporting
This can also be calculated for historical records, as long as the lifecycle/state field changes were tracked in the platform (normally via sys_audit / record history). If the state field was not audited, then you’ll only be able to measure it going forward.
Recommended approach
The cleanest way is to build a PA scripted indicator source that:
- looks up the first time the record moved into “Contain”
- calculates the difference from sys_created_on
- returns the duration (seconds)
script
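```javascript
(function getMeanTimeToContainSeconds(current) {
    // Field name and stored value as given in this post; confirm both against
    // the Security Incident table's dictionary and choice list on your instance.
    var STATE_FIELD = "lifecycle_state";
    var CONTAIN_VALUE = "contain";

    // GlideElement objects are always truthy, so test for an empty value with nil().
    if (!current || !current.isValidRecord() || current.sys_created_on.nil())
        return 0;

    // Earliest audit entry where the state field changed to the Contain value.
    var audit = new GlideRecord("sys_audit");
    audit.addQuery("documentkey", current.getUniqueValue());
    audit.addQuery("fieldname", STATE_FIELD);
    audit.addQuery("newvalue", CONTAIN_VALUE);
    audit.orderBy("sys_created_on");
    audit.setLimit(1);
    audit.query();

    // No Contain entry in the audit history: reported as 0.
    if (!audit.next())
        return 0;

    // getValue() returns the stored UTC string, which GlideDateTime parses directly.
    var created = new GlideDateTime(current.getValue("sys_created_on"));
    var contained = new GlideDateTime(audit.getValue("sys_created_on"));

    var diffMs = contained.getNumericValue() - created.getNumericValue();
    if (diffMs <= 0)
        return 0;

    // Duration in whole seconds.
    return Math.floor(diffMs / 1000);
})(current);
```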
Once the indicator is collecting, you can display MTTC on PA widgets and trend it over time, plus break it down by assignment group, priority, etc.
If this response helps, please mark it as Accept as Solution and Helpful.
Doing so helps others in the community and encourages me to keep contributing.
Regards
Vaishali Singh
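
The calculation described in the answer above, worked through offline on constructed rows as an added example (not code from the post or from ServiceNow): it takes the first Contain entry per incident, leaves incidents with no Contain audit row out of the mean, and shows how the figure shifts when those incidents are counted as 0 seconds instead. The row shape and the `lifecycle_state` / `contain` values are assumptions carried over from the script; this is plain JavaScript that runs outside the platform.

```javascript
const STATE_FIELD = "lifecycle_state"; // assumed, as in the script above
const CONTAIN_VALUE = "contain";       // assumed, as in the script above

// Timestamps are treated as "YYYY-MM-DD HH:MM:SS" in UTC.
function toEpochSeconds(ts) {
  const ms = Date.parse(ts.replace(" ", "T") + "Z");
  if (Number.isNaN(ms)) throw new Error("bad timestamp: " + ts);
  return Math.floor(ms / 1000);
}
// Earliest transition into Contain per incident; later re-entries are ignored.
function firstContainTimes(auditRows) {
  const first = new Map();
  for (const row of auditRows) {
    if (row.fieldname !== STATE_FIELD || row.newvalue !== CONTAIN_VALUE) continue;
    const t = toEpochSeconds(row.sys_created_on);
    const prev = first.get(row.documentkey);
    if (prev === undefined || t < prev) first.set(row.documentkey, t);
  }
  return first;
}
// Mean over incidents with a Contain entry; the rest are listed, not averaged.
function meanTimeToContain(incidents, auditRows) {
  const first = firstContainTimes(auditRows);
  const durations = [], unmeasured = [];
  for (const inc of incidents) {
    const created = toEpochSeconds(inc.sys_created_on);
    const contained = first.get(inc.sys_id);
    if (contained === undefined || contained < created) unmeasured.push(inc.sys_id);
    else durations.push(contained - created);
  }
  const sum = durations.reduce((a, b) => a + b, 0);
  const mean = (n) => (n ? sum / n : null);
  // zeroFilledMean: same total spread over all incidents (unmeasured counted as 0).
  return { unmeasured, meanSeconds: mean(durations.length), zeroFilledMean: mean(incidents.length) };
}
// Constructed sample data: "c" has no Contain row (never contained, or not audited).
const SAMPLE_INCIDENTS = [
  { sys_id: "a", sys_created_on: "2024-03-01 10:00:00" },
  { sys_id: "b", sys_created_on: "2024-03-01 12:00:00" },
  { sys_id: "c", sys_created_on: "2024-03-02 09:00:00" },
];
const SAMPLE_AUDIT = [
  { documentkey: "a", fieldname: STATE_FIELD, newvalue: "analysis", sys_created_on: "2024-03-01 10:05:00" },
  { documentkey: "a", fieldname: STATE_FIELD, newvalue: CONTAIN_VALUE, sys_created_on: "2024-03-01 14:00:00" },
  { documentkey: "a", fieldname: STATE_FIELD, newvalue: CONTAIN_VALUE, sys_created_on: "2024-03-01 11:00:00" },
  { documentkey: "b", fieldname: STATE_FIELD, newvalue: CONTAIN_VALUE, sys_created_on: "2024-03-01 12:30:00" },
];
console.log(meanTimeToContain(SAMPLE_INCIDENTS, SAMPLE_AUDIT));
```

On the sample, the mean over the two contained incidents is 2700 seconds, while counting the unmeasured incident as 0 pulls it down to 1800.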
