- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
How Can I Calculate/Measure the Average/Mean Time To Contain a Security Incident in Security Incident Response?
Dear ServiceNow Community Colleagues, I would greatly appreciate any help/guidance on this:
I have been asked by a client to calculate, measure and show on a Performance Analytics Dashboard, the measurement : 'Mean Time to Contain' (Average Time to Contain) a Security Incident, in the Security Incident Response (SIR) module, including showing this for historical records.
'Contain' is one of the 'States', that the Security Incident can be set to, for any period of time.
Please kindly provide guidance on the metrics and calculation, the automated / formula indicators and most importantly, what is the Script I need to use, to calculate 'Mean Time to Contain' for an SIR (on the Security Incident table)?
Is this even possible to calculate to gather historical records (using Performance Analytics) for 'Mean Time to Contain', or can this only be established by setting up a scripted 'Metric' and then measured going forward, by gathering duration for the time Security Incidents are in the 'Contain' state, going forwards (but not possible for historical measurement) ?
Thanks very much as always, for any guidance & advice on how to achieve this.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
What did you already try?
Did you check on existing (OOB) indicators on other tables? Looking at something like "Average Time to Publish" on knowledge should already give you some guidance.
It references the 'Knowledge.Publish.Days' script you could use to add your own logic for the SIR.
I don't have SIR installed on my PDI, so I can't check, but it could be that you need to create a metric to run your job on, if 'contain' is not registered as date/time field somewhere (like 'resolved' or 'closed').
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
What did you already try?
Did you check on existing (OOB) indicators on other tables? Looking at something like "Average Time to Publish" on knowledge should already give you some guidance.
It references the 'Knowledge.Publish.Days' script you could use to add your own logic for the SIR.
I don't have SIR installed on my PDI, so I can't check, but it could be that you need to create a metric to run your job on, if 'contain' is not registered as date/time field somewhere (like 'resolved' or 'closed').
Please mark any helpful or correct solutions as such. That helps others find their solutions.
Mark
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
@Mark Manders thanks very much Mark, I appreciate the feedback/advice. I have done this, you are correct. In my use case, I will have to set up a Metric to gather these stats, as 'Contain' is not a registered date/time field - it is merely a Lifecycle 'State'.
