How Can I Calculate/Measure 'Mean Time To Contain' a Security Incident in Security Incident Response

WazzaJC
Tera Expert


Dear ServiceNow Community Colleagues
I have been asked by a client to calculate, measure and show on a Performance Analytics Dashboard, the 'Mean Time to Contain' a Security Incident, in the Security Incident Response module.
Please kindly provide guidance on the metrics and calculation, the automated / formula indicators and most importantly, what is the Script I need to use, to calculate 'Mean Time to Contain' an SIR (on the sn_si_incident table)?
Thanks very much as always, for any guidance & advice on how to achieve this.

1 REPLY

Dr Atul G- LNG
Tera Patron

Something I got on ChatGPT, please check its validity.
In ServiceNow, calculating the Mean Time to Contain (MTTC) involves measuring the average duration between the identification of a security incident and the successful implementation of containment measures to stop further damage. MTTC is crucial for identifying bottlenecks in the incident response lifecycle, specifically during the "Containment" phase.
Formula for MTTC
[Formula image: MTTC = sum of (Containment Time − Detection Time) over contained incidents, divided by the number of those incidents]

  • Containment Time: When the breach is stopped (e.g., in ServiceNow, when the State moves to "Containment" or similar).
  • Detection Time: When the incident was first identified/reported.
How to Calculate in ServiceNow
Because "Containment" is a specific stage within Security Operations (SecOps), this calculation often requires Performance Analytics (PA) or customized metrics to track the state change accurately.
  1. Use Security Incident Response (SIR) Metrics:
    • Navigate to Metric Definitions (metric_definition_list.do) to see existing metrics.
    • Review the "Time to Identify" or "Time to Contain" metrics (often on the sn_si_incident table).
    • These metrics track the duration between security incident states (e.g., from "Analysis" to "Containment").
  2. Performance Analytics (PA):
    • Use Performance Analytics to create a breakdown on the Security Incident Response Dashboard.
    • Configure a Performance Analytics Indicator to calculate the average (MTTC) of the duration between the detection and containment time stamps.
  3. Database View & Reporting:
    • Utilize the sn_si_security_incident_view database view to connect metric instances with security incident fields (like Assignment Group or Severity).
    • Create a Report based on metric_instance to report on the "Containment" metric definition.
*************************************************************************************************************
Regards
Dr. Atul G. - Learn N Grow Together
ServiceNow Techno - Functional Trainer
LinkedIn: https://www.linkedin.com/in/dratulgrover
YouTube: https://www.youtube.com/@LearnNGrowTogetherwithAtulG
Topmate: https://topmate.io/dratulgrover [ Connect for 1-1 Session]

****************************************************************************************************************
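As an added worked example, not code from the original question, the reply above, or ServiceNow itself, here is a script that does what the reply describes in steps 1 and 2: it takes the rows of a "Time to Contain" metric (start = detection, end = containment), computes MTTC over contained incidents only, reports open and inconsistent rows separately, and breaks the result down by a chosen field the way a PA breakdown would. The sample rows are constructed; the column names `start`, `end`, `calculation_complete` and `id` follow the metric_instance table, the metric definition sys_id is a placeholder, and the mapping of metric start/end to detection/containment is an assumption to verify against the instance's own metric definitions. ES5 syntax is used so the same functions run in a ServiceNow background script and in Node.

```javascript
// Added example, not code from the original post, the reply, or ServiceNow itself.
// Computes Mean Time to Contain (MTTC) from a "Time to Contain" metric, assuming the
// metric starts at detection and ends at containment. Column names (id, start, end,
// calculation_complete) follow metric_instance; verify them on the target instance.

var MS_PER_HOUR = 3600 * 1000;

// Accepts ISO 8601 or ServiceNow's internal "YYYY-MM-DD HH:MM:SS" form (stored in UTC).
function parseUtc(value) {
  if (!value) return null;
  var iso = /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/.test(value)
    ? value.replace(' ', 'T') + 'Z'
    : value;
  var ms = Date.parse(iso);
  return isNaN(ms) ? null : ms;
}

// Hours from detection to containment, or null when the incident is not yet contained
// or its timestamps are inconsistent (containment recorded before detection).
function timeToContainHours(inst) {
  if (!inst.calculation_complete) return null;
  var start = parseUtc(inst.start);
  var end = parseUtc(inst.end);
  if (start === null || end === null || end < start) return null;
  return (end - start) / MS_PER_HOUR;
}

// Mean over contained incidents only. Open or invalid rows are counted as excluded
// rather than silently dropped, so a growing backlog of uncontained incidents shows up
// next to the average instead of hiding behind it.
function meanTimeToContain(instances) {
  var total = 0, counted = 0, excluded = 0;
  instances.forEach(function (inst) {
    var h = timeToContainHours(inst);
    if (h === null) { excluded++; return; }
    total += h;
    counted++;
  });
  return { meanHours: counted ? total / counted : null, counted: counted, excluded: excluded };
}

// Breakdown by any field carried on the row (severity, assignment_group, ...).
function meanTimeToContainBy(instances, field) {
  var groups = {};
  instances.forEach(function (inst) {
    var key = inst[field];
    (groups[key] = groups[key] || []).push(inst);
  });
  var out = {};
  Object.keys(groups).forEach(function (key) { out[key] = meanTimeToContain(groups[key]); });
  return out;
}

// Server-side adapter: turn a queried GlideRecord on metric_instance into plain rows.
// Assumed usage in a background script (GlideRecord does not exist outside the platform):
//   var gr = new GlideRecord('metric_instance');
//   gr.addQuery('definition', TIME_TO_CONTAIN_DEFINITION_SYS_ID); // placeholder sys_id
//   gr.query();
//   gs.info(JSON.stringify(meanTimeToContain(fromGlideRecord(gr))));
function fromGlideRecord(gr) {
  var rows = [];
  while (gr.next()) {
    rows.push({
      id: gr.getValue('id'),                 // sys_id of the sn_si_incident record
      start: gr.getValue('start'),           // metric start (detection)
      end: gr.getValue('end'),               // metric end (containment); empty while open
      calculation_complete: gr.getValue('calculation_complete') === '1' // booleans arrive as '0'/'1'
    });
  }
  return rows;
}

// Constructed sample rows shaped like metric_instance joined to the incident's severity
// (incident numbers stand in for sys_ids for readability).
var SAMPLE_METRIC_INSTANCES = [
  { id: 'SIR0010001', severity: '1 - Critical', start: '2024-03-01 08:00:00', end: '2024-03-01 10:30:00', calculation_complete: true },
  { id: 'SIR0010002', severity: '2 - High',     start: '2024-03-02 09:15:00', end: '2024-03-02 13:15:00', calculation_complete: true },
  { id: 'SIR0010003', severity: '1 - Critical', start: '2024-03-03 00:00:00', end: '2024-03-03 01:00:00', calculation_complete: true },
  { id: 'SIR0010004', severity: '3 - Moderate', start: '2024-03-04 12:00:00', end: '',                    calculation_complete: false }, // still open
  { id: 'SIR0010005', severity: '2 - High',     start: '2024-03-05 10:00:00', end: '2024-03-05 09:00:00', calculation_complete: true }   // end before start: bad data
];

function demo() {
  return {
    overall: meanTimeToContain(SAMPLE_METRIC_INSTANCES),
    bySeverity: meanTimeToContainBy(SAMPLE_METRIC_INSTANCES, 'severity')
  };
}
```

On the sample data `demo()` reports an overall MTTC of 2.5 hours over 3 contained incidents with 2 excluded (one still open, one with containment recorded before detection). The two exclusions matter in practice: averaging only finished metric instances is what a PA indicator on metric_instance will do by default, so the number of open incidents should be shown on the same dashboard, and a negative duration usually means the state was set out of order or backdated and should be investigated rather than averaged in.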