MTTD calculation for Security records
3 weeks ago
Is there a way to report on MTTD (mean time to detect) for particular support groups or a canned report that visualizes this?
Labels: Security Operations
3 weeks ago - last edited 3 weeks ago
Hey there,

I would first check out the baseline Metric Definitions on the Security Incident table:
- This will show you what particular metrics are being measured and for what fields
- Metrics > Definitions > Table = sn_si_incident
- I would start with reviewing the Metric named "Time to identify"
  - This captures the duration of time between the SIR State going beyond the State of Draft to Analysis (which tends to indicate the Security Incident is picked up)
  - You may need to create a separate metric if you want to measure a different duration (e.g. Time to go from Draft -> Analysis).

Then, check out the baseline database view that glues together the metric instances and the SIR table:
- In the left nav, go to [sn_si_security_incident_view.list]
- This is the table that is used to create reports on the actual metrics being calculated in SIR
- You'll have access to both the Metric instance fields (e.g. Duration, Metric) and SIR fields (e.g. Assignment Group, Priority, Category, etc.) to build queries and reports from
I suspect the Metric named "Time to identify" might be close enough to what you are looking for, and if not a similar Metric Definition could be crafted to capture the duration of the exact scenario you are looking to measure, then you could create your reports on that broadly or for a particular Team from the database view (sn_si_security_incident_view).
The idea would be to first get a Metric going that measures what you need, then query/report off the database view that stitches together the SIR table with the Metric instance table (to show the attached metrics for each SIR).
There is a baseline report on the Security Incident Manager Overview Dashboard that reports on the "Time to Identify" metric for Security Incidents (Avg Time to Identify):
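As an added example (not code from the thread, not ServiceNow's own metric implementation), the script below models the "Time to identify" logic described above as the time from a Security Incident being opened in Draft until its first transition into Analysis, and then averages it per Assignment Group, which is the grouping the database view (sn_si_security_incident_view) exposes for reporting. The record shape (number, group, opened, history) and the sample SIR numbers are constructed for illustration; it shows why incidents still sitting in Draft must be reported as open rather than folded into the mean.

```javascript
// Added example: "Time to identify" (Draft -> Analysis) computed from state
// history and averaged per Assignment Group. Field names are assumptions.

// Constructed sample records: one row per SIR with its state-change history.
const SAMPLE_INCIDENTS = [
  { number: "SIR0010001", group: "SOC Tier 1", opened: "2024-05-01T08:00:00Z",
    history: [{ state: "Analysis", at: "2024-05-01T08:45:00Z" },
              { state: "Contain",  at: "2024-05-01T10:00:00Z" }] },
  { number: "SIR0010002", group: "SOC Tier 1", opened: "2024-05-01T09:00:00Z",
    history: [{ state: "Analysis", at: "2024-05-01T11:15:00Z" }] },
  { number: "SIR0010003", group: "Threat Hunting", opened: "2024-05-02T00:00:00Z",
    history: [{ state: "Analysis", at: "2024-05-02T00:30:00Z" }] },
  // Still in Draft: nobody has picked it up, so there is no duration to average.
  { number: "SIR0010004", group: "SOC Tier 1", opened: "2024-05-02T06:00:00Z",
    history: [] },
];

// Milliseconds from opened until the first Analysis transition, or null when
// the incident has not reached Analysis (the metric instance would still be open).
function timeToIdentifyMs(sir) {
  const picked = sir.history.find(h => h.state === "Analysis");
  if (!picked) return null;
  const ms = Date.parse(picked.at) - Date.parse(sir.opened);
  return ms >= 0 ? ms : null; // guard against a clock skew / bad data row
}

// Mean time to identify per group, in hours (2 decimals), plus how many SIRs
// were detected and how many are still open, so a report can show both.
function mttdByGroup(incidents) {
  const acc = {};
  for (const sir of incidents) {
    if (!acc[sir.group]) acc[sir.group] = { totalMs: 0, detected: 0, open: 0 };
    const g = acc[sir.group];
    const ms = timeToIdentifyMs(sir);
    if (ms === null) { g.open++; continue; }
    g.totalMs += ms;
    g.detected++;
  }
  const out = {};
  for (const [group, g] of Object.entries(acc)) {
    const meanHours = g.detected ? (g.totalMs / g.detected) / 36e5 : null;
    out[group] = {
      mttdHours: meanHours === null ? null : Math.round(meanHours * 100) / 100,
      detected: g.detected,
      open: g.open,
    };
  }
  return out;
}

console.log(mttdByGroup(SAMPLE_INCIDENTS));
```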