Monitor Your Security Operations Activities

InsightIDR aggregates alert and investigation data across your entire organization and displays it in a single, powerful dashboard so that you can feel confident about your organization’s security posture. The Security Operations Activity dashboard synthesizes your data into actionable insights, making it easier to respond to alerts, report on threat trends, and analyze the overall effectiveness of your security team. Keep reading to learn about the different ways this powerful dashboard can help you successfully monitor your organization’s security operations!

The Security Operations Activity dashboard enables you to:

  • Analyze your security team’s investigation activity.
  • Understand investigation trends over a selected period of time.
  • Determine how quickly investigations are being resolved.
  • Review which alert types are triggered the most.
  • Understand which part of the attack chain is the most targeted.
  • Determine how often tickets are reopened by alert type.

Changing the granularity of your data

There are a couple of ways to change the granularity of data that appears on your Security Operations Activity dashboard. You can select a time range from the date picker at the top of the dashboard, which updates the scope of the data displayed in each card based on your selection. Additionally, some cards allow you to further change the granularity of the data by day, week, month, or quarter. Here are a few things to note about how date and time details are displayed:

  • All date and time details are processed using the UTC time zone.
  • View by Day: Starts at midnight each day.
  • View by Week: Starts at midnight Monday each week.
  • View by Month: Starts at midnight the first day of each calendar month.
  • View by Quarter: Starts at midnight the first day of each calendar quarter.
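To reconcile dashboard counts against timestamps from another tool, the bucketing rules above can be reproduced as follows. This is an added example, not InsightIDR code; the function names and the sample timestamps are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

def bucket_start(ts, view):
    """Return the UTC start of the day/week/month/quarter bucket holding ts."""
    if ts.tzinfo is None:
        raise ValueError("timestamp must carry a time zone")
    # All bucketing happens in UTC, so convert before truncating.
    midnight = ts.astimezone(timezone.utc).replace(
        hour=0, minute=0, second=0, microsecond=0)
    if view == "day":
        return midnight
    if view == "week":
        # weekday() is 0 for Monday, so this steps back to Monday midnight.
        return midnight - timedelta(days=midnight.weekday())
    if view == "month":
        return midnight.replace(day=1)
    if view == "quarter":
        first_month = 3 * ((midnight.month - 1) // 3) + 1
        return midnight.replace(month=first_month, day=1)
    raise ValueError(f"unknown view: {view}")

def count_by_bucket(timestamps, view):
    """Count events per bucket, keyed by the bucket's UTC start."""
    return Counter(bucket_start(ts, view) for ts in timestamps)

# Constructed sample: creation times as a local tool might record them.
UTC_MINUS_5 = timezone(timedelta(hours=-5))
CREATED = [
    # Sunday 21:30 locally is Monday 02:30 UTC: next day, week, month, quarter.
    datetime(2024, 3, 31, 21, 30, tzinfo=UTC_MINUS_5),
    datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 29, 12, 0, tzinfo=timezone.utc),
]

if __name__ == "__main__":
    for view in ("day", "week", "month", "quarter"):
        for start, n in sorted(count_by_bucket(CREATED, view).items()):
            print(f"{view:8} {start:%Y-%m-%d %a} {n}")
```

The first sample timestamp falls on 31 March in its local zone but lands in the 1 April bucket at every granularity once converted to UTC, which is the usual cause of off-by-one differences between local reports and the dashboard.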

Analyzing investigation activity

With InsightIDR, you can gain visibility into your security team’s performance and the overall threat trends facing your organization during a specified time range.

Analyze your team’s investigation activity

The Investigation Activity card lets you see which activities have been opened, assigned, closed, and reopened during a selected time range. For overall team performance, it is important to show accumulated activities of each type and how many are still in those states today. Ideally, there will be 0 investigations for each type (still open, still assigned, still reopened) when viewing the results for “Today”.

The Investigation Activity Trends card provides a visual representation of notable trends in your team’s investigations. You can determine whether the alert volume during a selected time frame is within the expectations set by your organization. You can view trends by analyst, alert type, attack chain, and month. We also calculate the percentage of increase or decrease in closed investigations during the specified time range.

In a healthy security team, all 3 lines follow each other closely. Each opened investigation should be quickly assigned and closed as soon as possible. As you broaden the date granularity from the “View by Day” dropdown, the counts from each line should get closer to each other.

Determine whether investigations are resolving more quickly over time

The following card calculates the average time to close investigations, providing you with clear visibility into the efficiency of your team’s response to threats.

Handling investigations takes time. When a security team is running at peak performance, the Average Time to Close should show a flat or near-level trend over time. The Average Time to Assign should be non-zero, and the team should encourage analysts to assign investigations.

Understand how quickly investigations are being resolved by alert type

The following card helps you to understand the efficiency of your security team’s response across multiple alert types so you can identify areas for improvement. This card calculates both the average time to assign and the average time to close a ticket across the top ten alert types. You can change the scope of the data that displays on the card by selecting a specific time range.

How does Top 10 work for this card?

As there are two sorting options available in this card, InsightIDR identifies the Top 10 Alert Types with the highest average time to close, and performs sorting within those 10 Alert Types. In other words, sorting by “Average Time to Assign” and “Average Time to Close” is always completed within the top 10 alert types from “Average Time to Close”.

Use the Average for All Alerts as the general barometer against which to compare each Alert Type. As you monitor your organization’s alert activity, you may find that certain trends warrant closer scrutiny. For example, if the Average Time to Close for a single alert type is higher than the Average for All Alerts, it could indicate a lack of familiarity with handling investigations of this type, or that certain security team procedures, like promptly closing investigations, are being neglected.
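The two-step Top 10 selection and the comparison against the Average for All Alerts can be reproduced on your own investigation records like this. This is an added example, not InsightIDR code: the record layout (alert type, hours to assign, hours to close), the descending sort order, and computing the overall average across all investigations are assumptions, and the data is constructed.

```python
from collections import defaultdict
from statistics import mean

def per_type_averages(investigations):
    """Average time to assign and time to close for each alert type."""
    buckets = defaultdict(lambda: {"assign": [], "close": []})
    for alert_type, to_assign, to_close in investigations:
        buckets[alert_type]["assign"].append(to_assign)
        buckets[alert_type]["close"].append(to_close)
    return [{"alert_type": t,
             "avg_assign": mean(v["assign"]),
             "avg_close": mean(v["close"])} for t, v in buckets.items()]

def top10_card(investigations, sort_by="avg_close"):
    """Pick the top 10 by average time to close, then sort within them."""
    if sort_by not in ("avg_assign", "avg_close"):
        raise ValueError(f"unknown sort key: {sort_by}")
    rows = per_type_averages(investigations)
    # Step 1: membership is always decided by average time to close.
    top10 = sorted(rows, key=lambda r: r["avg_close"], reverse=True)[:10]
    # Step 2: the chosen sort only reorders those 10 (assumed descending).
    return sorted(top10, key=lambda r: r[sort_by], reverse=True)

def average_for_all(investigations):
    """Overall average time to close (assumed: across all investigations)."""
    return mean(to_close for _, _, to_close in investigations)

def above_average(investigations):
    """Top 10 alert types that close more slowly than the overall average."""
    baseline = average_for_all(investigations)
    return [r["alert_type"] for r in top10_card(investigations)
            if r["avg_close"] > baseline]

# Constructed sample: 12 hypothetical alert types, two investigations each,
# as (alert_type, hours_to_assign, hours_to_close).
SAMPLE = []
for i in range(1, 13):
    name = f"alert-type-{i:02d}"
    # alert-type-02 is the slowest to assign but among the fastest to close.
    to_assign = 15 if i == 2 else i
    SAMPLE += [(name, to_assign, 10 * i - 1), (name, to_assign, 10 * i + 1)]

if __name__ == "__main__":
    for row in top10_card(SAMPLE, sort_by="avg_assign"):
        print(row)
    print("Average for all:", average_for_all(SAMPLE), above_average(SAMPLE))
```

In the sample, alert-type-02 has the highest average time to assign of any type, yet it never appears when sorting by Average Time to Assign, because it ranks eleventh by average time to close.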

Reviewing Attack Trends

To better understand incoming attack vectors, InsightIDR breaks down the alerts into categories so that you can identify attack trends and their overall impact on your organization.

Determine which alert types are triggered the most

InsightIDR provides visibility into the alerts that are generating the most activity so that you can quickly understand the riskiest event sources on your network.

The following card displays the top 10 Alert Types opened within the selected time period. The trend sparkline visualization for each Alert Type shows inbound threat behavior.

Understand the most targeted parts of the attack chain

Understanding the most targeted parts of the Attack Chain is useful when analyzing your organization’s current security infrastructure. Ideally there should be very few investigations of the Mission Target type. If there is a large number of Mission Target investigations compared to other Attack Chain types, it is worth looking into the causes of those investigation alerts and addressing those potential vulnerabilities.

The following card allows you to easily identify the most targeted areas in your organization during a specified time range.

Improving Analyst Efficiency

The Security Operations Activity dashboard displays the number of investigations that were reopened across each alert type over a selected period of time, providing you with visibility into the efficiency of your team and potential areas for improvement.

A reopened investigation means that the resolution was performed incorrectly at the time of closing. This type of error indicates inefficient security operations and should be minimized.