topic SLA best practices in Cortex XSOAR Discussions

SLA best practices

MKececioglu — Mon, 16 May 2022 17:39:59 GMT

Hi,

I want to set sla times per severity type but it seems xsoar bind sla's to incident type, so i think i need to start each sla per severity in playbook by testing severity it is nearly clear for me. But i am confused what type of SLA should i create , xsoar gives you flexibility to create custom sla duration lets say; response time, detect time, resolve time, investigation start time, cust_wait etc. Is there any best practice guide to create sla types ?

Re: SLA best practices

MBeauchamp2 — Mon, 16 May 2022 21:55:00 GMT

You can use SLAs on Incident Types, or Start/Stop Timers in different places on the playbook.

Check out the video 10 for SLAs & Timers in this series, it may be helpful:

https://live.paloaltonetworks.com/t5/cortex-xsoar-how-to-videos/cortex-xsoar-how-to-customer-success-engineering-training-video/ta-p/484604

Re: SLA best practices

MKececioglu — Wed, 18 May 2022 13:37:09 GMT

@MBeauchamp2 thanks for response, now i am able to crate timers for each severity. But i have 56 severity level with 2 different timer in it so now i have added my playbook some conditional task and managed to start related timer. The issue is that when it comes to report creation i need to sum all 5 sla timer duration and calculate an avarege time but as these are custom sla's i cannot find a proper way to do it.

Re: SLA best practices

jfernandes1 — Thu, 19 May 2022 02:37:57 GMT

@MKececioglu Why 56? Are you creating multiple SLA Fields due to the SLA values per severity? If so, you can set the SLA for field by issuing the below command. The command can be called after the severity is set.

!setIncident slaField=<SLA_Filed_CLI_NAME> sla=<Numeric Value in minutes>

Once an incident is closed you can use the `incident.openDuration` field to check the duration of the incident. You can also have an additional timer\sla that calculates the overall time. You cannot add the `sla.totalDuration` field in a report.

Re: SLA best practices

MKececioglu — Thu, 19 May 2022 07:16:59 GMT

Hi @jfernandes1 ,

56 was a typo sorry, it is 5 severtiy indeed and for each severtiy i have 2 sla those are response time and resolution time. I have created 10 timer/ala based on this architecture and i am able to start these timers in playbook after test the sla condition in a conditional task. At the first response of an analyst playbook stops the response timer and after incident close by Default all timers stopped ( in this scenario resolution timer) all is Ok. But when it comes to a report to calculate these timer values for all incident in a time period i am confused about how to detect mean times based on these custom timers.

Re: SLA best practices

jfernandes1 — Thu, 19 May 2022 10:38:15 GMT

Hi @MKececioglu

Not sure if you can do it for a table output. But below is how you get it for chart.

Re: SLA best practices

MKececioglu — Mon, 06 Jun 2022 12:32:54 GMT

Hi,

setincident automation changes sla for a specific timer and everything is clear now.