01-18-2024 11:18 PM
Hello Everyone,
We wanted to calculate the mean time to detection in XSIAM. Hence we require the field names which hold the creation time of the alert and the actual generation time of the event related to that alert. I believe the difference between these two will provide us the expected result.
Regards,
Vinay
01-19-2024 07:48 AM
I have tried to analyze the different fields available in the "Alerts" dataset. After analyzing multiple alerts and correlating them with the actual events, I came up with the following conclusion.
Field:
- _time: This field has the timestamp of the actual event which qualified as an alert.
- event_timestamp: This field has the event timestamp in epoch time format. This value is the same as _time most of the time.
- local_insert_ts: This field seems to hold the alert creation timestamp.
Based on my analysis, I think "local_insert_ts" - "_time" will give us the detection time.
Can anyone verify this and let me know your inputs and validation?
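As an added illustration of the "local_insert_ts" - "_time" calculation proposed above (example code written for this page, not code from the original thread or from Palo Alto Networks): the script below takes alert records exported from the alerts dataset, computes the per-alert gap between the event time and the alert creation time, and aggregates it. It assumes the records are available as Python dicts carrying the three field names named in the post, with timestamps either as ISO-8601 strings or as epoch seconds/milliseconds; the field units, the millisecond threshold and the helper names (to_datetime, detection_latency_seconds, summarize) are assumptions, and the sample records are constructed, not real XSIAM output. Alerts with a missing field or a negative gap (creation before the event, e.g. clock skew or backfilled data) are reported separately rather than silently averaged in, since they would otherwise distort the figure.

```python
"""Alert-creation latency from exported XSIAM alert records (illustrative).

Assumptions (not from the thread): records are dicts with the fields
_time, event_timestamp and local_insert_ts; timestamps are ISO-8601
strings or epoch seconds/milliseconds; values above 1e11 are treated as
milliseconds. Sample data below is constructed for this example.
"""
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample, not real XSIAM output.
SAMPLE_ALERTS = [
    {"alert_id": "a1", "_time": "2024-01-19T07:00:00Z",
     "event_timestamp": 1705647600000, "local_insert_ts": "2024-01-19T07:04:30Z"},
    {"alert_id": "a2", "_time": "2024-01-19T07:10:00Z",
     "event_timestamp": 1705648200000, "local_insert_ts": "2024-01-19T07:10:45Z"},
    {"alert_id": "a3", "_time": "2024-01-19T07:20:00Z",
     "event_timestamp": 1705648800000, "local_insert_ts": "2024-01-19T07:22:00Z"},
    # _time absent: fall back to event_timestamp (epoch seconds here)
    {"alert_id": "a4", "event_timestamp": 1705649400,
     "local_insert_ts": "2024-01-19T07:31:00Z"},
    # creation time earlier than event time: negative gap, must be flagged
    {"alert_id": "a5", "_time": "2024-01-19T07:40:00Z",
     "event_timestamp": 1705650000000, "local_insert_ts": "2024-01-19T07:39:00Z"},
    # no creation timestamp at all
    {"alert_id": "a6", "_time": "2024-01-19T07:50:00Z", "event_timestamp": 1705650600000},
]


def to_datetime(value):
    """Normalise an epoch number or ISO-8601 string to an aware UTC datetime."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        # Heuristic (assumption): epoch values above 1e11 are milliseconds.
        seconds = value / 1000 if value > 1e11 else value
        return datetime.fromtimestamp(seconds, tz=timezone.utc)
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    raise ValueError(f"unsupported timestamp value: {value!r}")


def detection_latency_seconds(alert):
    """local_insert_ts minus the event time, in seconds.

    Uses _time when present and falls back to event_timestamp otherwise.
    Raises KeyError if neither an event time nor local_insert_ts exists.
    """
    event_value = alert.get("_time", alert.get("event_timestamp"))
    if event_value is None:
        raise KeyError("_time/event_timestamp")
    created = to_datetime(alert["local_insert_ts"])
    return (created - to_datetime(event_value)).total_seconds()


def summarize(alerts):
    """Aggregate latencies; skip records that are incomplete or negative."""
    latencies, skipped = [], []
    for alert in alerts:
        try:
            gap = detection_latency_seconds(alert)
        except (KeyError, ValueError) as exc:
            skipped.append((alert.get("alert_id"), f"missing/invalid field: {exc}"))
            continue
        if gap < 0:
            skipped.append((alert.get("alert_id"), f"negative gap {gap}s"))
            continue
        latencies.append(gap)
    if not latencies:
        return {"count": 0, "mean_s": None, "median_s": None, "max_s": None, "skipped": skipped}
    return {
        "count": len(latencies),
        "mean_s": mean(latencies),
        "median_s": median(latencies),
        "max_s": max(latencies),
        "skipped": skipped,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ALERTS)
    print(f"alerts measured: {result['count']}, mean {result['mean_s']}s, "
          f"median {result['median_s']}s, max {result['max_s']}s")
    for alert_id, reason in result["skipped"]:
        print(f"skipped {alert_id}: {reason}")
```

The median is reported alongside the mean because a single slow correlation run skews the mean badly; and, as the next reply points out, what this measures is the time from the event reaching XSIAM to the alert being written, not the time from first compromise to detection.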
01-19-2024 06:51 AM
Vinay-AS,
This metric may not give you what you're really after, as you're essentially only going to be measuring the latency between a message being sent to XSIAM and the time it takes XSIAM to process the event into a dataset and run the correlation rule to create the alert. Calculating a true MTTD may require log analysis on the affected systems to determine when a threat truly first began affecting the endpoint and when we first generated an alert. Just because an alert was fired doesn't mean that is the first time the endpoint was affected.
All that being said, there isn't a simple query to do this, as the alert dataset does not have information about the raw contributing events; it only knows when the alert was created. You would have to determine what the first contributing event was, then query that data to determine the timestamp for that event and compare it with the creation time of the alert.