SLA best practices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SLA best practices

L2 Linker

Hi,

 I want to set sla times per severity type but it seems xsoar bind sla's to incident type, so i think i need to start each sla per severity in playbook by testing severity it is nearly clear for me. But i am confused what type of SLA should i create , xsoar gives you flexibility to create custom sla duration lets say;  response time, detect time, resolve time, investigation start time, cust_wait etc. Is there  any best practice guide to create sla types ? 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @MKececioglu 

 

Not sure if you can do it for a table output. But below is how you get it for chart.

Screen Shot 2022-05-19 at 8.24.53 pm.png

View solution in original post

6 REPLIES 6

L4 Transporter

You can use SLAs on Incident Types, or Start/Stop Timers in different places on the playbook. 

 

Check out the video 10 for SLAs & Timers in this series, it may be helpful:

https://live.paloaltonetworks.com/t5/cortex-xsoar-how-to-videos/cortex-xsoar-how-to-customer-success...

L2 Linker

@MBeauchamp2 thanks for response, now i am able to crate timers for each severity. But i have 56 severity level with 2 different timer in it so now i have added my playbook some conditional task and managed to start related timer. The issue is that when it comes to report creation i need to sum all 5 sla timer duration and calculate an avarege time but as these are custom sla's i cannot find a proper way to do it.

L5 Sessionator

@MKececioglu Why 56? Are you creating multiple SLA Fields due to the SLA values per severity? If so, you can set the SLA for field by issuing the below command. The command can be called after the severity is set.  

 

!setIncident slaField=<SLA_Filed_CLI_NAME> sla=<Numeric Value in minutes>

 

Once an incident is closed you can use the `incident.openDuration` field to check the duration of the incident. You can also have an additional timer\sla that calculates the overall time. You cannot add the `sla.totalDuration` field in a report. 

L2 Linker

Hi @jfernandes1 ,

56 was a typo sorry, it is 5 severtiy indeed and for each severtiy i have 2 sla those are response time and resolution time. I have created 10 timer/ala based on this architecture and i am able to start these timers in playbook after test the sla condition in a conditional task. At the first response of an analyst playbook stops the response timer and after incident close by Default all timers stopped ( in this scenario resolution timer) all is Ok. But when it comes to a report to calculate these timer values for all incident in a time period i am confused about how to detect mean  times based on these custom timers. 

L5 Sessionator

Hi @MKececioglu 

 

Not sure if you can do it for a table output. But below is how you get it for chart.

Screen Shot 2022-05-19 at 8.24.53 pm.png

L2 Linker

Hi,

 

 

setincident automation changes sla for a specific timer and everything is clear now.  

  • 1 accepted solution
  • 4313 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!