Security Operational Metrics

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Overview

Cloud SIEM provides security operational metrics to help you determine the effectiveness of your team in responding to and resolving security threats to your cloud environments. These metrics are shown in the out-of-the-box Cloud SIEM dashboard and are sent in the Cloud SIEM weekly digest reports. You can also create dashboards and monitors for them.

The security operational metrics section of the Cloud SIEM Overview dashboard

Operational metrics

datadog.security.siem_signal.time_to_detect
Name: Time to Detect (TTD)
Description: The time (in seconds) between when a matching log is triggered and when a signal is generated.
Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_acknowledge
Name: Time to Acknowledge (TTA)
Description: The time (in seconds) between when a signal is triggered and when an investigation on the signal begins.
Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_resolve
Name: Time to Resolve (TTR)
Description: The time (in seconds) it takes to close a signal starting from the time when you are first notified of the detection.
Metric type: DISTRIBUTION

How the metrics are calculated

The TTD, TTA, and TTR metrics are calculated based on these timestamps:

  1. The timestamp (T0) of the log that triggers a security signal.
  2. The timestamp (T1) of when the signal is generated.
  3. The timestamp (T2) of when the signal status is changed to under_review.
  4. The timestamp (T3) of when the signal status is changed to archived.
MetricHow the metric is calculated
Time to Detect (TTD)
datadog.security.siem_signal.time_to_detect		T1 - T0
Time to Acknowledge (TTA)
datadog.security.siem_signal.time_to_acknowledge		T2 - T1
Time to Resolve (TTR)
datadog.security.siem_signal.time_to_resolve		T3 - T1

Explore, visualize, and monitor the metrics

Use the Metrics Summary to see metadata and tags for the operational metrics. You can also see which dashboards, notebooks, monitors, and SLOs are using those metrics.

Use tags to filter the metrics to specific teams, sources, and environments. You can then create dashboards for those metrics to visualize the data or create monitors to alert you if the metrics exceed a specified threshold.

Further reading

Más enlaces, artículos y documentación útiles:

Investigate Cloud SIEM Security SignalsDOCUMENTATION more more Getting started with dashboardsDOCUMENTATION more more Getting started with monitorsDOCUMENTATION more more Learn more about the Metrics SummaryDOCUMENTATION more more