Security Operational Metrics
Overview
Cloud SIEM provides security operational metrics to help you determine the effectiveness of your team in responding to and resolving security threats to your cloud environments. These metrics are shown in the out-of-the-box Cloud SIEM dashboard and are sent in the Cloud SIEM weekly digest reports. You can also create dashboards and monitors for them.
Operational metrics
datadog.security.siem_signal.time_to_detect
- Name: Time to Detect (TTD)
- Description: The time (in seconds) between the timestamp of the log that matches a detection rule and the moment the signal is generated. This covers log ingestion and rule evaluation latency, not analyst activity.
- Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_acknowledge
- Name: Time to Acknowledge (TTA)
- Description: The time (in seconds) between when a signal is triggered and when an investigation on the signal begins.
- Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_resolve
- Name: Time to Resolve (TTR)
- Description: The time (in seconds) between when the signal is generated and when it is closed (archived). TTR is measured from the signal's generation, not from when it is acknowledged, so slow triage increases TTR as well as TTA.
- Metric type: DISTRIBUTION
How the metrics are calculated
The TTD, TTA, and TTR metrics are calculated based on these timestamps:
- T0: the timestamp of the log that triggers a security signal.
- T1: the timestamp of when the signal is generated.
- T2: the timestamp of when the signal status is changed to under_review.
- T3: the timestamp of when the signal status is changed to archived.
| Metric | How the metric is calculated |
|---|---|
| Time to Detect (TTD), datadog.security.siem_signal.time_to_detect | T1 - T0 |
| Time to Acknowledge (TTA), datadog.security.siem_signal.time_to_acknowledge | T2 - T1 |
| Time to Resolve (TTR), datadog.security.siem_signal.time_to_resolve | T3 - T1 |
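As an added worked example (not Datadog's code and not part of the original page), the following Python derives the three metrics from the four timestamps defined above for a constructed batch of signals, then summarizes each metric the way a DISTRIBUTION is read on a dashboard (count, p50, p95, max). The signal record layout, the field names, and the sample data are assumptions made for the illustration. It also covers the lifecycle edge cases the formulas imply: a signal archived without ever entering under_review has no TTA, an open signal has no TTR, and a signal that is reopened keeps the time of its first transition so that later status changes do not shrink the measured duration.

```python
"""Added example: compute TTD, TTA and TTR for a batch of Cloud SIEM signals.

Assumptions (not from the page): each signal is a dict with the triggering
log timestamp (T0), the signal creation timestamp (T1) and an ordered list of
status changes from which T2 (under_review) and T3 (archived) are taken.
All timestamps are ISO 8601 UTC strings. The sample signals are constructed.
"""
import math
from datetime import datetime

METRIC_TTD = "datadog.security.siem_signal.time_to_detect"
METRIC_TTA = "datadog.security.siem_signal.time_to_acknowledge"
METRIC_TTR = "datadog.security.siem_signal.time_to_resolve"


def _ts(value):
    """Parse an ISO 8601 UTC string such as 2024-05-01T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def first_transition(status_changes, status):
    """Timestamp of the first change to `status`, or None if it never happened.

    Using the first transition means a signal that is archived, reopened and
    archived again keeps its original TTR instead of being silently extended.
    """
    for change in status_changes:
        if change["status"] == status:
            return _ts(change["at"])
    return None


def signal_metrics(signal):
    """Return {metric name: seconds or None} for one signal.

    TTD = T1 - T0, TTA = T2 - T1, TTR = T3 - T1. A metric whose end
    timestamp has not occurred yet is None so that open or never-triaged
    signals are excluded from the distribution rather than counted as zero.
    """
    t0 = _ts(signal["log_timestamp"])
    t1 = _ts(signal["signal_timestamp"])
    t2 = first_transition(signal["status_changes"], "under_review")
    t3 = first_transition(signal["status_changes"], "archived")
    return {
        METRIC_TTD: (t1 - t0).total_seconds(),
        METRIC_TTA: (t2 - t1).total_seconds() if t2 else None,
        METRIC_TTR: (t3 - t1).total_seconds() if t3 else None,
    }


def percentile(sorted_values, p):
    """Nearest-rank percentile over an ascending list (no interpolation)."""
    rank = max(0, math.ceil(p / 100 * len(sorted_values)) - 1)
    return sorted_values[rank]


def summarize(values):
    """Summarize seconds as a distribution: count, p50, p95, max (None skipped)."""
    xs = sorted(v for v in values if v is not None)
    if not xs:
        return {"count": 0, "p50": None, "p95": None, "max": None}
    return {"count": len(xs), "p50": percentile(xs, 50),
            "p95": percentile(xs, 95), "max": xs[-1]}


def compute_distributions(signals):
    """Per-metric distribution summaries over a batch of signals."""
    per_signal = [signal_metrics(s) for s in signals]
    return {name: summarize([m[name] for m in per_signal])
            for name in (METRIC_TTD, METRIC_TTA, METRIC_TTR)}


# Constructed sample: four signals exercising the normal and edge-case paths.
SAMPLE_SIGNALS = [
    {   # full lifecycle: TTD 45s, TTA 1200s, TTR 3600s
        "id": "sig-1", "log_timestamp": "2024-05-01T10:00:00Z",
        "signal_timestamp": "2024-05-01T10:00:45Z",
        "status_changes": [{"status": "under_review", "at": "2024-05-01T10:20:45Z"},
                           {"status": "archived", "at": "2024-05-01T11:00:45Z"}]},
    {   # archived without triage: TTD 30s, no TTA, TTR 1800s
        "id": "sig-2", "log_timestamp": "2024-05-01T10:05:00Z",
        "signal_timestamp": "2024-05-01T10:05:30Z",
        "status_changes": [{"status": "archived", "at": "2024-05-01T10:35:30Z"}]},
    {   # still under investigation: TTD 10s, TTA 30s, no TTR yet
        "id": "sig-3", "log_timestamp": "2024-05-01T10:10:00Z",
        "signal_timestamp": "2024-05-01T10:10:10Z",
        "status_changes": [{"status": "under_review", "at": "2024-05-01T10:10:40Z"}]},
    {   # reopened after archive: first transitions count, TTD 120s, TTA 1680s, TTR 2280s
        "id": "sig-4", "log_timestamp": "2024-05-01T09:00:00Z",
        "signal_timestamp": "2024-05-01T09:02:00Z",
        "status_changes": [{"status": "under_review", "at": "2024-05-01T09:30:00Z"},
                           {"status": "archived", "at": "2024-05-01T09:40:00Z"},
                           {"status": "open", "at": "2024-05-01T09:50:00Z"},
                           {"status": "under_review", "at": "2024-05-01T10:00:00Z"}]},
]

if __name__ == "__main__":
    for name, summary in compute_distributions(SAMPLE_SIGNALS).items():
        print(name, summary)
```

The count field matters as much as the percentiles: a TTA or TTR count lower than the TTD count is the number of signals that never completed that stage, which a dashboard built only on averages would hide.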
Explore, visualize, and monitor the metrics
Use the Metrics Summary to see metadata and tags for the operational metrics. You can also see which dashboards, notebooks, monitors, and SLOs are using those metrics.
Use tags to filter the metrics to specific teams, sources, and environments. You can then create dashboards for those metrics to visualize the data or create monitors to alert you if the metrics exceed a specified threshold.
Further reading
More useful links, articles, and documentation: