Security Operational Metrics

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Overview

Cloud SIEM provides security operational metrics to help you determine the effectiveness of your team in responding to and resolving security threats to your cloud environments. These metrics are shown in the out-of-the-box Cloud SIEM dashboard and are sent in the Cloud SIEM weekly digest reports. You can also create dashboards and monitors for them.

The security operational metrics section of the Cloud SIEM Overview dashboard

Operational metrics

datadog.security.siem_signal.time_to_detect
Name: Time to Detect (TTD)
Description: The time (in seconds) between when a matching log is triggered and when a signal is generated.
Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_acknowledge
Name: Time to Acknowledge (TTA)
Description: The time (in seconds) between when a signal is triggered and when an investigation on the signal begins.
Metric type: DISTRIBUTION
datadog.security.siem_signal.time_to_resolve
Name: Time to Resolve (TTR)
Description: The time (in seconds) it takes to close a signal starting from the time when you are first notified of the detection.
Metric type: DISTRIBUTION

How the metrics are calculated

The TTD, TTA, and TTR metrics are calculated based on these timestamps:

  1. The timestamp (T0) of the log that triggers a security signal.
  2. The timestamp (T1) of when the signal is generated.
  3. The timestamp (T2) of when the signal status is changed to under_review.
  4. The timestamp (T3) of when the signal status is changed to archived.
MetricHow the metric is calculated
Time to Detect (TTD)
datadog.security.siem_signal.time_to_detect
T1 - T0
Time to Acknowledge (TTA)
datadog.security.siem_signal.time_to_acknowledge
T2 - T1
Time to Resolve (TTR)
datadog.security.siem_signal.time_to_resolve
T3 - T1

Explore, visualize, and monitor the metrics

Use the Metrics Summary to see metadata and tags for the operational metrics. You can also see which dashboards, notebooks, monitors, and SLOs are using those metrics.

Use tags to filter the metrics to specific teams, sources, and environments. You can then create dashboards for those metrics to visualize the data or create monitors to alert you if the metrics exceed a specified threshold.

Further reading