Incident Detection Service Report


This report applies to a Managed Service environment and provides insight into the performance and effectiveness of the Incident Detection Service delivered by the Managed Service Provider (MSP).

Triage Metrics

These metrics provide insight into the effectiveness of the MSP triage process.

  • Average Time to Acknowledge: Depicts the average time to acknowledge a task, in one-hour intervals, over the previous 24-hour reporting period.
  • Average Time to Close: Depicts the average time to close a task, in one-hour intervals, over the previous 24-hour reporting period.
  • Closure Rate: Depicts the task closure rate, in one-hour intervals, over the previous 24-hour reporting period.
  • Incident Rate: Depicts the incident rate, in one-hour intervals, over the previous 24-hour reporting period.
  • Last Modified Tasks: Depicts the most recently modified task entries.
  • Longest Open Tasks: Depicts the tasks that have been open for the longest time.
  • Longest Unacknowledged Tasks: Depicts the tasks that have been unacknowledged for the longest time.
  • Open Tasks by Owner: Depicts the number of open tasks for each unique owner in the Task Triage database.
  • Open Tasks by Priority: Depicts the percentage of open tasks at each priority level.
  • Tasks by Priority and Owner: Depicts the number of open tasks by priority for a specified owner.
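The following is an added worked example of how the triage metrics above can be computed from task records; it is not code from the original page or from any MSP tooling. The task record layout (creation, acknowledgement and closure timestamps, owner, priority, incident flag), the P1..P4 priority scale and the sample tasks are all assumptions. Hourly series are bucketed by the task's creation hour, except closure rate, which is bucketed by the hour the task was closed; tasks that are still unacknowledged or still open contribute nothing to the averages, so a flood of untouched tasks cannot artificially lower the time-to-acknowledge figure.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Task:
    """One row of the Task Triage database (assumed layout, not the MSP's schema)."""
    task_id: str
    owner: str
    priority: str                              # assumed scale P1 (highest) .. P4
    created: datetime
    acknowledged: Optional[datetime] = None    # None = still unacknowledged
    closed: Optional[datetime] = None          # None = still open
    is_incident: bool = False                  # task confirmed as an incident


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60.0


def _hour(ts: datetime, window_start: datetime) -> int:
    """0-based one-hour interval index within the reporting window."""
    return int((ts - window_start).total_seconds() // 3600)


def triage_metrics(tasks: List[Task], window_end: datetime) -> Dict[str, object]:
    """Compute the triage metrics for the 24-hour period ending at window_end.

    Hourly series are keyed by interval index 0..23. Time-to-acknowledge,
    time-to-close and incident rate are bucketed by creation hour; closure
    rate is bucketed by the hour the task was closed. Tasks with no
    acknowledgement or closure yet are excluded from the averages.
    """
    window_start = window_end - timedelta(hours=24)
    in_window = [t for t in tasks if window_start <= t.created < window_end]

    ack_mins = defaultdict(list)
    close_mins = defaultdict(list)
    incident_rate = Counter()
    closure_rate = Counter()
    for t in in_window:
        h = _hour(t.created, window_start)
        if t.is_incident:
            incident_rate[h] += 1
        if t.acknowledged is not None:
            ack_mins[h].append(_minutes(t.acknowledged, t.created))
        if t.closed is not None:
            close_mins[h].append(_minutes(t.closed, t.created))
    for t in tasks:  # closures bucketed by close time, regardless of creation time
        if t.closed is not None and window_start <= t.closed < window_end:
            closure_rate[_hour(t.closed, window_start)] += 1

    # Open-task views cover the whole database, not only the 24-hour window,
    # so a task opened days ago still appears as the longest open one.
    open_tasks = sorted((t for t in tasks if t.closed is None), key=lambda t: t.created)
    unacked = [t for t in open_tasks if t.acknowledged is None]
    by_owner = Counter(t.owner for t in open_tasks)
    by_priority = Counter(t.priority for t in open_tasks)
    total_open = len(open_tasks)

    return {
        "avg_time_to_acknowledge": {h: sum(v) / len(v) for h, v in ack_mins.items()},
        "avg_time_to_close": {h: sum(v) / len(v) for h, v in close_mins.items()},
        "closure_rate": dict(closure_rate),
        "incident_rate": dict(incident_rate),
        "longest_open_tasks": [t.task_id for t in open_tasks],
        "longest_unacknowledged_tasks": [t.task_id for t in unacked],
        "open_tasks_by_owner": dict(by_owner),
        "open_tasks_by_priority_pct": (
            {p: 100.0 * n / total_open for p, n in by_priority.items()} if total_open else {}
        ),
    }


# Constructed sample data: a 24-hour window ending 2024-01-02 00:00 UTC.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
WINDOW_END = T0 + timedelta(hours=24)
SAMPLE_TASKS = [
    # opened two days before the window and never acknowledged: longest open and unacknowledged
    Task("T-100", "alice", "P3", T0 - timedelta(days=2)),
    # hour 1: acknowledged after 10 min, closed after 90 min, confirmed incident
    Task("T-101", "bob", "P1", T0 + timedelta(hours=1), T0 + timedelta(hours=1, minutes=10),
         T0 + timedelta(hours=2, minutes=30), is_incident=True),
    # hour 1: acknowledged after 30 min, still open
    Task("T-102", "bob", "P2", T0 + timedelta(hours=1, minutes=5),
         T0 + timedelta(hours=1, minutes=35)),
    # hour 5: acknowledged after 5 min, closed after 20 min in the same hour
    Task("T-103", "alice", "P4", T0 + timedelta(hours=5), T0 + timedelta(hours=5, minutes=5),
         T0 + timedelta(hours=5, minutes=20)),
    # created after the window end: excluded from hourly series, but counted as open
    Task("T-104", "carol", "P2", WINDOW_END + timedelta(minutes=1)),
]

if __name__ == "__main__":
    for name, value in triage_metrics(SAMPLE_TASKS, WINDOW_END).items():
        print(f"{name}: {value}")
```

Running the block prints each metric for the constructed tasks; note that T-100 leads both "longest open" and "longest unacknowledged" even though it falls outside the reporting window, which is the behaviour a triage lead wants from those two views.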

Incidents from Correlated Sources

  • Top 10 Source Addresses of Alarms: Displays the top 10 source addresses of intrusion detection alarms.
  • Top 10 Alarms: Displays the top 10 generated alarms by signature ID.
  • Top 10 Destinations of Alarms: Displays the top 10 destination IP addresses that have been targeted for attack.
  • Top 10 Requested URL/FTP Destinations: Displays the top 10 URL or FTP destinations requested by internal users.
  • Top 20 Bandwidth Ports: Displays the 20 ports with the most bandwidth usage.
  • Top 20 Bandwidth Users: Displays the top 20 bandwidth users.
  • Top 20 Connections by Address: Displays the 20 addresses with the most connections.
  • Top 20 Connections by Port: Displays the 20 ports with the most connections.
  • Top 20 Denied Inbound by Address: Displays the top 20 foreign addresses that were denied inbound access.
  • Top 20 Denied Inbound by Port: Displays the 20 ports with the most denied connections.
  • Top 20 Denied Outbound by Address: Displays the top 20 local addresses that were denied outbound access.
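As an added example of how the denied-traffic views above are derived from firewall events (not code from the original page or from any MSP product), the block below parses constructed key=value log lines, decides whether each denied connection was inbound or outbound against an explicitly configured local address space, and produces the "Denied Inbound by Address", "Denied Inbound by Port" and "Denied Outbound by Address" rankings. The log layout, the LOCAL_NETS ranges and the sample lines are all assumptions. Local ranges are configured explicitly rather than inferred from the address class, because what counts as "local" is the customer's address space, not a property of the address itself.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed customer address space; in practice this comes from the asset inventory.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

REQUIRED_FIELDS = {"action", "src", "dst", "dport"}

# Constructed sample events in a generic "timestamp key=value ..." layout (no vendor's format).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z action=deny src=203.0.113.5 dst=10.0.0.12 dport=22 proto=tcp
2024-01-01T10:00:01Z action=deny src=203.0.113.5 dst=10.0.0.12 dport=23 proto=tcp
2024-01-01T10:00:02Z action=deny src=198.51.100.7 dst=10.0.0.12 dport=22 proto=tcp
2024-01-01T10:00:03Z action=allow src=10.0.0.20 dst=93.184.216.34 dport=443 proto=tcp
2024-01-01T10:00:04Z action=deny src=10.0.0.20 dst=192.0.2.9 dport=445 proto=tcp
2024-01-01T10:00:05Z action=deny src=10.0.0.21 dst=192.0.2.9 dport=445 proto=tcp
2024-01-01T10:00:06Z action=deny src=10.0.0.20 dst=10.0.0.30 dport=3389 proto=tcp
2024-01-01T10:00:07Z this line is garbage
"""


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) < 2:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not REQUIRED_FIELDS.issubset(fields):
        return None
    try:
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
        int(fields["dport"])
    except ValueError:
        return None
    return fields


def direction(ev: Dict[str, str]) -> str:
    """inbound = foreign -> local, outbound = local -> foreign; other flows are not ranked."""
    src_local, dst_local = is_local(ev["src"]), is_local(ev["dst"])
    if not src_local and dst_local:
        return "inbound"
    if src_local and not dst_local:
        return "outbound"
    return "internal" if src_local and dst_local else "transit"


def denied_summary(log_text: str, n: int = 20) -> Dict[str, object]:
    """Build the top-n denied-traffic rankings from raw log text."""
    inbound_addr: Counter = Counter()
    inbound_port: Counter = Counter()
    outbound_addr: Counter = Counter()
    skipped = 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            skipped += 1          # malformed lines are counted, not silently dropped
            continue
        if ev["action"] != "deny":
            continue
        flow = direction(ev)
        if flow == "inbound":
            inbound_addr[ev["src"]] += 1   # foreign address that was denied
            inbound_port[int(ev["dport"])] += 1
        elif flow == "outbound":
            outbound_addr[ev["src"]] += 1  # local address that was denied
    return {
        "denied_inbound_by_address": inbound_addr.most_common(n),
        "denied_inbound_by_port": inbound_port.most_common(n),
        "denied_outbound_by_address": outbound_addr.most_common(n),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for name, value in denied_summary(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The internal deny (10.0.0.20 to 10.0.0.30) is deliberately left out of both rankings, since neither the "foreign address" nor the "local address denied outbound" view describes it; a separate lateral-movement view would be the place for it.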

Detection and Prevention Report

  • Control Efficacy: The efficacy of protection and detection controls, based on the invocation of content rules. Displays the top 10 content rules triggered in the customer environment.
  • Incident Distribution by Categories: Insight into the customer's incident profile for the last month, distributed by the assigned Incident Categories.

Future Ideas

  • Return on Investment: This becomes valid once the operational metrics are tied back to the Risk Profile and Business Impact Analysis provided by the GRC platform, if in scope. It can help quantify the potential savings, in both time and money, from mitigated incidents and/or timely response.
  • Compliance Posture: The GRC platform can be leveraged to measure and report against mandatory compliance requirements; however, this requires further analysis and wider stakeholder discussion to assess its viability and implementation.
  • Vulnerability Profile: The vulnerability profile can be reported against as the corresponding details are shared by the customer. Common reporting areas are:
    • Least Recently Scanned: Lists assets in order of the longest duration since the last scan.
    • Most Vulnerable Assets By Business Rating: Lists the assets in order of business rating and the aggregate vulnerability severity score.
    • Most Vulnerable Assets By Count: Lists the assets in order of the number of vulnerabilities associated with an asset.
    • Most Vulnerable Assets By Severity: Lists the assets in order of the aggregate vulnerability severity score.
    • Vulnerability by Severities: Depicts the detected vulnerabilities as a percentage of the total organized by severity value.