The Toolkit for Data-Driven SOCs
Published Feb 17 2021 08:30 AM 9,925 Views
Microsoft

Gauge the performance of your team and detections using our new out-of-the-box workbooks


Building a Security Operations Center (SOC) from scratch or revamping one is a daunting challenge. We have developed a “Toolkit” to help SOC managers and analysts improve performance. The toolkit is a set of three workbooks, all customizable and easily accessible, that help you gauge the most fundamental metrics. With these workbooks, you can measure analysts’ efficiency, detection coverage, alert performance, and more.


We have enhanced the workbooks with cross-workspace support, so they provide a single-pane-of-glass view even when your data is spread across multiple workspaces. Each workbook gauges a specific set of performance metrics.


The three workbooks are:

  • Detection efficiency
  • SOC efficiency
  • Incident overview


Detection efficiency


The modern SOC handles multiple data sources and needs to detect threats and provide insights to the analyst. Since SOC resources are limited, a delicate balance must be struck between maximizing the detection of threats and minimizing the occurrence of false positives.


The detection efficiency workbook provides three perspectives on detections:

  • Alert rules - a holistic view of our detections and their overall coverage. In this section, we can see our MITRE ATT&CK framework coverage, the overall status of the rules, rules that require attention, and a view of the whole detection suite.
  • Alerts - in this view, we look at the alerts created by our detections. Since not all rules create incidents, we can monitor how noisy each detection is and see which ones require tuning. The alerts insights section also surfaces detections that are not firing and might require attention, and tracks the load coming from the different alert providers.
  • Incidents - the load on the SOC is determined by the number of incidents we create. Here we can monitor which detections created incidents and the reasons those incidents were closed. Looking at incident load together with closing reason tells us which detections require attention and tuning.


Iterating over all three views as a repeated process will improve our detection efficiency, SOC performance, and, ideally, the organization’s detection suite. This continuous process keeps our detections adapted to the ever-changing threat landscape.
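The comparison the Alerts and Incidents views draw, alerts fired per rule against the incidents those alerts became and how the incidents were closed, can be reproduced directly as a query. The KQL below is an added example, not the workbook template's own query. It assumes the standard Azure Sentinel SecurityAlert and SecurityIncident tables, that scheduled analytics rules report ProviderName "ASI Scheduled Alerts", and that SecurityIncident.AlertIds holds the SystemAlertId values of an incident's member alerts; verify these against your workspace schema before relying on the numbers.

```kql
// Added example, not the workbook's own query. Assumes the standard Azure Sentinel
// SecurityAlert / SecurityIncident schema; verify column names in your workspace.
let lookback = 30d;
// Alerts fired per scheduled analytics rule (AlertName is the rule's display name).
let AlertsPerRule = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "ASI Scheduled Alerts"    // assumption: provider name used by scheduled rules
    | summarize Alerts = dcount(SystemAlertId) by AlertName;
// Latest state of each alert, used to map incidents back to the rule that produced them.
let AlertNames = SecurityAlert
    | summarize arg_max(TimeGenerated, AlertName) by SystemAlertId
    | project SystemAlertId, AlertName;
// One row per incident (latest record), expanded to its member alerts, with closing classification.
let IncidentsPerRule = SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | mv-expand AlertId = AlertIds to typeof(string)
    | join kind=inner AlertNames on $left.AlertId == $right.SystemAlertId
    | summarize Incidents      = dcount(IncidentNumber),
                FalsePositives = dcountif(IncidentNumber, Classification == "FalsePositive"),
                Benign         = dcountif(IncidentNumber, Classification == "BenignPositive")
      by AlertName;
// Rules with many alerts but few incidents are candidates for alert grouping;
// rules whose incidents mostly close as false positive are candidates for tuning the query itself.
AlertsPerRule
| join kind=leftouter IncidentsPerRule on AlertName
| extend Incidents = coalesce(Incidents, 0), FalsePositives = coalesce(FalsePositives, 0), Benign = coalesce(Benign, 0)
| extend FalsePositivePct = iff(Incidents > 0, round(100.0 * FalsePositives / Incidents, 1), 0.0)
| project AlertName, Alerts, Incidents, FalsePositives, Benign, FalsePositivePct
| order by FalsePositivePct desc, Alerts desc
```

Rules that appear in AlertsPerRule with zero incidents are the "noisy but never escalated" set the Alerts view highlights; rules that do not appear at all over the lookback window are the "not firing" set and need to be checked against the rule list in the Analytics pane, since a rule that never fires leaves no row in SecurityAlert to query.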


[Animation: AnalyticsEfficiency.gif - the Detection efficiency workbook]

There are two ways to access this workbook:

  1. The workbooks gallery - You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu and selecting the Templates tab. Choose Detection efficiency from the gallery and click either the View saved workbook or the View template button.
  2. The Analytics pane - You can find the new workbook in the Alert rules action panel at the top of the pane. If a saved workbook was created from the workbook template, the button leads to the saved workbook; if not, it leads to the workbook template. More details can be found in the documentation.


SOC efficiency


With the out-of-the-box security operations efficiency workbook template, you can monitor your SOC operations. The workbook contains the following metrics:

  • Incidents created over time
  • Incidents created by closing classification, severity, owner, and status
  • Mean time to triage
  • Mean time to closure
  • Incidents created over time by severity, owner, status, product, and tactics
  • Time to triage percentiles
  • Time to closure percentiles
  • Mean time to triage per owner
  • Recent activities
  • Recent closing classifications
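The triage and closure metrics above are all derived from the timestamps on the SecurityIncident record. The KQL below is an added example rather than the workbook template's own query; it assumes the standard SecurityIncident columns CreatedTime, FirstModifiedTime, ClosedTime, Status and Owner (a dynamic object whose assignedTo field holds the owner's display name), and takes time to triage as creation until the first modification and time to closure as creation until the incident was closed.

```kql
// Added example, not the workbook's own query. Assumes the standard SecurityIncident
// schema (CreatedTime, FirstModifiedTime, ClosedTime, Owner as a dynamic object).
let lookback = 30d;
SecurityIncident
| where TimeGenerated > ago(lookback)
// Every update writes a new row; keep only the latest state of each incident.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend OwnerName = coalesce(tostring(Owner.assignedTo), "Unassigned")   // assumption: assignedTo holds the display name
// Time to triage: creation until the first analyst modification (assignment, status change, comment).
| extend TriageMinutes = iff(isnotnull(FirstModifiedTime), datetime_diff('minute', FirstModifiedTime, CreatedTime), long(null))
// Time to closure: creation until the incident was closed; open incidents contribute no value.
| extend ClosureMinutes = iff(Status == "Closed" and isnotnull(ClosedTime), datetime_diff('minute', ClosedTime, CreatedTime), long(null))
| summarize Incidents      = count(),
            Closed         = countif(Status == "Closed"),
            MeanTriageMin  = round(avg(TriageMinutes), 1),
            MeanClosureMin = round(avg(ClosureMinutes), 1),
            percentiles(TriageMinutes, 50, 90),
            percentiles(ClosureMinutes, 50, 90)
  by OwnerName
| order by Incidents desc
```

Grouping by OwnerName gives the "mean time to triage per owner" panel; replacing it with `by Classification, Severity` or `by bin(CreatedTime, 1d), Severity` reproduces the closing-classification and incidents-over-time breakdowns from the same deduplicated base. The mean is sensitive to a handful of long-running incidents, which is why the percentiles are worth reading alongside it.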


[Animation: Efficiency.gif - the SOC efficiency workbook]

There are two ways to access this workbook:

  1. The workbooks gallery - You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu.
  2. The Incidents pane - You can find the new workbook in the Incidents action panel at the top of the pane. If a saved workbook was created from the workbook template, the button leads to the saved workbook; if not, it leads to the workbook template. More details can be found in the documentation.


Incident overview


With this out-of-the-box Incident overview workbook template, you can customize the data your analysts see for a given incident, including its auditing data, recommendations, and more. The workbook contains the following metrics:

  • Incident’s title, alerts, status, bookmark, severity, owner, etc.
  • Closing reasons of similar incidents
  • Recent actions that were taken on the incident
  • Incident’s comments
  • Time to closure/triage


[Animation: Incident.gif - the Incident overview workbook]

There are two ways to access this workbook:

  1. The workbooks gallery - You can find this new workbook template by choosing Workbooks from the Azure Sentinel navigation menu.
  2. The Incidents pane - You can find the new workbook in the Incident preview panel on the right side of the incidents list. If a saved workbook was created from the workbook template, the button leads to the saved workbook; if not, it leads to the workbook template.


Thanks to all the reviewers @Ofer_Shezaf, @Yechiel_Levin, @madesous, @krisquick, and @Sarah_Young, and special thanks to @romarsia for the collaboration.
