Solved: Re: Track Mean time to Respond

d_patel_dj · 05-06-2025 07:11 AM

Hi,

I'm looking to track Mean Time to Respond (MTTR) for our SecOps team. Specifically, I want to measure the duration between an alert's creation (when it's initially assigned to the general 'analyst' role) and when it's subsequently assigned to an individual analyst.

Is it possible to track this specific interval within SecOps?

Thanks 🙂

ddiserens

@d_patel_dj

The easiest way to track this would be to implement stage changes.

Every alert that comes in will begin in the triage stage. As you progress in the playbook with automated and manual actions, use the "Change Case Stage" Action to move the case to another stage.

Case Stages are customizable under SOAR Settings -> Case Data -> Case Stages

Once you have this defined you will be able to go into your SOAR dashboard and use the ROI Chart.

with the type = Avg. stage transition time. Then select which two stages you would like to track, I selected from triage to Investigation.

View solution in original post

ddiserens

@d_patel_dj

The easiest way to track this would be to implement stage changes.

Every alert that comes in will begin in the triage stage. As you progress in the playbook with automated and manual actions, use the "Change Case Stage" Action to move the case to another stage.

Case Stages are customizable under SOAR Settings -> Case Data -> Case Stages

Once you have this defined you will be able to go into your SOAR dashboard and use the ROI Chart.

with the type = Avg. stage transition time. Then select which two stages you would like to track, I selected from triage to Investigation.

d_patel_dj

Thanks for this @ddiserens - will try this way 🙂