Operational Overview report guidance

Introduction

The Operational Overview report provides a comprehensive set of visualizations to help communicate the operational value of the Vectra platform. This report complements the Executive Overview report, which is catered to CISOs and security executives who need to bring high-level metrics to their board or executive-level meetings.

The visualizations in this report depict:

  • Detection and Alert Breakdown

    • Frequently Prioritized Hosts and Accounts

    • Top 20 Detections

    • MITRE ATT&CK Detection Breakdown

  • SOC Team Operations - Details your SOC team operations including the assignment workflow of prioritized alerts and the detection resolution outcomes.

    • SOC Team Operations

    • SOC Operations Breakdown

    • Assignment Usage

    • Please note that for any of the SOC Team Operations reports, your team must be actively using the New Close Workflow to generate the metrics required for the report to contain data.

Prioritized Alerts

  • The customer-configurable priority threshold determines whether a host or account entity was prioritized.

  • To change the priority threshold, navigate to Settings > Priority Threshold in your Vectra UI.

RUX vs QUX

At the initial availability of the Operational Overview report, only RUX deployments are supported. QUX deployments are scheduled to be supported in the 9.8 release.

Replacing the Operational Metrics Report

The Operational Overview report is the replacement for the older Operational Metrics report. Please see the following guidance:

  • The New Close Workflow must be enabled in order to use the Operational Overview report.

    • Once the new close workflow is enabled, the Operational Metrics report will be disabled in your tenant and the new Operational Overview report will become available.

  • At launch, PDF download is not available for the Operational Overview report; it is planned for a future release.

    • If PDF download is a requirement, disable the New Close Workflow and the Operational Metrics report will become available again.

  • Some discrepancies in metrics may be observed between the two reports because the two generations of reports calculate them differently.

Reporting Timeframe and Attack Surface Selector

Reporting Timeframe

There are two ways to pick a reporting timeframe:

  • Quick Presets - Allows you to select from 24 hours to 6 months in common increments.

  • Custom Time Range - Allows you to choose a specific timeframe. After choosing the days, the time can also be edited if desired.

  • The difference between "Last 30 days" and "Prior month" is that the former fixes the report's end date to the current date and its start date 30 calendar days back, counting the current day as one of the 30.

    • For example: if it is the 15th, the window runs back 30 days from there, with the 15th counted as one of the 30 days.

    • For "Last 30 days", the report runs up to the current time and includes detections ingested up until that time.

  • For "Prior month", the report's start date is the first day of the prior month and its end date is the last day of the prior month.

    • For example: if it is currently Jun 15, the report would include data for all of May.

  • Times run from midnight on the start date, i.e. 00:00, to 23:59:59 on the end date.
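The window arithmetic above is easy to get subtly wrong when cross-checking report figures against raw detections (an off-by-one on the inclusive day count, or a prior-month lookup that breaks across the January boundary). The following is an added example, not Vectra code, that resolves the two presets and a custom day range to the exact bounds described above; the preset names and the ISO 8601 string interface are this example's own, and "Last 30 days" is implemented with the current day counted as one of the 30, as the text states.

```python
from datetime import date, datetime, time, timedelta


def last_n_days_window(now: datetime, n: int = 30) -> tuple[datetime, datetime]:
    """Quick preset "Last N days": the current day is one of the N days, the
    window opens at 00:00 on the first day and closes at the current time."""
    first_day = now.date() - timedelta(days=n - 1)
    return datetime.combine(first_day, time.min), now


def prior_month_window(now: datetime) -> tuple[datetime, datetime]:
    """Preset "Prior month": 00:00 on the first day of the previous calendar
    month to 23:59:59 on its last day. Stepping back one day from the first of
    the current month lands on the prior month even across a year boundary."""
    last_day = now.date().replace(day=1) - timedelta(days=1)
    first_day = last_day.replace(day=1)
    return (datetime.combine(first_day, time.min),
            datetime.combine(last_day, time(23, 59, 59)))


def custom_window(start: date, end: date) -> tuple[datetime, datetime]:
    """Custom time range chosen by day: 00:00 on the start date to 23:59:59 on
    the end date (the UI also lets you edit the time afterwards)."""
    if end < start:
        raise ValueError("end date is before start date")
    return datetime.combine(start, time.min), datetime.combine(end, time(23, 59, 59))


def window_for(preset: str, now_iso: str, n: int = 30) -> tuple[str, str]:
    """Resolve a preset to ISO 8601 bounds, the form you would hand to a query
    when reconciling report numbers with raw detections. The preset names are
    this example's own labels, not Vectra UI strings."""
    now = datetime.fromisoformat(now_iso)
    if preset == "last_n_days":
        start, end = last_n_days_window(now, n)
    elif preset == "prior_month":
        start, end = prior_month_window(now)
    else:
        raise ValueError(f"unknown preset {preset!r}")
    return start.isoformat(), end.isoformat()


def in_window(ts_iso: str, window: tuple[str, str]) -> bool:
    """Inclusive membership test for a detection timestamp."""
    start, end = (datetime.fromisoformat(w) for w in window)
    return start <= datetime.fromisoformat(ts_iso) <= end


if __name__ == "__main__":
    # Constructed "now": Jun 15 10:30, matching the example in the text.
    print("last 30 days:", window_for("last_n_days", "2024-06-15T10:30:00"))
    print("prior month: ", window_for("prior_month", "2024-06-15T10:30:00"))
```

With the Jun 15 example date, "Last 30 days" opens at May 17 00:00 and "Prior month" covers May 1 00:00 to May 31 23:59:59; a detection stamped May 16 23:59:59 falls in the prior month but not in the last 30 days, which is one reason totals differ between the two presets.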

Attack Surface

  • This dropdown will allow you to choose which Attack Surface you would like the report to include data for or to see data for all attack surfaces.

  • This will only show products that you have configured as a data source for your deployment.

Frequently Prioritized Hosts and Accounts

  • These hosts and accounts in your environment were frequently prioritized as alerts within the selected reporting timeframe.

  • This list supports your SOC team’s understanding and audit of outliers from normal, expected activity.

  • This list shows up to 10 of the frequently prioritized hosts and accounts.

  • The Highest Score is the highest Urgency Score observed for the host or account within the reporting timeframe.

  • The Urgency Score is a combination of the Attack Rating and the Entity Importance.

  • The Peaked On value is the date and time in which the host or account was observed to have the reported Highest Score.

  • The Number of Times Prioritized is the count of the number of times the host or account was prioritized as an alert within the selected reporting timeframe.

RUX example shown below:

  • By default, this is sorted based on the number of times a host or account was prioritized during the reporting period.

    • Other columns that can be used to sort the output will show as clickable when hovering over them. Click to change the sort column or order.
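To make the column definitions above concrete, here is an added example (not Vectra code) that builds the Frequently Prioritized table from a constructed list of prioritization events: each row's Highest Score, Peaked On and Number of Times Prioritized are derived exactly as described, the list is sorted by times prioritized and capped at 10, and a second helper re-sorts on another column the way clicking a header does. The sample data and the `kind`/`urgency`/`at` field names are this example's own; the threshold is applied as "exceeding" (strictly greater), following the wording used throughout this page.

```python
# Constructed sample, not Vectra data: one row per time an entity crossed the
# priority threshold inside the reporting timeframe. "urgency" is the Urgency
# Score observed at that moment and "at" is an ISO 8601 timestamp.
SAMPLE_PRIORITIZATIONS = [
    {"entity": "host-a", "kind": "host",    "urgency": 85, "at": "2024-05-03T09:00:00"},
    {"entity": "acct-b", "kind": "account", "urgency": 70, "at": "2024-05-04T08:00:00"},
    {"entity": "host-a", "kind": "host",    "urgency": 92, "at": "2024-05-10T14:30:00"},
    {"entity": "host-a", "kind": "host",    "urgency": 88, "at": "2024-05-20T11:00:00"},
    {"entity": "acct-b", "kind": "account", "urgency": 95, "at": "2024-05-25T16:45:00"},
    {"entity": "host-c", "kind": "host",    "urgency": 60, "at": "2024-05-26T10:00:00"},
]


def frequently_prioritized(events, threshold: int, limit: int = 10) -> list[dict]:
    """Build the Frequently Prioritized Hosts and Accounts table.

    Only events whose Urgency Score exceeds the priority threshold count as
    prioritizations (assumption: strictly greater, per the page's wording).
    Rows are sorted by Number of Times Prioritized, descending, and truncated
    to `limit` rows as the report does (10).
    """
    rows: dict[str, dict] = {}
    for e in sorted(events, key=lambda e: e["at"]):
        if e["urgency"] <= threshold:
            continue  # below or at threshold: not a prioritized alert
        row = rows.setdefault(e["entity"], {
            "entity": e["entity"], "kind": e["kind"],
            "highest_score": e["urgency"], "peaked_on": e["at"],
            "times_prioritized": 0,
        })
        row["times_prioritized"] += 1
        # Highest Score / Peaked On: the first moment the maximum was reached
        # (assumption: ties keep the earlier timestamp).
        if e["urgency"] > row["highest_score"]:
            row["highest_score"], row["peaked_on"] = e["urgency"], e["at"]
    return sorted(rows.values(),
                  key=lambda r: r["times_prioritized"], reverse=True)[:limit]


def sort_rows(rows, column: str, descending: bool = True) -> list[dict]:
    """Re-sort the table on another column, as clicking a column header does."""
    return sorted(rows, key=lambda r: r[column], reverse=descending)


if __name__ == "__main__":
    for row in frequently_prioritized(SAMPLE_PRIORITIZATIONS, threshold=65):
        print(row)
```

With a threshold of 65, host-c never appears (its only score, 60, does not exceed the threshold), host-a leads with three prioritizations peaking at 92 on May 10, and acct-b follows with two; re-sorting on highest_score moves acct-b (95) to the top, which is the kind of outlier the text suggests auditing.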

Top 20 Detections

  • These are the top 20 detections which were associated with a prioritized alert (host or account exceeding the set Urgency Score threshold) and observed in your environment after AI-Triage and user-created triage rules were applied.

  • Each detection falls into one of three groups: 1) closed as remediated, 2) closed as benign, or 3) all other prioritized detections, i.e. those triaged by a new filter rule or not closed.

RUX example shown below:

MITRE ATT&CK Detection Breakdown

  • Vectra provides significant coverage of the MITRE Enterprise ATT&CK Framework.

  • Review the MITRE ATT&CK mapping of the detections which were associated with prioritized alerts (hosts or accounts exceeding the set priority threshold) within the selected reporting timeframe.

  • This mapping helps inform hunting and investigations, and shows which tactics were detected within Vectra's MITRE ATT&CK coverage.

  • For more details about Vectra MITRE coverage and mapping please see:

    • Vectra's Coverage of MITRE ATT&CK and D3FEND

    • Mapping AWS Detections to MITRE ATT&CK

  • Interpreting the graph:

    • Looking at Discovery as an example in the chart below shows that tactic being used in 6 Network and 4 AWS Cloudtrail detections over the reporting period.

RUX example shown below:

MTTA, MTTI, MTTR

These metrics begin the SOC Team Operations section of the report.

MTTA

  • Mean Time to Assignment

  • Minutes on Average from Alert Prioritization to Assignment: This metric is calculated by averaging the time from when a host or account is prioritized as an alert to when the prioritized alert has been assigned to a team member.

  • As noted, this metric is only for prioritized alerts (hosts or accounts exceeding the set priority threshold) which have been assigned.

MTTI

  • Mean Time to Investigate

  • Minutes on Average from Alert Assignment to Resolution: This metric is calculated by averaging the time from when a host or account is assigned to a team member to when the prioritized alert has been deprioritized through the resolution of associated detections.

  • As noted, this metric is only for prioritized alerts (hosts or accounts exceeding the set priority threshold) which have been assigned and then deprioritized through the closure of their detections.

MTTR

  • Mean Time to Resolve

  • Minutes on Average from Alert Prioritization to Resolution: This metric is calculated by averaging the time from when a host or account is prioritized as an alert to when the prioritized alert has been deprioritized through the resolution of associated detections.

  • As noted, this metric is only for prioritized alerts (hosts or accounts exceeding the set priority threshold) which have been deprioritized through the closure of their detections.

RUX example shown below:

SOC Operations Breakdown

  • This breakdown details the Mean Time to Assignment, Mean Time to Investigate, and Mean Time to Resolve of your SOC operations team during the selected reporting timeframe.

  • These metrics are indicative of workflow efficiency when prioritized alerts (hosts or accounts exceeding the set priority threshold) are assigned to team members and resolved through the closing of their associated detections.

RUX example shown below:

  • There must be 2 months of data in the system for the trend lines to show.

    • Until then, you can mouseover the current month to see the data for that month.

Assignment Usage

  • This is a breakdown of your SOC team's usage of assignments.

  • It reports what percentage of prioritized alerts (hosts or accounts exceeding the set Urgency Score threshold) were assigned to a team member.

  • The use of assignments informs and affects the accuracy of the Mean Time to Assignment and Mean Time to Investigate metrics.
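The MTTA, MTTI and MTTR definitions above each average over a different subset of prioritized alerts, which is why the three numbers do not add up and why Assignment Usage governs how much MTTA and MTTI can be trusted. The following added example (not Vectra code) computes all four figures from a constructed set of prioritized-alert records, applying the inclusion rules stated in the MTTA, MTTI, MTTR and Assignment Usage sections: MTTA over assigned alerts, MTTI over alerts that were both assigned and closed, MTTR over closed alerts whether assigned or not. The record layout and field names are this example's own.

```python
from datetime import datetime
from statistics import mean
from typing import Optional

# Constructed sample, not Vectra data: one record per prioritized alert (a host
# or account that crossed the priority threshold). Timestamps are ISO 8601 and
# None means the event has not happened within the reporting timeframe.
SAMPLE_ALERTS = [
    {"entity": "host-a", "prioritized": "2024-05-01T09:00:00",
     "assigned": "2024-05-01T09:20:00", "resolved": "2024-05-01T11:20:00"},
    {"entity": "acct-b", "prioritized": "2024-05-02T14:00:00",
     "assigned": "2024-05-02T14:10:00", "resolved": "2024-05-02T15:10:00"},
    # deprioritized by closing its detections without ever being assigned
    {"entity": "host-c", "prioritized": "2024-05-03T08:00:00",
     "assigned": None, "resolved": "2024-05-03T08:30:00"},
    # assigned but still open at the end of the timeframe
    {"entity": "acct-d", "prioritized": "2024-05-04T10:00:00",
     "assigned": "2024-05-04T12:00:00", "resolved": None},
    # never assigned, still open
    {"entity": "host-e", "prioritized": "2024-05-05T10:00:00",
     "assigned": None, "resolved": None},
]


def _minutes_between(start_iso: str, end_iso: str) -> float:
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if end < start:
        raise ValueError(f"event ordering violated: {start_iso} -> {end_iso}")
    return (end - start).total_seconds() / 60


def _mean_or_none(values: list[float]) -> Optional[float]:
    # The report has nothing to show when no alert qualifies for a metric.
    return round(mean(values), 2) if values else None


def mtta(alerts) -> Optional[float]:
    """Mean Time to Assignment: prioritization -> assignment, assigned alerts only."""
    return _mean_or_none([_minutes_between(a["prioritized"], a["assigned"])
                          for a in alerts if a["assigned"]])


def mtti(alerts) -> Optional[float]:
    """Mean Time to Investigate: assignment -> resolution, over alerts that were
    both assigned and deprioritized by closing their detections."""
    return _mean_or_none([_minutes_between(a["assigned"], a["resolved"])
                          for a in alerts if a["assigned"] and a["resolved"]])


def mttr(alerts) -> Optional[float]:
    """Mean Time to Resolve: prioritization -> resolution, over resolved alerts,
    whether or not they were ever assigned."""
    return _mean_or_none([_minutes_between(a["prioritized"], a["resolved"])
                          for a in alerts if a["resolved"]])


def assignment_usage(alerts) -> Optional[float]:
    """Assignment Usage: percentage of prioritized alerts assigned to a team member."""
    if not alerts:
        return None
    return round(100 * sum(1 for a in alerts if a["assigned"]) / len(alerts), 1)


def soc_operations_summary(alerts) -> dict:
    return {"mtta_minutes": mtta(alerts), "mtti_minutes": mtti(alerts),
            "mttr_minutes": mttr(alerts), "assignment_usage_pct": assignment_usage(alerts)}


if __name__ == "__main__":
    print(soc_operations_summary(SAMPLE_ALERTS))
```

On the sample, MTTA is 50 minutes (three assigned alerts), MTTI is 90 minutes (only the two that were assigned and closed), and MTTR is 80 minutes (three closed alerts, including host-c, which was never assigned). MTTA plus MTTI exceeding MTTR is not an error: the populations differ. Assignment Usage is 60%, and the two unassigned alerts contribute nothing to MTTA or MTTI, which is the accuracy effect the text describes.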

RUX example shown below:
