
[Cases] KPIs #117905

Closed
cnasikas opened this issue Nov 8, 2021 · 4 comments
Labels: Feature:Cases (Cases feature), needs design, Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams), v8.1.0, v9.0.0

Comments

@cnasikas (Member) commented Nov 8, 2021

An analyst expects KPIs while viewing a single case. Examples:

  • How many alerts are within this case?
  • How many hosts are represented from the attached alerts?
  • How many users are represented from the attached alerts?
  • What actions have been taken? (e.g. Isolate Host)
  • How long has this Case been open?
  • How long ago was the oldest alert?
  • What are the total connectors I have ever used?
  • When did I change status?

Related Issue: https://github.com/elastic/security-team/issues/1779

@elasticmachine (Contributor): Pinging @elastic/security-threat-hunting-cases (Feature:Cases)

@elasticmachine (Contributor): Pinging @elastic/security-threat-hunting-cases (Team:Threat Hunting:Cases)

@cnasikas added the Team:ResponseOps label (label for the ResponseOps team, formerly the Cases and Alerting teams) and removed the Team:Threat Hunting:Cases label, Jan 10, 2022
@elasticmachine (Contributor): Pinging @elastic/response-ops (Team:ResponseOps)

@jonathan-buttner (Contributor) commented Jan 31, 2022

These are the KPIs that have been implemented for 8.1

Testing

  • Hosts and Users
    • Ensure the host and user counts reflect the number of unique users and host ids attached to the case (users is the user information from an Alert)
    • To test this generate and attach alerts to the case
  • Alert count
    • Attach various amounts of alerts to a case and ensure that the total count of the alerts is accurate
  • How long has the case been open
    • Ensure that the opened date is correct
  • Total Connectors
    • Attach multiple connectors to the case and ensure that the count is accurate for all connectors that have been added
  • How long has the case been open
    • Ensure that the status durations are updated appropriately (they are a sum of the periods for each particular status)
    • Try changing the status of the case between open, in-progress, and closed, various times
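As an added example, not code from the Kibana project or from anyone in this thread, the following TypeScript computes the KPIs described in the comment above from constructed data: unique host and user counts taken from the attached alerts, a de-duplicated alert count, the set of connectors ever used, time since the case was opened, age of the oldest alert, and per-status durations summed across every period the case spent in that status. All type names, field names (hostId, userName, statusHistory, connectorIds) and the sample case are assumptions made for the example; "time open" is taken as the time since creation regardless of current status.

```typescript
// Added example: case KPI computation over constructed data (not Kibana code).
type CaseStatus = 'open' | 'in-progress' | 'closed';

interface Alert {
  id: string;
  timestamp: string;   // ISO 8601; assumed to be the alert's @timestamp
  hostId?: string;     // assumed host.id from the alert, absent if unknown
  userName?: string;   // assumed user.name from the alert, absent if unknown
}

interface StatusChange {
  status: CaseStatus;
  at: string;          // ISO 8601 instant the case entered this status
}

interface CaseRecord {
  createdAt: string;
  statusHistory: StatusChange[]; // first entry is the status at creation
  alerts: Alert[];
  connectorIds: string[];        // every connector the case was ever pushed to
}

interface CaseKpis {
  alertCount: number;
  uniqueHosts: number;
  uniqueUsers: number;
  totalConnectors: number;
  openForMs: number;
  oldestAlertAgeMs: number | null;
  statusDurationsMs: Record<CaseStatus, number>;
}

// Count distinct defined values; alerts with no host/user do not inflate the count.
function uniqueCount(values: (string | undefined)[]): number {
  return new Set(values.filter((v): v is string => v !== undefined)).size;
}

// Sum the time spent in each status across all periods. The current status
// accrues time until `now`; periods are taken in chronological order so an
// unordered history still produces correct totals.
function statusDurations(history: StatusChange[], now: Date): Record<CaseStatus, number> {
  const totals: Record<CaseStatus, number> = { open: 0, 'in-progress': 0, closed: 0 };
  const sorted = [...history].sort((a, b) => Date.parse(a.at) - Date.parse(b.at));
  for (let i = 0; i < sorted.length; i++) {
    const start = Date.parse(sorted[i].at);
    const end = i + 1 < sorted.length ? Date.parse(sorted[i + 1].at) : now.getTime();
    totals[sorted[i].status] += Math.max(0, end - start);
  }
  return totals;
}

function computeCaseKpis(c: CaseRecord, now: Date): CaseKpis {
  const alertIds = new Set(c.alerts.map((a) => a.id)); // attaching an alert twice counts once
  const oldest = c.alerts.reduce<number | null>((min, a) => {
    const t = Date.parse(a.timestamp);
    return min === null || t < min ? t : min;
  }, null);
  return {
    alertCount: alertIds.size,
    uniqueHosts: uniqueCount(c.alerts.map((a) => a.hostId)),
    uniqueUsers: uniqueCount(c.alerts.map((a) => a.userName)),
    totalConnectors: new Set(c.connectorIds).size,
    openForMs: now.getTime() - Date.parse(c.createdAt),
    oldestAlertAgeMs: oldest === null ? null : now.getTime() - oldest,
    statusDurationsMs: statusDurations(c.statusHistory, now),
  };
}

// Constructed sample case: opened Jan 1, worked Jan 2-4, closed Jan 4, reopened Jan 5.
const SAMPLE_CASE: CaseRecord = {
  createdAt: '2022-01-01T00:00:00Z',
  statusHistory: [
    { status: 'open', at: '2022-01-01T00:00:00Z' },
    { status: 'in-progress', at: '2022-01-02T00:00:00Z' },
    { status: 'closed', at: '2022-01-04T00:00:00Z' },
    { status: 'open', at: '2022-01-05T00:00:00Z' },
  ],
  alerts: [
    { id: 'a1', timestamp: '2021-12-31T12:00:00Z', hostId: 'h1', userName: 'alice' },
    { id: 'a2', timestamp: '2022-01-01T01:00:00Z', hostId: 'h1', userName: 'bob' },
    { id: 'a3', timestamp: '2022-01-02T09:00:00Z', hostId: 'h2', userName: 'alice' },
    { id: 'a4', timestamp: '2022-01-03T09:00:00Z' }, // no host or user fields
  ],
  connectorIds: ['jira-1', 'servicenow-1', 'jira-1'],
};

const DAY_MS = 24 * 60 * 60 * 1000;
const SAMPLE_NOW = new Date('2022-01-06T00:00:00Z');
const SAMPLE_KPIS = computeCaseKpis(SAMPLE_CASE, SAMPLE_NOW);
console.log(JSON.stringify(SAMPLE_KPIS, null, 2));
```

With the sample above the case has been open five days, of which two were spent in "open" (one before triage and one after reopening), two in "in-progress" and one in "closed", which is the summed-periods behaviour the testing note describes; the fourth alert carries no host or user, so it raises the alert count but not the host or user counts.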

@kobelb added the needs-team label (Issues missing a team label), Jan 31, 2022
@botelastic (bot) removed the needs-team label (Issues missing a team label), Jan 31, 2022