MTTR (Mean Time to Resolution/Recovery/Respond) measures how long it takes to fully complete an investigation or resolve an incident. This is the key metric for tracking investigation completion time in SOC performance dashboards.

By adding all access attempts to the Risk Index and then increasing the Criticality of critical assets, the engineer ensures all authentication activity is tracked while prioritizing findings involving high-value assets. This approach leverages risk-based alerting without flooding the SOC with unnecessary notable events.

Correlation search throttling is used to prevent multiple notable events from being created for the same condition within a defined time window. Adjusting throttling reduces duplicate findings and ensures only meaningful notables are generated.

Security reports provide stakeholders (executives, compliance officers, and security teams) with insights into security posture, risks, and recommendations.
Key Features of Effective Security Reports
High-Level Summaries
Stakeholders don't need raw logs but require summary-level insights on threats and trends.
Actionable Insights
Reports should provide clear recommendations on mitigating risks.
Visual Dashboards & Metrics
Charts, KPIs, and trends enhance understanding for non-technical stakeholders.

An index-based search should be used when the raw event fields contain more detail than the data model. Data models normalize and may omit certain fields, so searching the index directly ensures all relevant information is available for the detection.