this post was submitted on 14 Nov 2024
The original post: /r/cybersecurity by /u/Traut on 2024-11-14 15:31:24.

While building a SOC metrics template (a blog post here), I made some JQ functions to handle all the calculations directly on Elastic Security data. These cover

  • calculating MTTR based on the workflow_status_updated_at and status fields of the alert obj
  • computing SLA % based on the pre-set hour limits per severity
  • computing alert load per analyst based on pre-set shifts

The funcs do not require you to use BlackStork Fabric; they are standalone JQ funcs.

Code on GitHub — https://github.com/blackstork-io/fabric-templates/blob/main/cybersec/secops/soc-weekly-activity-overview-elastic-security.utils.jq
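The three calculations the post lists, worked through in Python as an added example (this is not the post's jq code and not BlackStork's): MTTR from the gap between an alert's creation time and the time its workflow status last changed, SLA compliance as the share of closed alerts resolved inside a per-severity hour limit, and alert load per analyst from fixed shift windows. The alert documents are constructed, and the field names (`kibana.alert.workflow_status`, `kibana.alert.workflow_status_updated_at`, `kibana.alert.severity`, `@timestamp`), the SLA limits and the shift roster are all assumptions made for the example.

```python
"""Added example: SOC metrics (MTTR, SLA %, load per analyst) over
Elastic Security-style alert documents. Field names and limits are assumed."""
from datetime import datetime
from statistics import mean

# Constructed sample alerts (values are made up; one alert is still open).
SAMPLE_ALERTS = [
    {"@timestamp": "2024-11-11T08:15:00Z", "kibana.alert.severity": "critical",
     "kibana.alert.workflow_status": "closed",
     "kibana.alert.workflow_status_updated_at": "2024-11-11T09:45:00Z"},
    {"@timestamp": "2024-11-11T10:00:00Z", "kibana.alert.severity": "high",
     "kibana.alert.workflow_status": "closed",
     "kibana.alert.workflow_status_updated_at": "2024-11-11T12:00:00Z"},
    {"@timestamp": "2024-11-11T15:30:00Z", "kibana.alert.severity": "medium",
     "kibana.alert.workflow_status": "closed",
     "kibana.alert.workflow_status_updated_at": "2024-11-12T10:30:00Z"},
    {"@timestamp": "2024-11-11T23:10:00Z", "kibana.alert.severity": "low",
     "kibana.alert.workflow_status": "open"},
    {"@timestamp": "2024-11-12T02:00:00Z", "kibana.alert.severity": "high",
     "kibana.alert.workflow_status": "closed",
     "kibana.alert.workflow_status_updated_at": "2024-11-12T03:00:00Z"},
]

# Assumed SLA limits: hours allowed to close an alert, keyed by severity.
SLA_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}

# Assumed shift roster in UTC: (name, start hour, end hour, analyst on duty).
# An end hour lower than the start hour means the shift wraps past midnight.
SHIFTS = [("day", 6, 14, "alice"), ("evening", 14, 22, "bob"), ("night", 22, 6, "carol")]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_closed(alert):
    # workflow_status_updated_at also changes on acknowledge, so only a
    # status of "closed" counts as resolved; an open alert has no end time.
    return (alert.get("kibana.alert.workflow_status") == "closed"
            and "kibana.alert.workflow_status_updated_at" in alert)


def resolution_hours(alert):
    """Hours between alert creation and the last workflow status change."""
    opened = parse_ts(alert["@timestamp"])
    closed = parse_ts(alert["kibana.alert.workflow_status_updated_at"])
    return (closed - opened).total_seconds() / 3600


def mttr_hours(alerts):
    """Mean time to resolve over closed alerts; None when nothing is closed."""
    durations = [resolution_hours(a) for a in alerts if is_closed(a)]
    return mean(durations) if durations else None


def sla_compliance_pct(alerts, limits=SLA_HOURS):
    """Percentage of closed alerts resolved within their severity's limit."""
    closed = [a for a in alerts if is_closed(a)]
    if not closed:
        return None
    within = sum(
        1 for a in closed
        if resolution_hours(a) <= limits.get(a.get("kibana.alert.severity"), float("inf"))
    )
    return 100.0 * within / len(closed)


def shift_for_hour(hour, shifts=SHIFTS):
    """Return (shift name, analyst) covering the given UTC hour."""
    for name, start, end, analyst in shifts:
        covered = (start <= hour < end) if start < end else (hour >= start or hour < end)
        if covered:
            return name, analyst
    return None, None


def alert_load_per_analyst(alerts, shifts=SHIFTS):
    """Count alerts by the analyst whose shift covers the alert creation hour."""
    load = {analyst: 0 for _, _, _, analyst in shifts}
    for a in alerts:
        _, analyst = shift_for_hour(parse_ts(a["@timestamp"]).hour, shifts)
        if analyst is not None:
            load[analyst] += 1
    return load


if __name__ == "__main__":
    print("MTTR (h):", mttr_hours(SAMPLE_ALERTS))
    print("SLA %:", sla_compliance_pct(SAMPLE_ALERTS))
    print("Load:", alert_load_per_analyst(SAMPLE_ALERTS))
```

On the sample data the open alert drops out of MTTR and SLA but still counts toward the night shift's load, and the critical alert closed after 1.5 h is the single SLA miss. Shift boundaries are evaluated in UTC here; a roster kept in local time needs the timestamps converted first.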
