Added new SLA OOB content: (demisto#2671)
* Added new SLA OOB content:
- Upgraded phishing layout (summary + quickview)
- Added 3 new fields: Detection SLA, Remediation SLA and Time to Assignment
- Added a new SLA dashboard with new widgets
- Upgraded Phishing Investigation - Generic playbook - now utilizes new SLA features
- Added 3 new scripts:
1. A script to change remediation SLA automatically, upon change of severity of incident
2. A script that sends an Email of SLA breach, which can be set to run upon SLA breach
3. A script to change the Time to Assignment field (new field) upon owner change (from empty owner to some new owner)
- Added 5 new widgets of many different types, which will be presented in new SLA dashboard:
 1. Detection SLA by Status (pie)
 2. Remediation SLA by Status (pie)
 3. MTTD by Type (timeline)
 4. MTTR by Type (timeline)
 5. Mean Time to Detection (counter)
 6. Mean Time to Resolution (counter)

* add scheme for sla/grid fields

* remove unneeded props

* try fix scheme

* fix scheme for trigger timers

* new incidentfields file for 4.1 and dashboard field changes

* rollback of incidentfields.json due to creation of a new file for 4.1

* deleted unnecessary fromVersion fields

* added comma

* added comma

* comma?

* comma?

* descriptions added AGAIN

* removed description again

* add quickview layout

* Fixed descriptions and release notes

* Fixed descriptions and release notes

* Fixed some fields and separated incidentfield files to 3 different files, one for each new field.

* tests

* Added release notes

* removed dev-prod fields

* Added phishing investigation playbook file, to support pre-4.1 versions.

* Updated fromversion to follow convention. Improved descriptions and examples in scripts.

* Fixed validation of playbook overlap. Because the old playbook became a "new" file, it caused a problem.

* Delete script-SendEmailOnSLABreach.yml

I am deleting the send email script and we'll open a separate issue

* Multiple fixes:
- SLA Dashboard widgets are now stretched out to fill the whole dashboard
- Widgets now display time in hours instead of seconds
- Script descriptions are now way more detailed and comprehensible
- Scripts now have arguments to make them testable
- Added test for the 2 new SLA scripts

* fixed id_set.json with rony

* removed CRLFs from id_set.json

* removed CRLFs from id_set.json

* removed CRLFs from id_set.json

* removed CRLFs from id_set.json

* removed duplicates from id_set.json

* Removed another dupe

* Removed more dupes

* Removed more dupes

* Removed random spaces at the end of lines

* Removed random spaces at the end of lines + dupes again

* Added spaces again where needed

* what

* still fighting id_set.json

* Update id_set.json

editing directly on GitHub to prevent trailing white-spaces removal

* Fixed a bug that would cause remediation timer to stop without being started
idovandijk authored and Anar Azadaliyev committed Jan 6, 2019
1 parent 39d18fe commit 0a79805
Showing 22 changed files with 3,416 additions and 104 deletions.
260 changes: 260 additions & 0 deletions Dashboards/dashboard-SLA.json
@@ -0,0 +1,260 @@
{
"id": "sla-dashboard",
"description": "A new dashboard to give you a good overview of your SLAs.",
"version": -1,
"fromVersion": "4.1.0",
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 30,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z",
"name": "SLA",
"layout": [
{
"id": "25a2e8f0-fd4e-11e8-a656-2b6c8cbabaee",
"forceRange": false,
"x": 6,
"y": 0,
"i": "25a2e8f0-fd4e-11e8-a656-2b6c8cbabaee",
"w": 3,
"h": 1,
"widget": {
"id": "fddd62ff-a411-4e6a-8213-e0277a9b95b5",
"version": 1,
"name": "Mean Time to Detection",
"dataType": "incidents",
"widgetType": "duration",
"query": "-category:job and detectionsla.runStatus:ended",
"sort": null,
"isPredefined": false,
"description": "The mean time (average time) to detection across all incidents that their severity was determined. The widget takes into account incidents from the last 30 days by default.",
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 30,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"keys": [
"avg|detectionsla.totalDuration"
]
},
"size": 0,
"category": ""
}
},
{
"id": "3747f820-fd4e-11e8-a656-2b6c8cbabaee",
"forceRange": false,
"x": 0,
"y": 0,
"i": "3747f820-fd4e-11e8-a656-2b6c8cbabaee",
"w": 3,
"h": 3,
"widget": {
"id": "1e54092d-1ed0-47a6-862d-893adc05e612",
"version": 1,
"name": "Detection SLA by Status",
"dataType": "incidents",
"widgetType": "pie",
"query": "-category:job and -detectionsla.runStatus:idle",
"sort": null,
"isPredefined": false,
"description": "The detection SLA status of all incidents that their severity was determined. The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes.",
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 30,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"groupBy": [
"detectionsla.slaStatus"
]
},
"size": 0,
"category": ""
}
},
{
"id": "3de5b1e0-fd4e-11e8-a656-2b6c8cbabaee",
"forceRange": false,
"x": 3,
"y": 0,
"i": "3de5b1e0-fd4e-11e8-a656-2b6c8cbabaee",
"w": 3,
"h": 3,
"widget": {
"id": "1767dee0-7f8c-48a5-8988-c58b9e713ab6",
"version": 1,
"name": "Remediation SLA by Status",
"dataType": "incidents",
"widgetType": "pie",
"query": "-category:job and -remediationsla.runStatus:idle",
"sort": null,
"isPredefined": false,
"description": "The remediation SLA status of all incidents that started a remediation process. The widget takes into account incidents from the last 30 days by default, and inherits new time range when the dashboard time changes.",
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 30,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"groupBy": [
"remediationsla.slaStatus"
]
},
"size": 0,
"category": ""
}
},
{
"id": "a48c1670-fdf1-11e8-a2fa-df5e7de7d45d",
"forceRange": false,
"x": 9,
"y": 0,
"i": "a48c1670-fdf1-11e8-a2fa-df5e7de7d45d",
"w": 3,
"h": 1,
"widget": {
"id": "mean-time-to-resolution",
"version": 169,
"name": "Mean Time To Resolution",
"dataType": "incidents",
"widgetType": "duration",
"query": "-category:job and status:closed",
"sort": null,
"isPredefined": true,
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 7,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"keys": [
"avg|openDuration",
"count|1"
]
},
"size": 0,
"category": ""
}
},
{
"id": "d2bbe430-02a1-11e9-878d-4fff182656eb",
"forceRange": false,
"x": 6,
"y": 1,
"i": "d2bbe430-02a1-11e9-878d-4fff182656eb",
"w": 6,
"h": 5,
"widget": {
"id": "mttd-by-type",
"version": 1,
"name": "MTTD by Type",
"dataType": "incidents",
"widgetType": "line",
"query": "-category:job and detectionsla.runStatus:ended",
"sort": null,
"isPredefined": false,
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 7,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"groupBy": [
"occurred(d)",
"type"
],
"keys": [
"avg|detectionsla.totalDuration / 60"
]
},
"size": 0,
"category": ""
}
},
{
"id": "e30f9430-02a1-11e9-878d-4fff182656eb",
"forceRange": false,
"x": 0,
"y": 3,
"i": "e30f9430-02a1-11e9-878d-4fff182656eb",
"w": 6,
"h": 3,
"widget": {
"id": "mttr-by-type",
"version": 168,
"name": "MTTR by Type",
"dataType": "incidents",
"widgetType": "line",
"query": "-category:job and status:closed",
"sort": null,
"isPredefined": true,
"dateRange": {
"fromDate": "0001-01-01T00:00:00Z",
"toDate": "0001-01-01T00:00:00Z",
"period": {
"byTo": "",
"byFrom": "days",
"toValue": null,
"fromValue": 7,
"field": ""
},
"fromDateLicense": "0001-01-01T00:00:00Z"
},
"params": {
"groupBy": [
"occurred(d)",
"type"
],
"keys": [
"avg|openDuration / (3600*24)"
]
},
"size": 0,
"category": ""
}
}
],
"isPredefined": false
}
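Review bot: the two timeline widgets disagree on units, and neither matches the commit message's claim that widgets "now display time in hours instead of seconds": `"avg|detectionsla.totalDuration / 60"` in `mttd-by-type` divides by 60 while `"avg|openDuration / (3600*24)"` in `mttr-by-type` divides by 86400, so (assuming both raw durations are in seconds, as the divisors imply) one series is plotted in minutes and the other in days, with no `description` on either line widget to say so. Use one divisor for both (`/ 3600` if hours is the intent) and give both line widgets a `description` like the pie and counter widgets have. Also, the dashboard `period` and the pie/counter descriptions say 30 days, but `mttd-by-type`, `mean-time-to-resolution` and `mttr-by-type` carry `"fromValue": 7`; the Detection SLA by Status description itself says widgets inherit the dashboard range, so either align the per-widget values with the dashboard or drop them so the JSON does not suggest a 7-day window that is never applied.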
37 changes: 37 additions & 0 deletions IncidentFields/incidentfield-detectionsla.json
@@ -0,0 +1,37 @@
{
"closeForm": false,
"cliName": "detectionsla",
"fromVersion": "4.1.0",
"neverSetAsRequired": false,
"threshold": 72,
"id": "incident_detectionsla",
"group": 0,
"script": "",
"isReadOnly": true,
"system": false,
"content": true,
"unsearchable": false,
"version": -1,
"unmapped": false,
"hidden": false,
"type": "timer",
"editForm": false,
"description": "The time it took from incident creation until the maliciousness was determined.",
"associatedToAll": true,
"breachScript": "",
"associatedTypes": [],
"caseInsensitive": true,
"placeholder": "",
"useAsKpi": true,
"systemAssociatedTypes": null,
"locked": false,
"name": "Detection SLA",
"ownerOnly": false,
"required": false,
"modified": "2018-12-11T12:53:48.369705659Z",
"fieldCalcScript": "",
"selectValues": [],
"validationRegex": "",
"sla": 20,
"releaseNotes": "Added Detection SLA field"
}
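Review bot: the numeric SLA values carry no unit anywhere in the file: `"sla": 20` here against `"sla": 7200` in the Remediation SLA field, and `"threshold": 72` on all three new fields. Whatever unit the platform uses for `sla` and `threshold`, state it in `description` or `releaseNotes` (for example `"releaseNotes": "Added Detection SLA field (default SLA 20 <unit>)"`) so an admin importing this content knows what target they are committing to. Also, the description says the timer runs until "the maliciousness was determined", while the dashboard's Mean Time to Detection widget says "severity was determined" and the commit message ties the remediation script to a change of severity; settle on one trigger wording across the field, the widgets and the playbook.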
37 changes: 37 additions & 0 deletions IncidentFields/incidentfield-remediationsla.json
@@ -0,0 +1,37 @@
{
"closeForm": false,
"fromVersion": "4.1.0",
"cliName": "remediationsla",
"neverSetAsRequired": false,
"threshold": 72,
"id": "incident_remediationsla",
"group": 0,
"script": "",
"isReadOnly": true,
"system": false,
"content": true,
"unsearchable": false,
"version": -1,
"unmapped": false,
"hidden": false,
"type": "timer",
"editForm": false,
"description": "The time it took since remediation of the incident began, and until it ended.",
"associatedToAll": true,
"breachScript": "",
"associatedTypes": [],
"caseInsensitive": true,
"placeholder": "",
"useAsKpi": true,
"systemAssociatedTypes": null,
"locked": false,
"name": "Remediation SLA",
"ownerOnly": false,
"required": false,
"modified": "2018-12-11T12:53:56.816268002Z",
"fieldCalcScript": "",
"selectValues": [],
"validationRegex": "",
"sla": 7200,
"releaseNotes": "Added Remediation SLA field"
}
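Review bot: the description reads awkwardly ("The time it took since remediation of the incident began, and until it ended."); suggest "The time from when remediation of the incident began until it ended." More substantively, `"sla": 7200` is the value every incident starts with, and the commit message says the remediation SLA is only adjusted by a script "upon change of severity of incident", so an incident whose severity is correct at creation and never changes keeps this default whatever its severity; either document that or have the playbook set the SLA when it starts the timer. `"breachScript": ""` is consistent with the breach-email script being dropped from this PR, but the `releaseNotes` should say that no breach action ships with the field.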
37 changes: 37 additions & 0 deletions IncidentFields/incidentfield-timetoassignment.json
@@ -0,0 +1,37 @@
{
"closeForm": false,
"cliName": "timetoassignment",
"fromVersion": "4.1.0",
"neverSetAsRequired": false,
"threshold": 72,
"id": "incident_timetoassignment",
"group": 0,
"script": "",
"isReadOnly": true,
"system": false,
"content": true,
"unsearchable": false,
"version": -1,
"unmapped": false,
"hidden": false,
"type": "timer",
"editForm": false,
"description": "The time it took from when the incident was created until a user was assigned to it.",
"associatedToAll": true,
"breachScript": "",
"associatedTypes": null,
"caseInsensitive": true,
"placeholder": "",
"useAsKpi": true,
"systemAssociatedTypes": null,
"locked": false,
"name": "Time to Assignment",
"ownerOnly": false,
"required": false,
"modified": "2018-12-11T12:55:38.305896432Z",
"fieldCalcScript": "",
"selectValues": null,
"validationRegex": "",
"sla": 0,
"releaseNotes": "Added Time to Assignment field"
}
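Review bot: `"associatedTypes": null` and `"selectValues": null` here, versus `[]` in the two sibling field files, is an inconsistency worth fixing before the schema added earlier in this PR ("add scheme for sla/grid fields") starts accepting one form and rejecting the other; use `[]` in all three. `"sla": 0` presumably means no SLA is enforced on this timer, which fits its purpose as a pure measurement, but since `"useAsKpi": true` and `"threshold": 72` are still set, say in the description that this field tracks time to assignment without an SLA target so nobody reads the threshold as a deadline.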
2 changes: 1 addition & 1 deletion IncidentFields/incidentfields.json
@@ -1,4 +1,5 @@
{
"releaseNotes": "-",
"incidentFields": [
{
"id": "incident_app",
@@ -1653,4 +1654,3 @@
}
]
}
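Review bot: the `@@ -1653,4 +1654,3 @@` header shows one line dropped after the closing `}` at the end of the file, which looks like the trailing newline; keep a final newline at EOF so the next edit to this file does not produce a noisy diff.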
