Trend Vision One can track how well cases adhere to SLAs, ensuring timely and effective case processing. Set clear expectations for case handling, receive timely notifications before an SLA breach, and ensure consistent service quality across the incident response process. SLA metrics include the following:
  • Time to acknowledge (TTA): How long it takes to open a new case and change its status to In progress for the first time after creation of the Workbench alert or insight.
  • Time to close (TTC): How long it takes to change the case status to Closed after creation of the case.
  • Time to investigate (TTI): How long it takes to perform the first response action after the case status is initially changed to In progress.
  • Time to respond (TTR): How long it takes to manually perform the last response action, or run a security playbook, after creation of the Workbench alert or insight.
Use the SLA settings in Case Management to define, monitor, and manage targets depending on case type and priority.

Procedure

  1. In Case Management, select SLA settings (gear icon).
  2. Click the tab for the type of case:
    • Workbench cases
    • Risk event cases
  3. Toggle On to enable SLA settings.
  4. Define the SLA targets.
    1. Select the Case priority. Selecting All removes any priority-based targets. For priority-based targets, you can set only one target per priority level, you must begin with P0, and you must add each priority level in decreasing order.
    2. Select the targets you want to enable:
      • TTA target (Workbench only)
      • TTR target (Workbench only)
      • TTC target
    3. Set a target period of at least one minute.
    4. To specify more than one priority-based target, click + Case priority, then repeat substeps 1 through 3.
    5. To change the calculation for TTR and TTI, click Change calculation, select from the options, then click Save. This change affects all cases and corresponding widget data.
      • Original calculation uses the last manual response action when calculating times to respond and investigate.
      • Flexible calculation uses the first of the selected actions to occur. Choose from any combination of these options:
        • First manual response action
        • First response action a security playbook performs on the impact scope or a highlighted object
        • First addition of notes or comments
        • First time the case is closed
        • First time a security playbook closes the case
        • First time the findings change
  5. Set reminders for specified recipients at designated times. These notifications can arrive via automatic emails, case log entries, and webhooks.
    1. Select when to send SLA target notifications.
      • To remind someone of the time remaining, select the number (0.5 to 48) of hours before the target time to send a notification. If the number is greater than the target time (for example, the TTA target is one day and you select 48 hours), the system cannot send a notification.
      • To alert someone that a target time has elapsed, which means breaching the SLA, select At the target time.
    2. Select who receives SLA target notifications.
    3. Specify the webhook or email addresses if you select Others.
  6. Click Save.
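
To sanity-check targets before enabling them, the following added example (not Trend Micro code) applies the TTA, TTR, and TTC definitions above to a constructed case timeline, compares the original and flexible TTR calculations, and reproduces the rule that a reminder longer than its target cannot be sent. The event labels and function names are hypothetical and do not correspond to Trend Vision One API fields.

```python
from datetime import datetime, timedelta

# Constructed case timeline; event labels are hypothetical, not product fields.
T0 = datetime(2024, 5, 1, 9, 0)
TIMELINE = [
    (T0, "alert_created"),
    (T0 + timedelta(minutes=5), "case_created"),
    (T0 + timedelta(minutes=20), "in_progress"),
    (T0 + timedelta(minutes=30), "note_added"),
    (T0 + timedelta(minutes=50), "manual_response"),
    (T0 + timedelta(hours=2), "manual_response"),
    (T0 + timedelta(hours=3), "closed"),
]

def _pick(timeline, kinds, last=False):
    """Earliest (or latest) timestamp among events of the given kinds."""
    times = sorted(t for t, kind in timeline if kind in kinds)
    if not times:
        return None
    return times[-1] if last else times[0]

def _span(start, end):
    return end - start if start and end else None

def sla_metrics(timeline, flexible_actions=None):
    """TTA, TTR and TTC as timedeltas; None when not yet measurable."""
    alert = _pick(timeline, {"alert_created"})
    if flexible_actions:   # flexible: first of the selected actions to occur
        ref = _pick(timeline, set(flexible_actions))
    else:                  # original: last manual response action
        ref = _pick(timeline, {"manual_response"}, last=True)
    return {
        "TTA": _span(alert, _pick(timeline, {"in_progress"})),
        "TTR": _span(alert, ref),
        "TTC": _span(_pick(timeline, {"case_created"}), _pick(timeline, {"closed"})),
    }

def reminder_time(start, target, hours_before):
    """When a 'time remaining' reminder fires, or None if it cannot be sent."""
    if not 0.5 <= hours_before <= 48:
        raise ValueError("reminder lead must be 0.5 to 48 hours")
    lead = timedelta(hours=hours_before)
    return None if lead > target else start + target - lead

def breached(metrics, targets):
    """Names of measured metrics that exceeded their target period."""
    return sorted(m for m, limit in targets.items()
                  if metrics.get(m) is not None and metrics[m] > limit)
```

On this timeline, switching TTR from the original calculation to a flexible one that counts the first note or manual action moves the case from breaching a one-hour TTR target to meeting it, which is why the calculation change affects all cases and widget data.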