About Key Performance Indicators

Starting from version 5.1, TheHive provides valuable insights into event and incident time metrics, enabling you to track key performance indicators (KPIs) for cases and alerts.

These KPIs are displayed by default on all cases and alerts in TheHive. You can also integrate them into dashboards and case reports.

This topic defines each of these indicators.

Time to detect (TTD)

The time it takes for your security team to detect abnormal activity that may indicate malicious, suspicious, or risky behavior in your environment. This metric helps assess the effectiveness of your monitoring tools and detection capabilities.

Time to triage (TTT)

The time it takes for your security team to assess and prioritize a detected alert, determining its relevance, severity, and required response. It reflects how efficiently alerts are reviewed and escalated for investigation.

Time to acknowledge (TTA)

The time it takes for your security team to acknowledge an event by transitioning its status to In Progress. This measures the responsiveness of your team after detecting a potential security incident.

Time to qualify (TTQ)

The time it takes for your security team to analyze an alert and determine its validity—whether it's a true positive, a false positive, or requires further investigation. This metric helps measure the accuracy and speed of the qualification process.

Time to resolve (TTR)

The time it takes to fully resolve an incident after it has been marked In Progress. This includes investigation, remediation, and closure, indicating the efficiency of your incident response process.


To view the formulas for each indicator, refer to the Key Performance Indicator Formulas topic.

For more information on these KPIs, we recommend you consult this SecurityScorecard blog post.

Next steps