About Key Performance Indicators
Starting from version 5.1, TheHive provides valuable insights into event and incident time metrics, enabling you to track key performance indicators (KPIs) for cases and alerts.
These KPIs are displayed by default on all cases and alerts in TheHive. You can also integrate them into dashboards and case reports.
This topic defines each of these indicators.
Time to detect (TTD)
The time it takes to create a case or alert in TheHive after the event occurs. This metric helps assess the effectiveness of your monitoring tools and detection capabilities.
Time to triage (TTT)
The time it takes for your security team to acknowledge a case or alert by changing its status to In Progress after its creation in TheHive. It reflects how efficiently alerts and cases are reviewed and escalated for investigation.
Time to acknowledge (TTA)
The time it takes for your security team to acknowledge a case or alert by changing its status to In Progress after the event occurs. This measures the responsiveness of your team after detecting a potential security incident.
Time to qualify (TTQ)
The time it takes for your security team to analyze an alert and determine whether it is a true positive or false positive, resulting in case closure or merging into a case. This metric helps measure the accuracy and speed of the qualification process.
Time to resolve (TTR)
The time it takes for your security team to fully resolve an incident after it has been marked In Progress. This includes investigation, remediation, and closure, indicating the efficiency of your incident response process.
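The following is an added example, not code from TheHive or its documentation, showing how the five KPIs above derive from the milestone timestamps of an alert or case, and how a dashboard-style median can be built over several records. The milestone field names and the sample records are constructed for this example; the page does not state the start point for TTQ, so it is assumed here to be measured from creation in TheHive.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

@dataclass
class Milestones:
    """Milestone timestamps for one alert or case (constructed field names)."""
    event: datetime                          # when the underlying event occurred
    created: datetime                        # created in TheHive
    in_progress: Optional[datetime] = None   # status changed to In Progress
    qualified: Optional[datetime] = None     # alert closed or merged into a case
    resolved: Optional[datetime] = None      # case closed after investigation

def _delta(end: Optional[datetime], start: Optional[datetime]) -> Optional[timedelta]:
    # A KPI is undefined until both of its milestones have been reached.
    if end is None or start is None:
        return None
    return end - start

def kpis(m: Milestones) -> dict:
    """Compute the KPIs exactly as defined above; None means not yet measurable."""
    return {
        "TTD": _delta(m.created, m.event),        # detection: event -> created
        "TTT": _delta(m.in_progress, m.created),  # triage: created -> In Progress
        "TTA": _delta(m.in_progress, m.event),    # acknowledge: event -> In Progress
        "TTQ": _delta(m.qualified, m.created),    # qualify: created -> closed/merged (assumed start)
        "TTR": _delta(m.resolved, m.in_progress), # resolve: In Progress -> closed
    }

def median_kpi(records, name: str) -> Optional[timedelta]:
    """Median of one KPI across records, ignoring those not yet measurable."""
    values = [k[name] for k in map(kpis, records) if k[name] is not None]
    return median(values) if values else None

# Constructed sample: three alerts at different stages of handling.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    Milestones(T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=20),
               qualified=T0 + timedelta(minutes=45)),
    Milestones(T0, T0 + timedelta(minutes=15), T0 + timedelta(hours=1),
               qualified=T0 + timedelta(hours=1, minutes=30),
               resolved=T0 + timedelta(hours=5)),
    Milestones(T0, T0 + timedelta(minutes=2)),  # detected but not yet triaged
]

if __name__ == "__main__":
    for name in ("TTD", "TTT", "TTA", "TTQ", "TTR"):
        print(name, median_kpi(SAMPLE, name))
```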
For more information on these KPIs, consult this SecurityScorecard blog post.