Tracking Incident Progress Using SLA Metrics

Archer Cyber Incident & Breach Response includes built-in metrics and reports that provide SOC organizations with insight into where teams are spending the most time in the Incident process.

Track Total Time

Archer uses calculations to track the total time spent by L1 and L2 handlers, as well as the time spent by status (the amount of time an Incident record remains in each stage of the Security Incident advanced workflow).

If an L2 handler reassigns the incident record to an L1 handler, Archer keeps track of how much time each user spent in that particular stage.

For example, if an L2 handler spent 10 minutes in an Incident record that had a status of In Progress before reassigning it to an L1 handler, who then spent 30 minutes in the record (while it remained in the In Progress status), the Time Spent by Status calculation credits 40 minutes to In Progress (10 minutes for the L2 handler plus 30 minutes for the L1 handler), and the per-status totals would appear as follows:

L1 Queue Time and L2 Queue Time are calculated as the total time the record spent in the respective incident queue, minus the time the record was in the Remediation status.
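The calculation described above, as an added worked example that is not Archer's own code: it replays a constructed status history for one incident record and derives Time Spent by Status, time per handler within a status, and L1/L2 Queue Time with Remediation time excluded. The history rows, the handler names, the tier field, and the set of statuses treated as Remediation are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Statuses whose time is excluded from queue time. The page speaks of "the
# Remediation status"; excluding both remediation statuses is an assumption.
REMEDIATION_STATUSES = {"Remediation Requested", "Remediation Completed"}

# Constructed status history for one incident record (not real Archer data).
# Each row starts an interval that ends when the next row begins:
# (timestamp, status, assigned handler, handler tier).
HISTORY = [
    ("2024-03-01T09:00:00", "New", None, None),
    ("2024-03-01T09:05:00", "Assigned", "alice", "L1"),
    ("2024-03-01T09:10:00", "In Progress", "alice", "L1"),
    ("2024-03-01T09:40:00", "Escalated", "bob", "L2"),
    ("2024-03-01T10:00:00", "In Progress", "bob", "L2"),    # L2 works it for 10 min
    ("2024-03-01T10:10:00", "In Progress", "alice", "L1"),  # reassigned to L1, still In Progress
    ("2024-03-01T10:40:00", "Remediation Requested", "bob", "L2"),
    ("2024-03-01T11:40:00", "Remediation Completed", "bob", "L2"),
    ("2024-03-01T11:45:00", "Closed", "bob", "L2"),         # terminal row, no duration
]


def minutes(td):
    """Whole minutes in a timedelta, for reporting and checking."""
    return int(td.total_seconds() // 60)


def _intervals(history):
    """Yield (duration, status, handler, tier) for each interval in the history."""
    rows = [(datetime.fromisoformat(ts), status, handler, tier)
            for ts, status, handler, tier in history]
    for (start, status, handler, tier), (end, *_) in zip(rows, rows[1:]):
        if end < start:
            raise ValueError("status history must be in chronological order")
        yield end - start, status, handler, tier


def time_by_status(history):
    """Time Spent by Status: total duration the record held each status."""
    totals = defaultdict(timedelta)
    for duration, status, _, _ in _intervals(history):
        totals[status] += duration
    return dict(totals)


def time_by_handler(history, status=None):
    """Time each handler held the record, optionally restricted to one status.

    This is what separates the L2 handler's minutes from the L1 handler's
    minutes when both occur while the record stays In Progress.
    """
    totals = defaultdict(timedelta)
    for duration, current, handler, _ in _intervals(history):
        if handler is None or (status is not None and current != status):
            continue
        totals[handler] += duration
    return dict(totals)


def queue_time(history):
    """L1/L2 Queue Time: time assigned to each tier, minus time in Remediation."""
    totals = {"L1": timedelta(), "L2": timedelta()}
    for duration, status, _, tier in _intervals(history):
        if tier is None or status in REMEDIATION_STATUSES:
            continue
        totals[tier] += duration
    return totals


if __name__ == "__main__":
    print("Time by status:")
    for status, td in time_by_status(HISTORY).items():
        print(f"  {status:<22} {minutes(td)} min")
    print("In Progress time per handler:",
          {h: minutes(td) for h, td in time_by_handler(HISTORY, "In Progress").items()})
    print("Queue time:", {t: minutes(td) for t, td in queue_time(HISTORY).items()})
```

Note that In Progress accrues 70 minutes in total here (30 for the L1 handler before escalation, 10 for the L2 handler, then 30 more for the L1 handler after reassignment), while L2 Queue Time is only 30 minutes because the 65 minutes in the two Remediation statuses are excluded even though the record was still assigned to the L2 handler.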

[Figure: Incident example]

Incident Status

The following table describes the statuses on which the Time Spent by Status calculation is based.

Incident Status
  Description

New
  Default status when a record is created.

Assigned
  The incident has been assigned to an L1 Incident Handler, but the handler has not yet started working on it.

In Progress
  The L1 Incident Handler has started working on the incident.

Escalated
  The L1 Incident Handler has escalated the incident to an L2 Incident Handler.

  An Incident record remains in the Escalated status until the escalation process has completed. The time Archer reports for the Escalated status is the total time spent in that status, which includes the time spent in each of the following escalation stages:

    • Escalation Status: New
    • Escalation Status: Assigned
    • Escalation Status: Forensic Analysis In Progress
    • Escalation Status: Forensic Analysis Completed

Returned to Level 1
  The L2 Incident Handler has reviewed the incident and found that the escalation is not valid; for example, the L1 Incident Handler may have missed checks before escalating the incident.

Remediation Requested
  The L2 Incident Handler has completed their analysis and found items that require remediation.

Remediation Completed
  The required remediation has been completed.

Invalid
  After review, the information in the incident does not reflect a security compromise or malicious activity.

Closed
  All tasks have been resolved and the incident is not tied to any open investigations or breaches.