Builds SOC metrics and KPI tracking dashboards from SIEM data, measuring MTTD, MTTR, alert quality ratio, analyst productivity, and detection coverage. For SOC leaders needing operational visualization and reports.
npx claudepluginhub killvxk/cybersecurity-skills-zhThis skill uses the workspace's default tool permissions.
以下情况使用本技能:
Builds SOC KPI dashboards tracking MTTD, MTTR, alert quality, productivity, and detection coverage from SIEM data for operational visibility and reporting.
Builds SOC KPI dashboards tracking MTTD, MTTR, alert quality ratios, analyst productivity, and detection coverage from SIEM data for operational visibility and reporting.
Builds real-time incident response dashboards in Splunk, Elastic Kibana, or Grafana for SOC analysts to track affected systems, containment status, IOC spread, and response timelines during IR coordination and reporting.
Share bugs, ideas, or general feedback.
以下情况使用本技能:
不适用于将指标作为针对分析师的惩罚性措施——指标应推动流程改进,而非个人绩效考核。
建立与 NIST CSF 功能对齐的关键指标:
| 指标 | 定义 | 目标值 | NIST CSF |
|---|---|---|---|
| MTTD | 从威胁发生到 SOC 检测的时间 | <15 分钟 | 检测 |
| MTTA | 从告警到分析师确认的时间 | <5 分钟 | 响应 |
| MTTI | 从确认到调查开始的时间 | <10 分钟 | 响应 |
| MTTC | 从调查到遏制的时间 | <1 小时 | 响应 |
| MTTR | 从检测到完全解决的时间 | <4 小时 | 恢复 |
| 误报率(FP Rate) | 误报告警的百分比 | <30% | 检测 |
| 真报率(TP Rate) | 真实告警的百分比 | >40% | 检测 |
| 覆盖率(Coverage) | 具有主动检测的 ATT&CK 技术 | >60% | 检测 |
| 驻留时间(Dwell Time) | 攻击者在网络中被检测前的时间 | <24 小时 | 检测 |
| 升级率(Escalation Rate) | 一级告警升级至二/三级的比例 | 15-25% | 响应 |
平均检测时间(MTTD):
index=notable earliest=-30d status_label="Resolved*"
| eval mttd_seconds = _time - orig_time
| where mttd_seconds > 0 AND mttd_seconds < 86400 --- 排除数据质量问题
| stats avg(mttd_seconds) AS avg_mttd,
median(mttd_seconds) AS med_mttd,
perc90(mttd_seconds) AS p90_mttd,
perc95(mttd_seconds) AS p95_mttd
by urgency
| eval avg_mttd_min = round(avg_mttd / 60, 1)
| eval med_mttd_min = round(med_mttd / 60, 1)
| eval p90_mttd_min = round(p90_mttd / 60, 1)
| table urgency, avg_mttd_min, med_mttd_min, p90_mttd_min
平均响应时间(MTTR):
index=notable earliest=-30d status_label="Resolved*"
| eval mttr_seconds = status_end - _time
| where mttr_seconds > 0 AND mttr_seconds < 604800 --- <7 天
| stats avg(mttr_seconds) AS avg_mttr,
median(mttr_seconds) AS med_mttr,
perc90(mttr_seconds) AS p90_mttr
by urgency
| eval avg_mttr_hours = round(avg_mttr / 3600, 1)
| eval med_mttr_hours = round(med_mttr / 3600, 1)
| eval p90_mttr_hours = round(p90_mttr / 3600, 1)
| table urgency, avg_mttr_hours, med_mttr_hours, p90_mttr_hours
MTTD/MTTR 随时间趋势:
index=notable earliest=-90d status_label="Resolved*"
| eval mttd_min = (_time - orig_time) / 60
| eval mttr_hours = (status_end - _time) / 3600
| bin _time span=1w
| stats avg(mttd_min) AS avg_mttd_min, avg(mttr_hours) AS avg_mttr_hours,
count AS incidents by _time
| table _time, incidents, avg_mttd_min, avg_mttr_hours
告警处置分析:
index=notable earliest=-30d
| stats count AS total,
sum(eval(if(status_label="Resolved - True Positive", 1, 0))) AS tp,
sum(eval(if(status_label="Resolved - False Positive", 1, 0))) AS fp,
sum(eval(if(status_label="Resolved - Benign", 1, 0))) AS benign,
sum(eval(if(status_label="New" OR status_label="In Progress", 1, 0))) AS pending
| eval tp_rate = round(tp / total * 100, 1)
| eval fp_rate = round(fp / total * 100, 1)
| eval signal_noise = round(tp / (fp + 0.01), 2)
| table total, tp, fp, benign, pending, tp_rate, fp_rate, signal_noise
分析师生产力指标:
index=notable earliest=-30d status_label="Resolved*"
| stats count AS alerts_resolved,
avg(eval((status_end - status_transition_time) / 60)) AS avg_triage_min,
dc(rule_name) AS unique_rule_types
by owner
| eval alerts_per_day = round(alerts_resolved / 30, 1)
| sort - alerts_resolved
| table owner, alerts_resolved, alerts_per_day, avg_triage_min, unique_rule_types
班次工作负载分布:
index=notable earliest=-30d
| eval hour = strftime(_time, "%H")
| eval shift = case(
hour >= 6 AND hour < 14, "Day (06-14)",
hour >= 14 AND hour < 22, "Swing (14-22)",
1=1, "Night (22-06)"
)
| stats count AS alerts, dc(owner) AS analysts by shift
| eval alerts_per_analyst = round(alerts / analysts / 30, 1)
| table shift, alerts, analysts, alerts_per_analyst
ATT&CK 覆盖率得分:
| inputlookup detection_rules_attack_mapping.csv
| stats dc(technique_id) AS covered_techniques by tactic
| join tactic type=left [
| inputlookup attack_techniques_total.csv
| stats dc(technique_id) AS total_techniques by tactic
]
| eval coverage_pct = round(covered_techniques / total_techniques * 100, 1)
| sort tactic
| table tactic, covered_techniques, total_techniques, coverage_pct
数据源覆盖率:
| inputlookup expected_data_sources.csv
| join data_source type=left [
| tstats count where index=* by sourcetype
| rename sourcetype AS data_source
| eval status = "Active"
]
| eval source_status = if(isnotnull(status), "Collecting", "MISSING")
| stats count by source_status
| table source_status, count
月度 SOC 高管摘要:
--- 按类别统计事件摘要
index=notable earliest=-30d status_label="Resolved*"
| stats count by urgency
| eval order = case(urgency="critical", 1, urgency="high", 2, urgency="medium", 3,
urgency="low", 4, urgency="informational", 5)
| sort order
--- 与上月对比
index=notable earliest=-60d
| eval period = if(_time > relative_time(now(), "-30d"), "本月", "上月")
| stats count by period, urgency
| chart sum(count) AS incidents by urgency, period
--- 前 5 位事件类别
index=notable earliest=-30d status_label="Resolved - True Positive"
| top rule_name limit=5
| table rule_name, count, percent
安全态势记分卡:
| makeresults
| eval metrics = mvappend(
"MTTD: 8.3 min (Target: <15 min) | STATUS: GREEN",
"MTTR: 3.2 hours (Target: <4 hours) | STATUS: GREEN",
"FP Rate: 27% (Target: <30%) | STATUS: GREEN",
"Detection Coverage: 64% (Target: >60%) | STATUS: GREEN",
"Analyst Utilization: 78% (Target: 60-80%) | STATUS: GREEN",
"Incident Backlog: 12 (Target: <20) | STATUS: GREEN"
)
| mvexpand metrics
| table metrics
跟踪改进举措及其效果:
--- 改进举措追踪
| inputlookup soc_improvement_initiatives.csv
| eval status_color = case(
status="Completed", "green",
status="In Progress", "yellow",
status="Planned", "gray"
)
| table initiative, start_date, target_date, status, metric_impact, baseline, current
举措示例:
initiative,start_date,target_date,status,metric_impact,baseline,current
Risk-Based Alerting,2024-01-15,2024-03-15,Completed,Alert Volume,-84%,287/day
Sigma Rule Library,2024-02-01,2024-04-01,In Progress,ATT&CK Coverage,61%,64%
SOAR Phishing Playbook,2024-02-15,2024-03-30,In Progress,Phishing MTTR,45min,18min
Analyst Training Program,2024-01-01,2024-06-30,In Progress,TP Rate,31%,41%
| 术语 | 定义 |
|---|---|
| MTTD | 平均检测时间——从威胁发生到 SOC 产生告警的平均时间 |
| MTTR | 平均响应时间——从检测到事件解决的平均时间 |
| MTTA | 平均确认时间——从告警生成到分析师分配的平均时间 |
| 信噪比(Signal-to-Noise Ratio) | 真实告警与总告警数之比——越高越好 |
| 驻留时间(Dwell Time) | 攻击者在环境中未被检测的持续时间——检测有效性的关键指标 |
| 分析师利用率(Analyst Utilization) | 分析师用于有效调查的时间占比(相对于管理性事务) |
SOC 绩效报告 — 2024 年 3 月
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
关键指标:
指标 当前值 目标值 趋势 状态
MTTD 8.3 分钟 <15 分钟 -12% 绿色
MTTR 3.2 小时 <4 小时 -18% 绿色
误报率 27% <30% -5% 绿色
真报率 41% >40% +3% 绿色
ATT&CK 覆盖率 64% >60% +3% 绿色
每分析师每日告警 24 条 <50 条 -84% 绿色
事件摘要:
总事件数: 147(关键: 3,高: 23,中: 78,低: 43)
平均解决时间: 3.2 小时(关键: 1.8h,高: 2.9h,中: 4.1h)
SLA 合规率: 94%(目标: >90%)
改进亮点:
[1] RBA 部署将每日告警从 1,847 条降至 287 条(-84%)
[2] 新增 Sigma 规则为覆盖率新增 12 项 ATT&CK 技术
[3] SOAR 钓鱼响应手册将钓鱼 MTTR 降低 60%
待改进领域:
[1] 横向移动检测覆盖率为 58%(低于 60% 目标)
[2] 夜班 MTTD 比白班慢 23%
[3] 4 个关键漏洞扫描工单超过 SLA 期限