Bringing SOC Efficiency Measurements into the Future (Part 2)

In the previous blog post, we showed how easy it is to automate the security event funnel using the JASK API. Now, we will show you how to expand the funnel by customizing workflow inside the JASK platform and pulling the additional metrics via API.



The first thing we need to do is customize the workflow inside the JASK platform. That can be done by navigating to configuration > users > workflow.



We can see by default there are three status by default inside the platform: New, In Progress and Closed. These can be modified to meet the needs of any Security Operations Center workflow.

In this example, we will show how to customize it based on the federal agency incident categories found here. I have found this to be a good starting point for any incident classification.

The image below shows what the customization looks like once adopting the additional categories.



Now, when closing out the insights, the analyst will pick one of the categories which will allow us to have better metrics on the type of incidents affecting the organization. There are a couple of different ways to do this.

In the first attempt, we develop a script that pulled aggregate API and pulls down the JSON data as follows:




Now, when we call the workflow function inside a cell it returned:



We then quickly used the = ImportJSONFromSheet(“json”,,“noTruncate”) and get the following:




That is a lot better! The only problem with the above is that the query is not time restricted. It queries all insights and aggregates on the workflow stage. In the future, we will research and show how we can change the query to modify the time. In the meantime, we show that with the robust JASK API, we can do this a different way.

We will use the same import JSON function that we did in developing the basic event funnel.  This time, we add workflow status:<your workflow stage>, and we also utilize /meta/total to only bring back the number of insights that match. Without the /meta/total, it will pull back all the insights and their associated signals.





Now, just repeat the step above for the rest of the workflow status we created above. We end up with a table that looks like this in google sheets:



I then take column B and copy and paste it into my google presentation and with a little formatting, we now have an automated way to break down insights based on their incident categories. This is a lot more valuable from a tracking perspective.



In the next blog post, we will continue to show different metrics that can be pulled out of the JASK API.


About the Author

Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.


Share on