Bringing SOC Efficiency Measurements into the Future (Part 1)

Almost anyone who has spent time around SIEM and security operations has seen a security event management funnel. I started building these in ArcSight in 2008 and 2009 for my ArcSight customers. I would have 10 to 12 scheduled reports in ArcSight that would output .csv files, then combine those into a master workbook with a bunch of formulas, and then would have to copy and paste the results into a PowerPoint or wiki. The original funnel looked like this:



Fast forward to 2019. This task can be automated using the JASK platform and its APIs. Gone is the need for complex formulas and manually updated numbers. Simply open the Google slide every thirty days and the metrics are auto-generated. This can be done with one easy solution built on Google Sheets, as described below.


1) Download https://github.com/bradjasper/ImportJSON/blob/master/ImportJSON.gs and install it as a script in Google Sheets.

2) Get an API key from the JASK Portal.

3) Insert the following into a cell in Google Sheets to get the number of records.


  • The results will look like this: 


4) Insert the following into a cell in Google Sheets to get the number of signals.


  • The results will look like this: 


5) Insert the following into a cell in Google Sheets to get the number of insights.


  • The results will look like this:


6) My Google Sheet now looks like this: 


7) Create a new Google slide. Create a reverse pyramid smart graphic. I had to copy and paste one from PowerPoint.

8) Select and copy the data you need. Is your report usually weekly or monthly? In this case, I selected monthly.

  • Highlight Records and the cell below it, copy, and then paste into the Google slide. Select the link to the spreadsheet. This ensures that the numbers will be reflected on the slide when the spreadsheet is updated. (Repeat for Signals and Insights.)



9) Finished Automated Security Event Funnel. Simply open the slide every month and click update. The metrics are automatically updated!



One thing that stands out between the funnels is that in the old funnel there were almost 5,000,000 correlations, yet only 10,448 were triaged/investigated. That means a large amount of filtering is done to arrive at the events of interest. JASK, with the Adaptive Signal Clustering Engine, continuously evaluates signals/correlations as they relate to an entity; there is no filtering, so all 319,300 signals are evaluated.
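The comparison above comes down to stage-to-stage ratios, which the sheet can compute itself. As an added example (not code from the original post or from JASK), the custom function below can be saved next to ImportJSON.gs; the function name is hypothetical, and it assumes the layout from steps 6 and 8: stage names in one row, counts in the cells directly below, widest stage first.

```javascript
/**
 * Added example: Sheets custom function, e.g. =FUNNEL_RATIOS(A1:C2).
 * Assumed layout: row 1 = stage names, row 2 = counts, widest stage first.
 * Returns a table: stage, count, % of previous stage, % of first stage, check.
 */
function FUNNEL_RATIOS(range) {
  if (!Array.isArray(range) || range.length !== 2 ||
      range[0].length !== range[1].length) {
    throw new Error('Select two rows: stage names, then counts');
  }
  const [names, counts] = range;
  const out = [['Stage', 'Count', '% of previous', '% of first', 'Check']];
  let top = null;   // count of the first valid stage
  let prev = null;  // count of the last valid stage
  names.forEach((name, i) => {
    // Cells filled from JSON may hold text such as "319,300", so coerce.
    const raw = counts[i];
    const count = typeof raw === 'number'
      ? raw
      : Number(String(raw).replace(/,/g, '').trim());
    if (String(raw).trim() === '' || !Number.isFinite(count) || count < 0) {
      // A blank or error cell must not silently become 0 on the slide.
      out.push([name, raw, '', '', 'not a count: check the API response']);
      return;
    }
    // Percentage rounded to two decimals; blank when the base is 0.
    const pct = (base) => (base ? Math.round((count / base) * 10000) / 100 : '');
    let check = 'ok';
    if (prev !== null && count > prev) {
      check = 'exceeds previous stage: do the time windows match?';
    }
    out.push([name, count,
      prev === null ? '' : pct(prev),
      top === null ? '' : pct(top),
      check]);
    if (top === null) top = count;
    prev = count;
  });
  return out;
}
```

Fed the old funnel's two figures from this post (5,000,000 correlations, 10,448 triaged), it reports that 0.21% of correlations were triaged.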

This is just the beginning. In future blog posts, we will discuss other workflow-related metrics to pull out of the API. JASK has a very well-documented and easy-to-use API, which can be found on GitHub.


About the Author

Steven Dietz is technical director of field operations at JASK. With over 18 years of information security experience ranging from being an analyst to building world-class security operations, he demonstrates to potential customers how and why to use JASK products.

LinkedIn: https://www.linkedin.com/in/steven-dietz-aab7997/ 

