TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

"Total Time spend on case" calculated field #337

Open pottapitot opened 6 years ago

pottapitot commented 6 years ago

Request Type

Feature Request

Hi,

Is it possible to have a "total time spent on case" field in the case? It would be based on the start time to close time (measured in hours or minutes). It would be helpful to calculate how much time was spent on a case or, for multiple cases of the same type, the average time spent on resolving similar cases to further improve the process.

woifi commented 6 years ago

Great request, would love to see that!

nomex commented 6 years ago

We also have this need. From the management perspective, the total time spent on a case is very important.

nadouani commented 6 years ago

This info could in fact be displayed in the case details page, or in the list for closed cases.

If you need stats on this info, you can have it in dashboards, using the handlingDuration fields on the case entity.

mcvic1rj commented 6 years ago

Wouldn't this be Case -> computed.handlingDurationInHours /Minutes/Seconds?

nadouani commented 6 years ago

You mean, we forgot minutes? :D

mcvic1rj commented 6 years ago

@nadouani No, minutes is there! You just beat me to the comment! The handlingDuration fields are based off of the Date and Close date fields, right?

nadouani commented 6 years ago

Yes, exactly

AzureIndustries commented 6 years ago

@pottapitot

I've been working on a time of completion for cases that shows how long the case has been open for. From a management perspective, is there also a need to see all the cases in a graphical form? Graphs or analytics such as mean time taken for each type of case or overall cases. This would be seen in another html page or maybe in a dashboard with the other graphs.

pottapitot commented 6 years ago

@AzureFlameGod It was not for viewing individual cases. I was planning to use it for average time based on case type (e.g. phishing, malware). The idea was as below

  1. Create all case type templates
  2. Create the respective tasks in the case templates
  3. Categorize the tasks into detection (would not have a task), investigation and remediation/containment. (Putting a keyword before the task name (IV - Investigation, RM - Remediation))
  4. Case #546 got implemented so I managed to get the time taken for each task.
  5. Create 3 custom metrics fields for each case (Detection Time, Investigation Time, Remediation Time)
  6. Each analyst when he closes the case will enter the metrics by adding the time on each task and categorizing based on the keyword next to the task.

Finally the dashboards would be

By

Does help me to identify which analyst needs more training, which alerts need fine tuning, and which cases need to have better implemented tasks. I do hope perhaps 3, 4 and 5 will be automated.
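
The per-phase roll-up described in steps 3 to 5 above can be computed from task titles and timestamps. The following is an added example, not code from this thread or from TheHive; the record layout, the field names and the "KEY - title" prefix format are assumptions, and the detection phase is left out because it has no task.

```python
from collections import defaultdict
from statistics import mean

# Keyword prefixes from the comment above; the "KEY - title" layout is an assumption.
PREFIXES = {"IV": "investigation", "RM": "remediation"}
HOUR = 3_600_000  # timestamps are assumed to be epoch milliseconds

# Constructed sample data; the field names below are assumptions for illustration.
CASES = [
    {"template": "phishing", "tasks": [
        {"title": "IV - Review headers", "startDate": 0, "endDate": 2 * HOUR},
        {"title": "RM - Block sender", "startDate": 2 * HOUR, "endDate": 3 * HOUR},
    ]},
    {"template": "phishing", "tasks": [
        {"title": "iv- Review headers", "startDate": 0, "endDate": 4 * HOUR},
        {"title": "IV - Pending evidence", "startDate": HOUR, "endDate": None},
        {"title": "RM - Reset password", "startDate": 4 * HOUR, "endDate": 6 * HOUR},
        {"title": "Notify user", "startDate": 0, "endDate": HOUR},  # no keyword
    ]},
    {"template": "malware", "tasks": [
        {"title": "IV - Triage sample", "startDate": 0, "endDate": 6 * HOUR},
        {"title": "RM - Reimage host", "startDate": 6 * HOUR, "endDate": 9 * HOUR},
    ]},
]

def phase_of(title):
    """Map a task title to its phase using the keyword before the first '-'."""
    key, sep, _ = title.partition("-")
    return PREFIXES.get(key.strip().upper()) if sep else None

def case_metrics(case):
    """Return (hours per phase, titles skipped) for one case."""
    totals, skipped = {phase: 0.0 for phase in PREFIXES.values()}, []
    for task in case["tasks"]:
        phase = phase_of(task["title"])
        start, end = task.get("startDate"), task.get("endDate")
        if phase is None or start is None or end is None or end < start:
            skipped.append(task["title"])  # report it instead of guessing a duration
            continue
        totals[phase] += (end - start) / HOUR
    return totals, skipped

def averages_by_template(cases):
    """Average each phase's hours over the cases that share a template."""
    grouped = defaultdict(lambda: defaultdict(list))
    for case in cases:
        for phase, hours in case_metrics(case)[0].items():
            grouped[case["template"]][phase].append(hours)
    return {t: {p: mean(v) for p, v in phases.items()} for t, phases in grouped.items()}
```

The skipped list is worth reviewing per case: an unprefixed or unfinished task silently lowers the phase totals that the dashboard averages are built on.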

dmuensterer commented 1 year ago

@pottapitot Did you make any progress in implementing this? How did you resolve the issue? Thanks. That's exactly what I need.