Overview

This feature is for customers on AWS.

Chronicle SOAR enables you to track and analyze every aspect of your security operation using Advanced Reports, which synchronize with Tableau, the world’s leading data visualization software.
This integration with Tableau provides you with complete visibility and control over your security operation and a clear view of its business aspects.

Using Advanced Reports requires installation and deployment of a dedicated Tableau server. Please contact Support to discuss license and installation details.

Creating Users to see Advanced Reports

The number of users that you can add is defined by your Advanced Reports license.

  1. In the platform, navigate to Settings > Organization > User Management.
  2. Create or edit a user with one of the following levels of access to Advanced Reports, according to your requirements:
    • No Access
    • Viewer – this level of user will only be able to see Tableau reports that were specifically shared with them from the Advanced Reports screen in the platform.
    • Editor – this user can see all the Tableau reports. They can also upload reports and share reports.
  3. Make sure to Save.

Marketplace Advanced Reports

Once Chronicle SOAR has been set up, navigate to the Marketplace > Analytics tab to download out-of-the-box reports. Once you have downloaded them, you will be able to view them from the Reports tab.

Below are examples of some of the out-of-the-box reports Chronicle SOAR has defined for you:

Security Posture and Sensors Performance
This report provides clear visibility to threat status and trends over time. It also provides insights into sensors’ performance trends and false-positive metrics, thereby providing actionable insights for sensors’ tuning and improvement.

Playbook Analysis
This report provides metrics for automation performance and helps you understand how automation improves your SOC performance and reduces handling times.

Performance Analysis – Handling times
This report presents the mean time to detect and resolve metrics for alerts and cases, on multiple cohorts such as teams, alert types, and stages, and provides visibility to your SOC performance.

Performance Analysis – Analysts Workload
This report provides a clear view of your SOC’s workload via alerts and events distributions, open vs closed cases’ trends, alert grouping performance over time, and false positive trends.

Viewing Advanced Reports

  1. Navigate to the Reports screen and click on Advanced Reports.
  2. On the left side you will see a list of available Reports that you have downloaded from the Marketplace.
  3. Let’s take a look at the MSSP Monthly Report as an example.
  4. Several buttons are displayed at the top of the report. These are embedded Tableau functionality and, as such, will only carry out actions seen in Tableau. For this reason, Chronicle SOAR recommends using only the embedded Download and Refresh buttons.

Share Reports

  1. At the top right of each screen is the option to share reports using the Share icon.
  2. Click Share.
  3. Select the environments for the reports that you want to share with Chronicle SOAR users of those environments.
  4. If you want to share the reports with users who have view-only access, make sure to select the checkbox.

Deleting Reports

Reports can only be deleted on the Tableau dashboard.