Setting the SLA
A Service Level Agreement (SLA) represents a commitment by the SOC to perform specific tasks, such as investigating or remediating specific cases, within a specified amount of time.
SLA Types:
Alert SLA: the maximum committed time for closing an alert. Alert SLA is mainly based on alert attributes (Alert Type, Alert Priority, etc.), but can also be based on other attributes (such as case attributes).
Case SLA: the maximum committed time for closing a case. Case SLA is mainly based on case attributes (Case Stage, Case Priority, etc.), but can also be based on other attributes (such as alert attributes).
An SLA can be configured for an Alert, a Case, or both.
When an SLA is configured for an alert, the SLA clock starts when the alert is created.
When an SLA is configured for a case, the SLA clock starts when the case is created. However, when the SLA is configured by Case Stage, the clock starts at the beginning of that stage.
An SLA can be configured directly through the Settings, or it can be set by a Playbook action in a Playbook or a Playbook Block so that it is applied automatically.
If multiple SLA rules apply to a Case, the SLA set by a playbook action takes first priority. If no playbook action has set an SLA, the Case Stage SLA is used. If no Case Stage SLA has been set, the Case Priority SLA is used.
If multiple SLA rules apply to an Alert, the SLA set by a playbook action takes first priority. If no playbook action has set an SLA, the Alert Type SLA is used. If no Alert Type SLA has been set, the Alert Priority SLA is used.
To add an SLA:
- Navigate to Settings > Environments > SLA.
- Click the icon on the top right of the screen.
- Select whether the SLA will be configured by an alert type (either all alerts or specific ones), an alert priority (e.g. informative, low), a case stage (e.g. triage, investigation), or a case priority (e.g. informative, low).
- Add the time frames for the SLA Period (the amount of time that can pass before the SLA is breached) and the SLA Critical Period (the time before the SLA enters its critical phase). For example, if the SLA Period is set to 10 minutes and the SLA Critical Period is set to 6 minutes, the actual Critical Period lasts for 4 minutes.
- Click Add.
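The precedence rules and the Period / Critical Period arithmetic above can be modelled to sanity-check an SLA configuration before it goes live. This is an added example, not code from the product or this page; the rule-source names ("playbook", "case_stage", "case_priority", "alert_type", "alert_priority") and the scenario values are assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Rule sources in the precedence order described above (source names are assumed).
CASE_PRECEDENCE = ("playbook", "case_stage", "case_priority")
ALERT_PRECEDENCE = ("playbook", "alert_type", "alert_priority")
Rule = Tuple[int, int]  # (SLA Period minutes, SLA Critical Period minutes)

def resolve_sla(rules: Dict[str, Rule], precedence: Tuple[str, ...]) -> Optional[Tuple[str, int, int]]:
    """Return (source, period, critical) for the highest-precedence rule that is set, else None."""
    for source in precedence:
        if source in rules:
            period, critical = rules[source]
            if not 0 < critical <= period:  # the critical phase must begin inside the SLA period
                raise ValueError(f"{source}: critical period must lie within the SLA period")
            return source, period, critical
    return None

def sla_start(source: str, created: datetime, stage_started: datetime) -> datetime:
    """A Case Stage SLA starts when the stage starts; every other SLA starts at creation."""
    return stage_started if source == "case_stage" else created

def critical_window_minutes(period: int, critical: int) -> int:
    """Length of the critical phase: the 10/6 example above gives 4 minutes."""
    return period - critical

def sla_status(elapsed_minutes: float, period: int, critical: int,
               paused_minutes: float = 0, is_case: bool = False) -> str:
    """Map time since SLA start to 'active', 'critical' or 'breached'; paused time is excluded."""
    if is_case and paused_minutes:  # only Alert SLAs can be paused
        raise ValueError("Case SLAs cannot be paused")
    running = elapsed_minutes - paused_minutes
    if running >= period:
        return "breached"
    if running >= critical:
        return "critical"
    return "active"

def case_stage_example() -> list:
    """Constructed scenario: a stage SLA (10 min, critical at 6) overrides a 60-minute priority SLA."""
    rules = {"case_priority": (60, 45), "case_stage": (10, 6)}
    source, period, critical = resolve_sla(rules, CASE_PRECEDENCE)
    created = datetime(2024, 1, 1, 9, 0)
    start = sla_start(source, created, stage_started=created + timedelta(minutes=30))
    def status_at(now: datetime) -> str:
        return sla_status((now - start).total_seconds() / 60, period, critical, is_case=True)
    # The stage started 30 minutes after case creation, so the 10-minute clock runs from 09:30.
    return [(m, status_at(start + timedelta(minutes=m))) for m in (3, 7, 10)]
```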
SLA Status:
In the Cases tab, an SLA that is created for a Case is indicated by an hourglass with the letter "C" next to it. If the SLA was created for an Alert, it will be indicated by an hourglass with the letter "A" next to it. The color of the SLA indicates its status:
- Active Case SLA
- Active Alert SLA
- Case SLA Critical Period
- Alert SLA Critical Period
- Case SLA Breached
- Alert SLA Breached
A green countdown timer at the top of the screen of the selected Case indicates an active Case SLA.
For cases with multiple alerts, the Alerts icon in the Cases header of the Cases screen displays all of the Alert SLAs in one popover. Click an Alert SLA to view the individual alert.
To pause/resume an SLA:
Note that a Case SLA cannot be paused.
- Click the 3 dots on the right side of the Alert tab and select Pause alert SLA.
- Enter the reason for pausing the Alert SLA, then click Pause.
- A black hourglass in the Alert tab indicates that the SLA is paused.
- To resume the Alert SLA, click Alert Options on the right side of the Alert tab and select Resume alert SLA.
- The hourglass in the Alert tab turns green, indicating that the SLA is running again.