Here’s a nifty ES tuning tip that you might enjoy. We’ll be using some handy macros that are documented at Working_with_Notable_Events_from_Search, if you’d like to read up on the background.
What’s the most expensive, valuable, and constrained resource in a security team?
How many security analysts are there?
| `notable_owners` | stats count | eval sec_analysts=(count-1)
How long does it take them to forensically analyze an incident? We can get some hints by looking at the amount of review activity… Audit > Incident Review Audit and Audit > Suppression Audit are of course useful, but you can also do this sort of thing:
| `incident_review` | search status_default=false | timechart span=1day count by reviewer usenull=f
“Forensically analyze” is a loaded phrase though… it takes 3 seconds to suppress or close yet another administratively overridden known issue, but it can take hours or days to trace, resolve, and prevent the real thing. So let’s put a finger in the wind and say “one hour” is the target for an analyst to spend on an incident.
How many hours are there in the work day?
If you look at notable events, are there any rules that are generating more events than your analysts are capable of looking at?
| `notable_owners` | stats count | eval sec_analysts=(count-1) | eval analyst_capacity=(sec_analysts*12) | map search="search `notable` | stats count by source | where count>$analyst_capacity$"
Those are the correlation searches that need to be tuned.
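The same capacity check as the search above, written out in Python as an added example (not from the original post or from Splunk) so the arithmetic is explicit. It assumes `notable_owners` lists an "unassigned" pseudo-owner (hence the count-1), uses the post's 12 hours per day and one hour per incident, and goes slightly beyond the search by bucketing notables per day so a multi-day window is compared against a per-day capacity. Owner and rule names and the counts are constructed sample data.

```python
from collections import Counter

# Constructed stand-in for `notable_owners` output; "unassigned" is the
# pseudo-owner that the post's (count-1) drops (assumption).
OWNERS = ["unassigned", "alice", "bob"]

# Constructed stand-in for `notable` output: (day, correlation search name).
# Counts are invented purely for illustration.
NOTABLES = (
    [("2024-01-01", "Threat List Activity Detected")] * 40
    + [("2024-01-02", "Threat List Activity Detected")] * 20
    + [("2024-01-01", "Brute Force Access Behavior Detected")] * 10
    + [("2024-01-02", "Brute Force Access Behavior Detected")] * 26
    + [("2024-01-01", "Host With Multiple Infections")] * 3
)


def analyst_count(owners):
    """Mirror `notable_owners` | stats count | eval sec_analysts=(count-1)."""
    return sum(1 for owner in owners if owner != "unassigned")


def analyst_capacity(analysts, hours_per_day=12, hours_per_incident=1.0):
    """Incidents per day the team can fully work (12 h/day, 1 h each per the post)."""
    return int(analysts * hours_per_day / hours_per_incident)


def counts_by_rule_per_day(notables):
    """Like `notable` | stats count by source, but bucketed per day."""
    return Counter((day, rule) for day, rule in notables)


def rules_over_capacity(notables, capacity):
    """Return {rule: worst daily count} for rules exceeding capacity on any day."""
    worst = {}
    for (_day, rule), n in counts_by_rule_per_day(notables).items():
        if n > capacity and n > worst.get(rule, 0):
            worst[rule] = n
    return worst


if __name__ == "__main__":
    cap = analyst_capacity(analyst_count(OWNERS))
    for rule, n in sorted(rules_over_capacity(NOTABLES, cap).items()):
        print(f"{rule}: {n} notables in one day vs capacity {cap}")
```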