building-soc-metrics-and-kpi-tracking

Featured

Builds SOC performance metrics and KPI tracking dashboards measuring Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage using SIEM data. Use when SOC leadership needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness.

AI & Automation 15,448 stars 1852 forks Updated 1 week ago Apache-2.0

Quality Score: 97/100

Stars (20%): 100
Recency (20%): 90
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Building SOC Metrics and KPI Tracking

## When to Use

Use this skill when:

- SOC leadership needs data-driven visibility into operational performance
- Continuous improvement programs require baseline measurements and trend tracking
- Executive reporting demands quantified security posture and ROI metrics
- Staffing decisions need objective workload and capacity data
- Compliance audits require documented SOC performance evidence

**Do not use** metrics as punitive measures against analysts — metrics should drive process improvement, not individual performance management.

## Prerequisites

- SIEM with 90+ days of incident and alert disposition data
- Incident ticketing system (ServiceNow, Jira) with timestamp data for the incident lifecycle
- Analyst shift schedules and staffing data
- ATT&CK Navigator for detection coverage tracking
- Dashboard platform (Splunk, Grafana, or Power BI)

## Workflow

### Step 1: Define Core SOC Metrics Framework

Establish the key metrics aligned to NIST CSF functions:

| Metric | Definition | Target | NIST CSF |
|--------|-----------|--------|----------|
| MTTD | Time from threat occurrence to SOC detection | <15 min | Detect |
| MTTA | Time from alert to analyst acknowledgment | <5 min | Respond |
| MTTI | Time from acknowledgment to investigation start | <10 min | Respond |
| MTTC | Time from investigation to containment | <1 hour | Respond |
| MTTR | Time from detection to full resolution | <4 hours | Recover |
| FP Rate | Percentage of fal...
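As an added worked example (not code from the skill or from the mukul975/Anthropic-Cybersecurity-Skills repository), the following Python computes the Step 1 lifecycle metrics and the false-positive rate from incident-ticket timestamps. The record layout, the stage names, and the six sample incidents are constructed for illustration; the targets are the ones in the table above. It reports the median beside each mean, which is the check a practitioner wants on this kind of dashboard: one slow incident can push the mean past target while the typical incident is comfortably inside it.

```python
"""SOC lifecycle metrics (MTTD, MTTA, MTTI, MTTC, MTTR) and FP rate from ticket data.

Added example, not code from the skill or its repository. It assumes the ticketing
system exports one record per incident with an ISO-8601 timestamp per lifecycle
stage and a final disposition; field names and sample incidents are constructed.
"""
from datetime import datetime
from statistics import mean, median

# Each metric is the elapsed time between two lifecycle stages (Step 1 table).
METRICS = {
    "MTTD": ("occurred", "detected"),
    "MTTA": ("detected", "acknowledged"),
    "MTTI": ("acknowledged", "investigating"),
    "MTTC": ("investigating", "contained"),
    "MTTR": ("detected", "resolved"),
}
# Targets from the same table, in minutes.
TARGETS_MIN = {"MTTD": 15, "MTTA": 5, "MTTI": 10, "MTTC": 60, "MTTR": 240}
STAGES = ("occurred", "detected", "acknowledged", "investigating", "contained", "resolved")

# Constructed sample export. A missing stage has not been reached yet (INC-4 is
# still open) or does not apply (false positives have no occurrence time and are
# closed at triage without containment or resolution).
RAW_INCIDENTS = [
    {"id": "INC-1", "disposition": "true_positive",
     "occurred": "2024-05-01T08:00:00", "detected": "2024-05-01T08:10:00",
     "acknowledged": "2024-05-01T08:13:00", "investigating": "2024-05-01T08:20:00",
     "contained": "2024-05-01T09:00:00", "resolved": "2024-05-01T11:00:00"},
    {"id": "INC-2", "disposition": "true_positive",
     "occurred": "2024-05-01T12:00:00", "detected": "2024-05-01T12:20:00",
     "acknowledged": "2024-05-01T12:24:00", "investigating": "2024-05-01T12:30:00",
     "contained": "2024-05-01T13:00:00", "resolved": "2024-05-01T15:00:00"},
    {"id": "INC-3", "disposition": "true_positive",  # slow outlier
     "occurred": "2024-05-02T01:00:00", "detected": "2024-05-02T01:05:00",
     "acknowledged": "2024-05-02T01:15:00", "investigating": "2024-05-02T01:30:00",
     "contained": "2024-05-02T03:30:00", "resolved": "2024-05-02T13:05:00"},
    {"id": "INC-4", "disposition": "true_positive",  # still open
     "occurred": "2024-05-03T09:00:00", "detected": "2024-05-03T09:12:00",
     "acknowledged": "2024-05-03T09:14:00", "investigating": "2024-05-03T09:20:00"},
    {"id": "INC-5", "disposition": "false_positive",
     "detected": "2024-05-03T10:00:00", "acknowledged": "2024-05-03T10:03:00"},
    {"id": "INC-6", "disposition": "false_positive",
     "detected": "2024-05-03T10:30:00", "acknowledged": "2024-05-03T10:37:00"},
]


def parse_incident(raw):
    """Turn one raw ticket record (strings or absent keys) into datetimes/None."""
    rec = {"id": raw["id"], "disposition": raw["disposition"]}
    for stage in STAGES:
        rec[stage] = datetime.fromisoformat(raw[stage]) if raw.get(stage) else None
    return rec


def lifecycle_metrics(incidents):
    """Per metric: mean and median in minutes, sample size, and whether each
    meets its target. An incident counts only if both endpoint stages are
    stamped; open or not-applicable stages are excluded, not treated as zero."""
    out = {}
    for name, (start, end) in METRICS.items():
        mins = [(inc[end] - inc[start]).total_seconds() / 60
                for inc in incidents if inc[start] and inc[end]]
        if not mins:
            out[name] = {"mean_min": None, "median_min": None, "n": 0,
                         "mean_meets_target": None, "median_meets_target": None}
            continue
        m, md = mean(mins), median(mins)
        out[name] = {"mean_min": round(m, 2), "median_min": round(md, 2), "n": len(mins),
                     "mean_meets_target": m < TARGETS_MIN[name],
                     "median_meets_target": md < TARGETS_MIN[name]}
    return out


def alert_quality(incidents):
    """False-positive rate over dispositioned alerts plus the open true-positive
    backlog, so unresolved incidents are reported rather than silently dropped."""
    fp = sum(i["disposition"] == "false_positive" for i in incidents)
    tp = sum(i["disposition"] == "true_positive" for i in incidents)
    open_tp = sum(i["disposition"] == "true_positive" and i["resolved"] is None
                  for i in incidents)
    return {"fp_rate": round(fp / (fp + tp), 4) if fp + tp else None,
            "open_true_positives": open_tp}


if __name__ == "__main__":
    incs = [parse_incident(r) for r in RAW_INCIDENTS]
    for name, s in lifecycle_metrics(incs).items():
        print(f"{name}: mean {s['mean_min']} / median {s['median_min']} min, n={s['n']}, "
              f"target <{TARGETS_MIN[name]} min, mean ok={s['mean_meets_target']}, "
              f"median ok={s['median_meets_target']}")
    print(alert_quality(incs))
```

Open incidents and false positives are excluded from any metric whose endpoints they lack rather than being counted as zero; in the constructed data that is what keeps MTTC and MTTR honest (the mean misses target because of INC-3 while the median does not), and the open-backlog count surfaces INC-4 so an unresolved incident does not vanish from the dashboard. False positives still contribute to MTTA, since every alert is acknowledged whether or not it turns out to be real.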

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
1 week ago
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

Web & Frontend Listed

building-soc-metrics-and-kpi-tracking

Builds SOC performance metrics and KPI tracking dashboards, using SIEM data to measure Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), alert quality ratios, analyst productivity, and detection coverage. Applicable when SOC leadership needs operational visibility, continuous improvement tracking, or executive-level reporting on security operations effectiveness.

26 Updated 1 month ago
killvxk
AI & Automation Listed

alert-prioritization

Analyzes SIEM alert pipelines for rule optimization, alert fatigue reduction, criticality scoring, asset-based prioritization, and correlation rule design using NIST CSF and detection engineering principles.

USE THIS SKILL WHEN:
- Your SOC team is drowning in alerts and you need to reduce noise
- Someone asks about alert fatigue, false positive rates, or SIEM tuning
- You need to design or evaluate an alert criticality scoring framework
- A project involves SIEM rules (Splunk, Elastic, Sentinel, Chronicle, QRadar)
- You are building or reviewing detection-as-code pipelines
- Someone mentions MITRE ATT&CK coverage gaps or detection engineering
- You need to optimize correlation rules or SOAR playbook coverage
- Alert-to-incident conversion rates are below 30%
- Analysts are bulk-closing alerts or MTTA is trending upward

TRIGGER PHRASES: "alert fatigue", "SIEM tuning", "detection rules", "alert prioritization", "false positive rate", "correlation rules", "SOC optimization", "alert scoring", "detection engineeri

5 Updated today
tinh2
AI & Automation Featured

building-soc-escalation-matrix

Build a structured SOC escalation matrix defining severity tiers, response SLAs, escalation paths, and notification procedures for security incidents.

15,448 Updated 1 week ago
mukul975