Event Lifecycle Performance Metrics

This article provides definitions and information on the metrics recorded for External Threat events and related enforcement actions. This data can be viewed by downloading event data from your workspace using the button at the top right of the events screen.

The metrics are designed to reflect the key stages of the lifecycle of each event from first creation to resolution, and to provide a general overview of event triage and enforcement performance, including visibility into which parts of the process of addressing threats are taking the most and least time. 

Most metrics are universal across all event types and customers; however, those related to browser blacklists / blocking via Google Safe Browsing and Microsoft SmartScreen apply only to phish events, and the pending status for enforcements applies only to customers who subscribe to RiskIQ's managed security services, under which their external threats are reviewed and actioned by the RiskIQ incident response team.

* Applicable only where there is an enforcement ID associated to the event (else blank)

** Applicable only to phish events (metrics not recorded for other types of events)

*** Applicable only to workspaces using RiskIQ's Managed Security Services (MSS) offering (else blank)

Metrics

Note: all times in the export are displayed as MM/DD/YYYY hh:mm:ss AM/PM, PST (UTC-8)

Static Measurements

  • Created Date: Date/time event created
  • Updated Date: Date/time of the most recent update to the event recorded in the event history (ex. change in status, owner, priority, tag, or note added)
  • First Detected: Date/time of the first observation of the threat by RiskIQ (the system processing time between this and the Created Date, when the event notification was generated, is the Time to Detection)
  • Last Scanned: Date/time this threat was most recently observed/monitored by RiskIQ
  • Notice Count: Number of enforcement notices sent in the current enforcement ID associated to this event (number of times the recipients have been notified in relation to the events in that enforcement ID). Note: this count will continue to increase for a resolved event over time if other events with the same enforcement ID do not resolve at the same time (blank if no enforcement ID exists)
  • First Notice Date: Date of the original notice sent in the current enforcement ID associated to this event (blank if no enforcement ID exists)
  • Last Notice Date: Date of the most recent notice sent in the current enforcement ID associated to this event (blank if no enforcement ID exists)

Derived Measurements

  • Event Uptime (minutes): Time from the event's First Detected time until now, or until the last active scan if the event is no longer active (total length of time the event was active / has been active so far)
  • Time to Detection (minutes): Time between RiskIQ first observing a threat (First Detected) and generating an associated event/alert (Created Date of the event)
  • Time to Action (minutes): Time between event creation and the first update to the event history indicating it has been triaged / first action taken on the event (status change, tag added, etc.)
  • Time to Mitigation (minutes): Time between event creation and enforcement (blank if no enforcement ID exists; same as Time to Action if the first action taken on the event is enforcement, otherwise distinct times)
  • Time to Resolution (minutes): Time from the event being enforced to the event resolving.
  • Time to Enforcement Resolution (minutes): Time from event being enforced to the enforcement ID resolving (same as Time to Resolution unless there are multiple events associated to the enforcement ID that resolved at different rates).
  • Enforcement Pending to Resolution/Closing (MSS customers only; minutes): Time from an enforcement being changed to the pending status (meaning it requires review from the customer and/or their legal team to determine if further steps should be taken) to the time of the enforcement resolving or being closed (subset of Time to Enforcement Resolution; blank if there is no enforcement ID, or enforcement ID was never pending)
  • Time to Blacklist Submission (Phish only; minutes): Time between event creation and confirmation or enforcement (submission to GSB and MS browser blacklists triggered by either of these actions; will be the same as Time to Action and/or Time to Mitigation if the first action taken on the event is to confirm or enforce it; blank if event not yet submitted or already blocked at time of creation)
  • Blacklist Submission Time to Block (Phish only; minutes): Time between submitting a URL to GSB and it appearing on their blacklist / becoming blocked for any users whose browsers use this blacklist (blank if event not yet blocked or already blocked at time of creation)
  • Total Unblocked Uptime (Phish only; minutes): Time from a phish event First Detected to it appearing on GSB's blacklist (Time to Detection + Time to Blacklist Submission + Blacklist Submission Time to Block; subset of Event Uptime)
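The derived measurements above are differences between the lifecycle timestamps, and a practitioner validating an export will usually want to recompute them. The following is an added example, not RiskIQ's own code: it parses timestamps in the export's MM/DD/YYYY hh:mm:ss AM/PM PST format and derives the minute-based metrics, leaving a metric blank (None) whenever a stage never happened. The column names First Action, Enforced, Resolved, Blacklist Submitted and Blocked, and the sample row, are hypothetical stand-ins for the underlying event history.

```python
from datetime import datetime, timedelta, timezone

PST = timezone(timedelta(hours=-8))          # export times are PST (UTC-8)
FMT = "%m/%d/%Y %I:%M:%S %p"                 # MM/DD/YYYY hh:mm:ss AM/PM

def parse_ts(value):
    # Blank cells (e.g. no enforcement ID) become None
    return datetime.strptime(value, FMT).replace(tzinfo=PST) if value else None

def minutes_between(start, end):
    # Whole minutes between two timestamps; None if either is blank
    if start is None or end is None:
        return None
    return int((end - start).total_seconds() // 60)

def derive_metrics(row, now):
    """Recompute the derived measurements (in minutes) from raw timestamps."""
    t = {k: parse_ts(row.get(k, "")) for k in (
        "First Detected", "Created Date", "Last Scanned", "First Action",
        "Enforced", "Resolved", "Blacklist Submitted", "Blocked")}
    # Uptime runs to now while active, or to the last scan once resolved
    uptime_end = t["Last Scanned"] if t["Resolved"] else now
    m = {
        "Event Uptime": minutes_between(t["First Detected"], uptime_end),
        "Time to Detection": minutes_between(t["First Detected"], t["Created Date"]),
        "Time to Action": minutes_between(t["Created Date"], t["First Action"]),
        "Time to Mitigation": minutes_between(t["Created Date"], t["Enforced"]),
        "Time to Resolution": minutes_between(t["Enforced"], t["Resolved"]),
        "Time to Blacklist Submission": minutes_between(t["Created Date"], t["Blacklist Submitted"]),
        "Blacklist Submission Time to Block": minutes_between(t["Blacklist Submitted"], t["Blocked"]),
    }
    parts = [m["Time to Detection"], m["Time to Blacklist Submission"],
             m["Blacklist Submission Time to Block"]]
    # Sum of the three stages; blank if the URL was never submitted or blocked
    m["Total Unblocked Uptime"] = None if None in parts else sum(parts)
    return m

# Constructed sample row (hypothetical column names, not real event data)
SAMPLE = {
    "Created Date": "03/02/2021 09:15:00 AM", "First Detected": "03/02/2021 09:03:00 AM",
    "Last Scanned": "03/03/2021 09:03:00 AM", "First Action": "03/02/2021 09:45:00 AM",
    "Blacklist Submitted": "03/02/2021 09:45:00 AM", "Enforced": "03/02/2021 10:15:00 AM",
    "Blocked": "03/02/2021 11:45:00 AM", "Resolved": "03/03/2021 09:03:00 AM",
}

if __name__ == "__main__":
    for name, value in derive_metrics(SAMPLE, datetime.now(PST)).items():
        print(f"{name}: {'' if value is None else value}")
```

In the sample the first action is a confirmation, so Time to Blacklist Submission equals Time to Action, and Total Unblocked Uptime (162 minutes) is a subset of the full Event Uptime (1440 minutes), matching the relationships described above.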