
Task 02: Calculate and review MTTD, MTTR, and first-action metrics


Security Architecture Team

  1. Open the incident CSV you receive from the team to confirm these columns exist:

    • Incident ID
    • Severity
    • First activity time
    • Creation time
    • First action time (analyst note)
    • Last update time (proxy for resolution)
  2. Compute metrics:

    • MTTD = Created − First activity
    • First-Action = First action − Created
    • MTTR = Last update − First activity
  3. Filter by Severity and calculate average, median, and 90th percentile.

  4. Build an Excel or Power BI dashboard showing SLA compliance and outliers.

  5. Investigate incidents with breached SLAs.
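The calculation in steps 1 to 3, as an added Python example that is not part of the original lab material: it derives the three durations per incident, groups them by Severity, and reports the average, median, and 90th percentile in minutes. The column header spellings, the ISO 8601 timestamps with offsets, the nearest-rank percentile method, and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample export; header names and ISO 8601 offsets are assumptions.
SAMPLE_CSV = """\
Incident ID,Severity,First activity time,Creation time,First action time,Last update time
INC-1,High,2024-05-01T08:00:00+00:00,2024-05-01T08:10:00+00:00,2024-05-01T08:25:00+00:00,2024-05-01T10:00:00+00:00
INC-2,High,2024-05-02T09:00:00+00:00,2024-05-02T09:30:00+00:00,2024-05-02T09:40:00+00:00,2024-05-02T13:00:00+00:00
INC-3,High,2024-05-03T12:00:00+00:00,2024-05-03T12:20:00+00:00,,2024-05-03T20:00:00+00:00
INC-4,Low,2024-05-03T14:00:00+02:00,2024-05-03T13:00:00+00:00,2024-05-03T13:30:00+00:00,2024-05-04T13:00:00+00:00
INC-5,Low,2024-05-04T10:00:00+00:00,2024-05-04T09:00:00+00:00,2024-05-04T09:30:00+00:00,2024-05-04T12:00:00+00:00
"""

def minutes(start, end):
    """Minutes elapsed from start to end; None when either cell is blank."""
    if not start or not end:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60

def stats(values):
    """Average, median, and nearest-rank 90th percentile of a list of minutes."""
    ordered = sorted(values)
    p90 = ordered[math.ceil(0.9 * len(ordered)) - 1]
    return {"mean": statistics.mean(ordered), "median": statistics.median(ordered), "p90": p90}

def summarize(csv_text):
    """Return ({severity: {metric: stats}}, [(incident id, metric) with negative duration])."""
    samples = defaultdict(lambda: defaultdict(list))
    anomalies = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        metrics = {
            "MTTD": minutes(row["First activity time"], row["Creation time"]),
            "First-Action": minutes(row["Creation time"], row["First action time"]),
            "MTTR": minutes(row["First activity time"], row["Last update time"]),
        }
        for name, value in metrics.items():
            if value is None:        # e.g. no analyst action logged yet
                continue
            if value < 0:            # out-of-order timestamps: check time-zone handling
                anomalies.append((row["Incident ID"], name))
                continue
            samples[row["Severity"]][name].append(value)
    report = {sev: {m: stats(v) for m, v in by_metric.items()} for sev, by_metric in samples.items()}
    return report, anomalies
```

Negative durations are kept out of the averages and returned separately, because they usually point to an export that mixes time zones rather than to a real detection time.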


Security Engineering and Administration

Informational: what the Engineering team could do at this point.

  1. Schedule a daily export job or perform a manual CSV download.

  2. Standardize all timestamps to one time zone (UTC or local) and apply it consistently.

  3. Confirm Last update time populates correctly on status changes.

  4. Deliver a monthly summary to the Architecture team.


SOC Analyst

  1. Export your assigned incidents weekly.

  2. Log your first-action and status changes.

  3. Note any delays and their root causes, for example, “Awaiting business approval.”

  4. Present individual SLA compliance in team review.