Exercise 08: SOC metrics and triage quality
Exercise learning objectives
- Align incident classification and severity; define MTTD, MTTR, and first-action SLAs.
- Create watchlists and custom detections; schedule daily hunting reviews.
Estimated time: 40 minutes
CISO Overview - Scenario and goals
Zava Oil & Resources wants to improve SOC efficiency by defining a consistent incident classification and severity scheme, and by measuring MTTD (Mean Time to Detect) and MTTR (Mean Time to Remediate) from timestamps already available in the unified Defender XDR portal: MTTD as the interval from the earliest evidence activity to incident creation, MTTR as the interval from incident creation to closure.
The team must also create watchlists for high-value assets, add custom detections using KQL, and schedule daily hunting reviews.
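The following Python is an added worked example, not part of the lab or of any Microsoft tooling. It computes MTTD, MTTR, first-action SLA breaches and a classification-hygiene check over a handful of constructed incidents. The record fields (first activity, created, closed, severity, status, classification) are modelled on the columns of the Microsoft Sentinel SecurityIncident table, while the first-action timestamp and the per-severity SLA targets are assumptions made for the example; the exercise itself does not prescribe those values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Per-severity first-action SLA targets. Illustrative assumptions for this
# example, not Zava's or Microsoft's published targets.
FIRST_ACTION_SLA = {
    "High": timedelta(minutes=30),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
    "Informational": timedelta(days=3),
}


@dataclass
class Incident:
    """One incident record. Timestamp fields mirror the Sentinel SecurityIncident
    columns FirstActivityTime / CreatedTime / ClosedTime; first_action is an
    assumed field standing in for the first analyst assignment or status change."""
    incident_number: int
    severity: str
    status: str                        # New / Active / Closed
    classification: Optional[str]      # TruePositive / BenignPositive / FalsePositive / None
    first_activity: datetime           # earliest evidence timestamp in the incident
    created: datetime                  # when the incident was raised (detection)
    first_action: Optional[datetime]   # first analyst touch, None if untouched (assumed)
    closed: Optional[datetime]         # None while the incident is still open


def time_to_detect(inc: Incident) -> timedelta:
    """Detection latency: earliest evidence activity to incident creation."""
    return inc.created - inc.first_activity


def time_to_remediate(inc: Incident) -> Optional[timedelta]:
    """Remediation time: creation to closure; None while the incident is open."""
    if inc.closed is None:
        return None
    return inc.closed - inc.created


def _mean(deltas: list) -> Optional[timedelta]:
    # statistics.mean() rejects timedelta, so average by hand.
    if not deltas:
        return None
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents: list) -> Optional[timedelta]:
    return _mean([time_to_detect(i) for i in incidents])


def mttr(incidents: list) -> Optional[timedelta]:
    # Only closed incidents count; including open ones would bias the mean downward.
    closed_times = []
    for inc in incidents:
        ttr = time_to_remediate(inc)
        if ttr is not None:
            closed_times.append(ttr)
    return _mean(closed_times)


def sla_breaches(incidents: list, now: datetime) -> list:
    """Incident numbers whose first analyst action missed the severity SLA,
    measured from creation. An untouched incident is measured against `now`,
    so it surfaces as soon as the clock runs out rather than only after someone acts."""
    breached = []
    for inc in incidents:
        target = FIRST_ACTION_SLA[inc.severity]
        reference = inc.first_action if inc.first_action is not None else now
        if reference - inc.created > target:
            breached.append(inc.incident_number)
    return breached


def unclassified_closed(incidents: list) -> list:
    """Closed incidents carrying no classification. These distort true/false
    positive rates and should be sent back to the closing analyst."""
    return [i.incident_number for i in incidents
            if i.status == "Closed" and not i.classification]


# Constructed sample data for the example; not real Zava incidents.
def _t(hour: int, minute: int) -> datetime:
    return datetime(2025, 1, 15, hour, minute)


SAMPLE_INCIDENTS = [
    Incident(1001, "High", "Closed", "TruePositive", _t(9, 0), _t(9, 10), _t(9, 20), _t(11, 10)),
    Incident(1002, "Medium", "Closed", None, _t(8, 0), _t(9, 0), _t(14, 0), _t(16, 0)),
    Incident(1003, "High", "Active", None, _t(10, 0), _t(10, 20), None, None),
    Incident(1004, "Low", "New", None, _t(10, 30), _t(10, 30), None, None),
]
NOW = _t(11, 30)


def report(incidents: list = SAMPLE_INCIDENTS, now: datetime = NOW) -> dict:
    return {
        "mttd": mttd(incidents),
        "mttr": mttr(incidents),
        "first_action_sla_breaches": sla_breaches(incidents, now),
        "closed_without_classification": unclassified_closed(incidents),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Two design choices matter for the metrics to be honest: open incidents are excluded from MTTR rather than counted as zero, and an incident nobody has touched is judged against the current time, so a breaching High-severity incident shows up in the daily review while it is still breaching, not after the fact.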