
Hi,

I'm pretty new to SecOps SIEM and I'd like to create a dashboard correlating the following fields together:

  • Alerts,
  • Cases,
  • Severity/Priority,
  • User/Analyst
  • Alert Creation Time
  • Alert Assign Time
  • Alert Closing Time

Using both SIEM Dashboards and SOAR Reports, I was able, in SOAR Reports under Advanced Reports, to achieve some sort of result.

Creating a dashboard (SOAR Reports > Advanced Reports > Managed Detection Response) with the following fields:

  • Identifier, Alert Creation Date Time Date, Case ID, Case Priority

I get a certain number of IDENTIFIERS, which is related to the number of ALERTS in a given period.

Instead of using Managed Detection Response, I tried to use Alert And Entities with the following fields:

  • Alert Identifier, Analyst, Case Close Reason, Case ID, Case Priority, Time
  • Creation Time Date, Root Cause, Status, Title

Then I tried something simpler:

  • Managed Detection Response: just the field Alert Identifier with the count distinct function
  • Alert And Entities: just the field Alert Identifier with the count distinct function

The time frame field is:

  • Alert and Entities: Creation Time Time
  • Managed Detection Response: Alert Creation Date Time Time

Comparing the total amounts in both dashboards, I found two different amounts for the same given period.

Do you have any idea why?

As said at the beginning the goal is to create a dashboard with the fields:

  • Alerts,
  • Cases,
  • Severity/Priority,
  • User/Analyst
  • Alert Creation Time
  • Alert Assign Time
  • Alert Closing Time

Thanks.


Hi @D0m3st1C

Discrepancies between SIEM dashboard and SOAR report results, even with the same fields, can stem from a few factors:

  • Data Sources & Ingestion: SIEM and SOAR might pull data from slightly different sources or ingest it in different ways, leading to variations in the data within those fields.

  • Data Transformation & Parsing: The way data is processed and structured before being displayed can differ, causing inconsistencies.

  • Data Filtering & Aggregation: Different filters or aggregation methods applied in dashboards and reports can show different subsets of data.

  • Data Refresh Rates: Dashboards and reports might update at different intervals, leading to temporary discrepancies (e.g., SOAR dashboards refresh every 5 minutes).

  • Field Definitions: While field names may match, the underlying definitions or data types could vary.

  • Connector Issues: Problems with the connector transferring data between SIEM and SOAR can also cause differences.

To troubleshoot, I'd recommend:

  • Reviewing data sources, ingestion methods, parsing rules, filtering, and refresh rates for both systems.

  • Ensuring field definitions are consistent.

  • Checking the health and configuration of the data transfer connector.

There are a few other community posts that cover similar points, which may provide further insight.

We hope this helps!
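One way to find out which of the factors above is in play is to diff the two report exports by Alert Identifier rather than comparing only the two totals. The following is an added Python example, not code from the thread or from the SecOps SOAR product. It uses constructed sample rows whose field names match the two data sources discussed above (Managed Detection Response with "Alert Creation Date Time", Alert And Entities with "Creation Time"); the ISO timestamp format, the one-day window and the export shape are assumptions. It shows two of the causes listed above directly: the same alert falling inside the window in one source and outside it in the other because each source filters on a different timestamp field, and an alert that is simply absent from one source. It also shows why a row count and a count distinct differ when a source emits one row per entity.

```python
from datetime import datetime, timezone

# Constructed sample exports (not real SOAR data). Field names follow the two
# advanced-report data sources named in the thread; everything else is assumed.
MDR_ROWS = [
    {"Alert Identifier": "A-1001", "Alert Creation Date Time": "2024-03-01T08:00:00Z", "Case ID": "C-1"},
    {"Alert Identifier": "A-1002", "Alert Creation Date Time": "2024-03-01T23:30:00Z", "Case ID": "C-2"},
    {"Alert Identifier": "A-1003", "Alert Creation Date Time": "2024-03-01T12:00:00Z", "Case ID": "C-3"},
    {"Alert Identifier": "A-1004", "Alert Creation Date Time": "2024-03-01T15:00:00Z", "Case ID": "C-4"},
    {"Alert Identifier": "A-1005", "Alert Creation Date Time": "2024-02-29T23:50:00Z", "Case ID": "C-5"},
]
AE_ROWS = [
    {"Alert Identifier": "A-1001", "Creation Time": "2024-03-01T08:00:00Z", "Entity": "host-a"},
    {"Alert Identifier": "A-1002", "Creation Time": "2024-03-02T00:10:00Z", "Entity": "host-b"},
    {"Alert Identifier": "A-1004", "Creation Time": "2024-03-01T15:00:00Z", "Entity": "host-c"},
    {"Alert Identifier": "A-1004", "Creation Time": "2024-03-01T15:00:00Z", "Entity": "user-c"},
    {"Alert Identifier": "A-1005", "Creation Time": "2024-03-01T00:05:00Z", "Entity": "host-e"},
]

ID_FIELD = "Alert Identifier"
MDR_TS = "Alert Creation Date Time"   # time field the MDR data source filters on
AE_TS = "Creation Time"               # time field the Alert And Entities source filters on

# Assumed reporting window: one calendar day in UTC.
WINDOW_START = datetime(2024, 3, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 3, 2, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the assumed ISO-8601 'Z' timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ids_in_window(rows, ts_field, start, end):
    """Distinct alert identifiers whose timestamp (in this source's field) is in [start, end)."""
    return {row[ID_FIELD] for row in rows if start <= parse_ts(row[ts_field]) < end}


def timestamps_by_id(rows, ts_field):
    """Map each alert identifier to the timestamp this source reports for it."""
    return {row[ID_FIELD]: parse_ts(row[ts_field]) for row in rows}


def explain(alert_id, other_ts_by_id, other_name, other_field):
    """Say why an id counted in one source is missing from the other source's count."""
    ts = other_ts_by_id.get(alert_id)
    if ts is None:
        return f"absent from {other_name}"
    return f"outside window in {other_name} ({other_field}={ts.isoformat()})"


def reconcile(mdr_rows, ae_rows, start, end):
    """Compare count-distinct results of both sources and attribute every difference."""
    mdr_ids = ids_in_window(mdr_rows, MDR_TS, start, end)
    ae_ids = ids_in_window(ae_rows, AE_TS, start, end)
    mdr_ts = timestamps_by_id(mdr_rows, MDR_TS)
    ae_ts = timestamps_by_id(ae_rows, AE_TS)
    return {
        "mdr_distinct": len(mdr_ids),
        "ae_distinct": len(ae_ids),
        # Raw row count: Alert And Entities emits one row per entity, so it
        # exceeds the distinct count even for the same alerts.
        "ae_rows_in_window": sum(1 for r in ae_rows if start <= parse_ts(r[AE_TS]) < end),
        "only_in_mdr": {i: explain(i, ae_ts, "Alert And Entities", AE_TS) for i in sorted(mdr_ids - ae_ids)},
        "only_in_ae": {i: explain(i, mdr_ts, "Managed Detection Response", MDR_TS) for i in sorted(ae_ids - mdr_ids)},
    }


if __name__ == "__main__":
    result = reconcile(MDR_ROWS, AE_ROWS, WINDOW_START, WINDOW_END)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed rows the two count-distinct values are 4 and 3 for the same day: A-1002 was created at 23:30 in the MDR source but carries a Creation Time of 00:10 the next day in Alert And Entities, A-1005 shifts the other way, and A-1003 has no entity rows at all. When run against real exports, the "only_in_*" maps point straight at the records to check, and whether the explanation is a boundary shift or an absence tells you whether to look at the time-field definition or at the ingestion path between the two sources.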

