Mission Control: Improving Efficiency with the Analyst Queue

This article is a part of a series describing key features of the Phantom Security Automation and Orchestration Platform and how they work to improve the analyst experience.

In this specific installment of the series, we will talk about the Analyst Queue.

Figure: The Phantom 3.0 Platform's Analyst Queue enables efficient triage of security events

While the Analyst Queue view is not explicitly part of the Mission Control interface, it is closely related in that analysts spend a lot of their time in this area of the platform. Therefore, any efficiencies we can provide to better manage work queues have a positive effect on overall Mean Time To Resolution (MTTR). As mentioned in previous installments of this series, reducing MTTR for analysts and SOCs is a core goal of the Phantom 3.0 release. The new Analyst Queue area in 3.0 significantly reduces the time required for analysts to triage their own queue. It also reduces the time required for managers to track and triage the team queue.

Figure: Accessing the Analyst Queue

In Phantom 3.0, the Analyst Queue is accessible through the Sources option in the main menu. The key enhancement to this queue for our 3.0 release is that analysts now have the ability to fully customize the view by using filters and sorting on each column. Analysts can also select which columns are present in the table, including custom fields and tags used in security events and cases.

Figure: Quickly Customize the Analyst Queue to Match Personal Preferences

An important column to highlight is the Label column, to which filters can now be applied. With no filter applied, the analyst can view all security events and cases across all labels (assuming the user has the appropriate permissions). With filtering, the user can select one or many labels to view simultaneously, then sort by adjacent columns such as severity, ownership, sensitivity, and others. Additional filters based on those columns or others may also be applied to further narrow the queue.

Figure: Choosing One or More Labels Enables Broad or Narrow Event Queue Views

In addition to the table view, the platform also generates summary metrics for the displayed events at the top of the page. These metrics update based on the filters applied to the view. The metrics are also interactive: each value is clickable, and selecting it applies the corresponding filter. For example, the values for Severity include high, medium, and low. If low is clicked, a filter for all low-severity events is applied to the current view.
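The label-filtering and summary-metric behaviour described in the two sections above, modelled as an added example. This is illustrative Python, not Phantom's own code or API; the event records, column names, severity ranking and the AnalystQueue class are all constructed for the example.

```python
from collections import Counter

# Constructed sample queue rows (not real Phantom data): one dict per event/case.
EVENTS = [
    {"id": 1, "label": "events",   "severity": "high",   "owner": "alice", "sensitivity": "amber"},
    {"id": 2, "label": "events",   "severity": "low",    "owner": "bob",   "sensitivity": "green"},
    {"id": 3, "label": "cases",    "severity": "medium", "owner": "alice", "sensitivity": "red"},
    {"id": 4, "label": "phishing", "severity": "high",   "owner": None,    "sensitivity": "amber"},
    {"id": 5, "label": "phishing", "severity": "low",    "owner": "carol", "sensitivity": "green"},
    {"id": 6, "label": "cases",    "severity": "high",   "owner": "bob",   "sensitivity": "red"},
]

# Sort order for the Severity column: highest-severity items rise to the top.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


class AnalystQueue:
    """Model of the queue view: per-column filters over rows the user is permitted to see."""

    def __init__(self, events, permitted_labels=None):
        self.events = events
        # None means the user may see every label; otherwise rows outside the set are never shown,
        # regardless of what filters the user applies.
        self.permitted_labels = permitted_labels
        self.filters = {}  # column -> set of allowed values; no entry means "no filter"

    def filter_column(self, column, *values):
        """Select one or many values for a column (e.g. several labels at once)."""
        self.filters[column] = set(values)
        return self

    def visible(self):
        """Rows passing the permission check and every active filter, sorted by severity then id."""
        rows = [
            e for e in self.events
            if (self.permitted_labels is None or e["label"] in self.permitted_labels)
            and all(e[col] in allowed for col, allowed in self.filters.items())
        ]
        return sorted(rows, key=lambda e: (SEVERITY_RANK[e["severity"]], e["id"]))

    def metrics(self, column):
        """Summary metrics are computed over the filtered view, so they change as filters change."""
        return dict(Counter(e[column] for e in self.visible()))

    def click_metric(self, column, value):
        """Clicking a metric value (e.g. Severity: low) applies it as a filter on that column."""
        return self.filter_column(column, value)
```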

Figure: Easily Filter Queue Items Using the Summary Metrics at the Top of the Page

The Analyst Queue layout and its flexible customization options are a major usability improvement over previous versions of the queue. These enhancements are all driven by the goal of reducing MTTR for the analyst in any way possible within the platform. Effective workload triage, where the most time-sensitive, highest-severity, or mission-critical events rise to the top of the queue, is a key preliminary step to reducing MTTR.

If you haven't experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free Community Edition.

Other articles in this series can be found here.