I would like to see if there is a way to get a report of the Triggered Alarms dashboard view. I cannot generate a report based on this view, and when I attempt to create a report I only get event filters, not actual ESM type categories or data fields.
Alarm name is whatever the various alarms were named. Summary is "field match alarm triggered", "Watchlist updated", "cyberthreat backtrace", etc.
So, essentially, there is no way to keep track of which technicians are acknowledging the most alarms then? No metrics or reporting on Read Only Views like Alarm acknowledgement activity, Device Status, Case Management, etc... ????!!!
Do you think it would be sufficient if an internal event was generated when the Reviewed button was clicked? I imagine it would include time, analyst and event which could be queried or included in reports.
Could be a feasible workaround, sure. This would entail changing process, as for now it is not standard practice to mark an event as reviewed. Also, this would make more work, as it forces the analyst to take a 2nd step. Instead of just double-clicking the alarm and going to Show Details, I would now have to have them filter on Sig ID and some other aggregate data set to pull the event up in the ESM events dashboard before being able to mark the EVENT as reviewed. Meanwhile, the alarm could continue to sit there unacknowledged anyway.