Help
FortiSOAR Discussions
ranjeet
New Contributor III

Created on ‎12-04-2024 04:14 AM

Clarification Needed on SLA Response Time Calculation

Hi @Community,

I have a question about Alert SLAs.

The SLA times in the template are:

Ack time: 60 minutes
Response time: 60 minutes

Here’s what happened:

An alert was created, and after 45 minutes, the analyst marked it as "Investigating", which met the Ack SLA. Then, the 60-minute Response timer started. After another 50 minutes, the analyst marked the alert as "Closed".

However, the system shows the total response time as 1 hour 35 minutes (from when the alert was created to when it was closed). But we expected the response time to be only 50 minutes because alert was closed 10 minutes before the set response time. Now in this case based on the response SLA set (60 mins) the response time shown is 1 hour 35 minutes which does not sound correct. In the dashboard and the report when the response time is calculated it will not match the SLA set.


Can anyone explain why the system shows 1 hour 35 minutes instead of 50 minutes? What’s the logic behind this SLA process?

161
0 Kudos
2 REPLIES 2
akashj
New Contributor II

Created on ‎12-04-2024 06:33 AM

The Response time is calculated from the time the Alert is Created not from the time it is acknowledged.so in your case its 45 mins +50 min = 95 mins = 1hour 35 mins.

Akash J
Akash J
147
0 Kudos
schaudhari
Staff
Staff

Created on ‎12-04-2024 10:34 PM

Hi Ranjeet,
By default create date is considered while canculating the SLA times. You can change the setting using "Reset_SLA" Global variable.
If this Global variable is set to "true" then the response start and end time is recaclulated when the Alert/Incident is Acknowledged.
Example;
Consider Ack time is 10 mins and Response time is 20 Min

Case-1:
Alert create time = 5 Dec 2024 11:10 AM and Reset_SLA = false
then Ack due date = 5 Dec 2024 11:20 AM
response due date = 15 Dec 2024 11:40 AM
If Alert is acknowledged at 5 Dec 2024 11:15 AM
then response due date is set to 15 Dec 2024 11:40 AM


Case-2:
Alert create time = 5 Dec 2024 11:10 AM and Reset_SLA = true
then Ack due date = 5 Dec 2024 11:20 AM
response due date = 15 Dec 2024 11:40 AM
If Ack is done at 5 Dec 2024 11:15 AM
then response due date = 15 Dec 2024 11:35 AM

However to show the recalculated "Time Taken To Response" on Widget, we will have to modify the widget.

120
0 Kudos
Announcements

Welcome to your new FortiSOAR Community!

View More

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.