SIRP Usage Analysis & Security Workflow Optimization
Comprehensive review of SIRP adoption, metrics, and security workflow maturity. Includes integration status for QRadar, CTM360, and Microsoft Defender.
SIRP Usage Analysis
Security Incident Response Platform: Adoption, Metrics & Optimization
Management Review | Q1 2026
SIRP Utilization by Function
Current platform adoption across active security workflows (QRadar: ~40% automatic ingestion, 60% manual handling)

| Workflow                   | Scope                                  | Utilization  | Adoption tier   |
|----------------------------|----------------------------------------|--------------|-----------------|
| Blocking IOCs              | FMC, WSA, Defender, EOP                | 95%          | High            |
| CTM360 Incidents           | ingestion, comment, takedown, closure  | 90%          | High            |
| QRadar Alerts              | 40% auto / 60% manual                  | 40%          | Partial         |
| Threat Intelligence        | malware advisories auto                | 40%          | Partial         |
| CTM360 Malware Logs        | ingestion only                         | 30%          | Partial         |
| Microsoft Defender         | ingestion & status limited             | 20%          | Partial         |
| Reported Phishing Emails   | ingestion only                         | 10%          | Minimal         |
| Phishing Playbook          | testing in progress                    | 0%           | Not operational |
| Quarantined Emails         | workflow not finalized                 | 0%           | Not operational |
| MS Defender Unknown Alerts | under review                           | Under Review | Under review    |
Pending Tasks & Open Issues
Items requiring resolution or follow-up
Pending Tasks
- Phishing analysis reports to be shared via email with a unique ID/subject; no timeline set
- Cannot add comments or change closure status on Defender Unknown alerts or on alerts linked to an incident
- Quarantine Email Workflow details: query sent to Ali Murtaza (Rewterz), awaiting response
- Phishing playbook created for testing; blocking action not yet enabled
- Special character issue in SIRP tickets
- WSA URL pattern finalization pending
- Cisco Duo and NDR integration with SIRP: not yet completed
- AnyRun file testing issue with special-character filenames when submitted via SIRP
- Email addresses found in email bodies are not being ingested into SIRP as artifacts
- CTM360 Malware Logs: inconsistent timestamps; commenting, takedown and closure blocked due to missing API support
Not Provisioned / Unsupported
- SARA AI Implementation: not supported by current solution
- MTTA / MTTH / MTTR Dashboards: not supported
- SLA Case Management: not supported
- Bulk Comment Functionality: not supported
Items in the 'Not Provisioned' column require platform upgrade or vendor roadmap alignment.
Adoption Patterns & Key Observations
What the data tells us about current SIRP usage
High Performing
IOC Blocking at 95% is the strongest use case. CTM360 incident lifecycle (90%+) is near-fully automated. These workflows are production-ready and delivering measurable value.
Partially Adopted
QRadar (40%) and Threat Intelligence (40%) show partial automation. Manual intervention still required for 60% of QRadar alerts. CTM360 Malware Logs limited to ingestion only (30%). Microsoft Defender integration remains at early stage (20%).
Low / No Adoption
Phishing pipeline (reported emails 10%, playbook 0%) and Quarantine Email workflow (0%) are not yet operational. Four key capabilities (SARA AI, MTTA/MTTR dashboards, SLA Case Management, Bulk Comments) are unsupported by the current platform version.
- 2 / 10 workflows fully adopted
- 4 / 10 workflows partially adopted
- 4 / 10 workflows with minimal or zero adoption
Recommended Actions
Strategic priorities to improve adoption, efficiency & measurable outcomes over the next 6–12 months
PHASE 1
Immediate (0–2 months)
Finalize Quarantine Email Workflow with Rewterz (Ali Murtaza)
Resolve special character issues in SIRP tickets and AnyRun file testing
Enable blocking action on Phishing Playbook and move to production
Fix email body artifact ingestion gap
PHASE 2
Short-Term (2–6 months)
Increase QRadar alert automation from 40% to 70%+ by refining rules
Complete Cisco Duo and NDR integrations
Finalize WSA URL pattern and expand Defender integration beyond ingestion
Establish clear SLA tracking mechanism (workaround until platform supports it natively)
PHASE 3
Strategic (6–12 months)
Engage SIRP vendor on roadmap for: SARA AI, MTTA/MTTR dashboards, SLA Case Management, Bulk Comments
Drive Phishing pipeline utilization to 60%+ end-to-end
Target 70%+ overall SIRP utilization across all active workflows
Establish monthly SIRP utilization KPI review for management
SIRP Optimization Roadmap | Security Operations
- cybersecurity
- security-operations
- sirp
- incident-response
- qradar
- automation-metrics
- threat-intelligence