Comprehensive and Detailed 150 to 250 words of Explanation From Exact Extract Google Security Operations Engineer documents:
Google Security Operations (SecOps) SOAR is designed to natively measure and report on key SOC performance metrics, including MTTR. This calculation is automatically derived from playbook case stages.
As a case is ingested and processed by a SOAR playbook, it moves through distinct, customizable stages (e.g., "Triage," "Investigation," "Remediation," "Closed"). The SOAR platform automatically records a timestamp for each of these stage transitions. The time deltas between these stages (e.g., the time from when a case entered "Triage" to when it entered "Remediation") are the raw data used to calculate MTTR and other KPIs.
This data is then aggregated and visualized in the built-in SecOps SOAR reporting and dashboarding features. This is the standard, out-of-the-box method for capturing these metrics. Option C describes a manual, redundant process of what case stages do automatically. Option D describes where the data might be viewed (Looker), but Option B describes the underlying mechanism for how the MTTR data is captured in the first place, which is the core of the question.
(Reference: Google Cloud documentation, "Google SecOps SOAR overview"; "Manage playbooks"; "Get insights from dashboards and reports")
