
Outcomes Navigator Coverage Calculation

Learn how Outcomes Navigator determines coverage levels for Exabeam features and applications, the MITRE Coverage Score, and the Use Case Coverage Score.

Outcomes Navigator calculates coverage for all Exabeam features and applications, the MITRE Coverage Score, and the Use Case Coverage Score at least once per day.

Outcomes Navigator calculates coverage using parsed fields, because a parsed field is data your environment has both received and parsed. Your environment, features, and applications can address a given use case or MITRE ATT&CK® technique only if they're configured to receive data relevant to that use case or ATT&CK technique and that data is parsed.[13]

Coverage levels for most Exabeam features and applications, except Advanced Analytics rules, are determined by the percentage of all possible parsed fields relevant to a use case or ATT&CK technique that your environment actively parses. The higher the percentage, the higher the coverage level; the lower the percentage, the lower the coverage level.

Therefore, to determine coverage levels, Outcomes Navigator must have two variables: the fields your environment actively parses for each use case and ATT&CK technique, and all possible parsed fields for each use case and ATT&CK technique.

To determine the fields your environment actively parses for each use case and ATT&CK technique, Outcomes Navigator finds the intersection between two data sets: all possible parsed fields relevant to each use case and ATT&CK technique and all fields your environment actively parses.

To determine all possible parsed fields relevant to each use case and ATT&CK technique, Outcomes Navigator maps all existing parsers to corresponding use cases and ATT&CK techniques.

To determine all actively parsed fields, Outcomes Navigator fetches a list of active parsers your environment has used in the past 30 days from Log Stream Parser Manager. By finding the intersection between all possible parsed fields for each use case and ATT&CK technique and all actively parsed fields, Outcomes Navigator determines the actively parsed fields for each use case and ATT&CK technique.
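The field intersection described above can be reproduced offline to see which fields are holding a technique's percentage down. The following is an added example, not Exabeam code: the parser names, field names, technique mapping, and function names are constructed assumptions, and it assumes a field counts as actively parsed when any parser used within the 30-day window produces it.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (assumption): not Exabeam's parser or field catalog.
PARSER_FIELDS = {
    "win-4688": {"process_name", "command_line", "user", "host"},
    "sysmon-1": {"process_name", "command_line", "parent_process", "hash"},
    "proxy-web": {"url", "user", "bytes_out"},
}
# Parsers mapped to each ATT&CK technique (constructed mapping).
TECHNIQUE_PARSERS = {
    "T1059": {"win-4688", "sysmon-1"},
    "T1041": {"proxy-web"},
}
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
# When each parser last handled an event (constructed).
PARSER_LAST_USED = {
    "win-4688": NOW - timedelta(days=2),
    "sysmon-1": NOW - timedelta(days=45),  # outside the 30-day window
    "proxy-web": NOW - timedelta(days=10),
}

def fields_of(parsers):
    """Union of the fields produced by the given parsers."""
    out = set()
    for name in parsers:
        out |= PARSER_FIELDS.get(name, set())
    return out

def active_parsers(last_used, now, window_days=30):
    """Parsers that were used within the look-back window."""
    cutoff = now - timedelta(days=window_days)
    return {name for name, ts in last_used.items() if ts >= cutoff}

def coverage(technique_parsers, last_used, now):
    """Per technique: percent of possible fields actively parsed, plus the gaps."""
    active_fields = fields_of(active_parsers(last_used, now))
    report = {}
    for tech, parsers in technique_parsers.items():
        possible = fields_of(parsers)
        parsed = possible & active_fields  # the intersection step
        pct = 100.0 * len(parsed) / len(possible) if possible else 0.0
        report[tech] = {"percent": round(pct, 1),
                        "missing": sorted(possible - parsed)}
    return report

if __name__ == "__main__":
    for tech, row in coverage(TECHNIQUE_PARSERS, PARSER_LAST_USED, NOW).items():
        print(tech, row)
```

The `missing` list is the actionable output: each entry is a field that only a parser outside the look-back window produces.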

Given all possible parsed fields and all actively parsed fields for each use case and ATT&CK technique, Outcomes Navigator calculates:




[13] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.