Outcomes Navigator Coverage Calculation
Learn how Outcomes Navigator calculates coverage scores for Exabeam features and applications and the frameworks with which you use Outcomes Navigator.
To help you understand how well your environment is configured to detect threats or meet compliance requirements, Outcomes Navigator calculates coverage scores at least once per day.
To calculate coverage scores, Outcomes Navigator uses parsed fields to find the prerequisite variables needed to calculate coverage. With these variables, Outcomes Navigator calculates the various coverage scores you see throughout Outcomes Navigator.
The Role of Parsed Fields in Coverage Calculation
Outcomes Navigator calculates coverage using parsed fields.
Your environment, features, and applications can address a given use case, MITRE ATT&CK® technique, or compliance control only if they're configured to receive data relevant to the use case, ATT&CK technique, or compliance control and that data is parsed. If the data isn't there or isn't parsed, it can't be used.[14]
Prerequisites for Calculating Coverage
Coverage scores for most Exabeam features and applications, except Advanced Analytics rules, are the percentage of all possible relevant parsed fields that your environment actively parses. The higher the percentage, the higher the coverage; the lower the percentage, the lower the coverage.
Therefore, to determine coverage, Outcomes Navigator must have two variables:
The fields your environment actively parses for each use case, ATT&CK technique, or compliance control
All possible parsed fields for each use case, ATT&CK technique, or compliance control
Determine Actively Parsed Fields
To determine the fields your environment actively parses for each use case, ATT&CK technique, or compliance control, Outcomes Navigator finds the intersection between two data sets:
All possible parsed fields relevant to each use case, ATT&CK technique, or compliance control
All fields your environment actively parses
To find this intersection, Outcomes Navigator fetches a list of active parsers your environment has used in the past 30 days from Log Stream Parser Manager.
Determine Possible Parsed Fields
To determine all possible parsed fields relevant to each use case, ATT&CK technique, or compliance control, Outcomes Navigator maps all existing parsers to corresponding use cases, ATT&CK techniques, and compliance controls.
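As an added illustration of the calculation described above (not Exabeam's code or data), the Python below takes a constructed parser-to-field catalogue, a constructed mapping of use cases and ATT&CK techniques to relevant fields, and constructed parser activity timestamps, keeps only parsers active in the page's 30-day window, and scores each item as the percentage of its relevant fields that are actively parsed.

```python
from datetime import datetime, timedelta, timezone

# Constructed catalogue of which fields each parser emits (hypothetical names,
# not Exabeam's real parser-to-field mapping).
PARSER_FIELDS = {
    "windows-security-4624": {"user", "src_ip", "host", "logon_type"},
    "windows-security-4688": {"user", "host", "process_name", "command_line"},
    "okta-auth": {"user", "src_ip", "outcome", "app"},
    "sysmon-1": {"host", "process_name", "command_line", "parent_process"},
}

# Constructed mapping of a use case or ATT&CK technique to the fields that
# address it (stands in for Outcomes Navigator's own mapping).
RELEVANT_FIELDS = {
    "Compromised Credentials": {"user", "src_ip", "outcome", "logon_type"},
    "T1059 Command and Scripting Interpreter": {"host", "process_name", "command_line", "parent_process"},
    "T1021 Remote Services": {"user", "src_ip", "dest_ip", "dest_host", "logon_type"},
}

ACTIVITY_WINDOW = timedelta(days=30)  # the page's "used in the past 30 days" rule

def active_parsers(last_seen, now, window=ACTIVITY_WINDOW):
    """Parsers that produced events within the window (the active-parser list)."""
    return {name for name, ts in last_seen.items() if now - ts <= window}

def actively_parsed_fields(parsers):
    """Union of the fields emitted by every active parser."""
    return set().union(*(PARSER_FIELDS.get(p, set()) for p in parsers))

def coverage_score(relevant, parsed):
    """Percentage of the relevant fields found in the actively parsed set."""
    if not relevant:
        return 0.0  # nothing to cover: avoid division by zero
    return 100.0 * len(relevant & parsed) / len(relevant)

def coverage_report(last_seen, now):
    """Coverage score per use case / technique, rounded to one decimal."""
    parsed = actively_parsed_fields(active_parsers(last_seen, now))
    return {name: round(coverage_score(rel, parsed), 1) for name, rel in RELEVANT_FIELDS.items()}

# Constructed sample: last time each parser produced an event.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
LAST_SEEN = {
    "windows-security-4624": NOW - timedelta(days=2),
    "windows-security-4688": NOW - timedelta(days=10),
    "okta-auth": NOW - timedelta(days=29),   # still inside the window
    "sysmon-1": NOW - timedelta(days=45),    # stale: its fields do not count
}

if __name__ == "__main__":
    for name, score in coverage_report(LAST_SEEN, NOW).items():
        print(f"{name}: {score}%")
```

Because the stale Sysmon parser is excluded, `parent_process` is never counted, so T1059 scores 75% even though a parser for it exists in the catalogue.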
Types of Coverage Scores
Outcomes Navigator uses the two prerequisite variables to calculate:
[14] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.