Advanced Analytics Rules Coverage Calculation
Learn how Outcomes Navigator calculates Advanced Analytics rules coverage for a given use case or MITRE ATT&CK® technique.[15]
[15] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.
Advanced Analytics rules coverage is a metric of how well your environment is configured so Advanced Analytics rules can detect a given use case or ATT&CK technique. At a glance, you can summarize the strength of Advanced Analytics rules detection without analyzing the numbers and details yourself.
To calculate Advanced Analytics rules coverage for a use case or ATT&CK technique, Outcomes Navigator uses rules that have all fields they require to trigger, also called a satisfied rule. Outcomes Navigator uses satisfied rules because a rule triggers only if it can evaluate all required fields; if the rule only evaluates some fields and not others, the rule doesn't trigger and, by definition, doesn't have coverage. A rule is considered satisfied for a given use case or ATT&CK technique if it meets two conditions:
All required fields were actively parsed in the past 30 days
All required fields are relevant to the use case or ATT&CK technique
Your Advanced Analytics rules coverage level for each use case is determined by the percentage of satisfied Advanced Analytics rules out of all Advanced Analytics rules.
Best – 75 to 100 percent of all Advanced Analytics rules that detect a given use case or ATT&CK technique are satisfied.
Better – 50 to 74 percent of all Advanced Analytics rules that detect a given use case or ATT&CK technique are satisfied.
Good – one to 49 percent of all Advanced Analytics rules that detect a given use case or ATT&CK technique are satisfied.
None – You don't have any satisfied rules for a given use case or ATT&CK technique.
Rules declare which fields are required in their attributes. An internal service maps your default and custom Advanced Analytics rules to use cases and ATT&CK techniques.
The percentage is calculated by:
where P is the percentage, SR is the number of satisfied rules, and ER is the total number of enabled Advanced Analytics rules.
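The two satisfaction conditions, the percentage and the tier thresholds described above, as an added Python example that is not Outcomes Navigator's own code. The rule list, parsed-field timestamps and use-case field set are constructed sample data, and counting ER as only the enabled rules mapped to the use case is an assumption.

```python
from datetime import datetime, timedelta, timezone
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed, fixed clock
PARSE_WINDOW = timedelta(days=30)
# Constructed: when each field was last actively parsed.
LAST_PARSED = {
    "src_host": NOW - timedelta(days=1),
    "dest_host": NOW - timedelta(days=3),
    "user": NOW - timedelta(days=2),
    "logon_type": NOW - timedelta(days=45),  # stale: outside the 30-day window
    "process_name": NOW - timedelta(days=1),
}
# Constructed: fields the rule-to-use-case mapping marks as relevant.
RELEVANT_FIELDS = {"src_host", "dest_host", "user", "logon_type"}
# Constructed rules mapped to the use case and the fields each requires.
RULES = [
    {"id": "AA-1", "enabled": True, "required_fields": ["src_host", "dest_host", "user"]},
    {"id": "AA-2", "enabled": True, "required_fields": ["user", "logon_type"]},    # stale field
    {"id": "AA-3", "enabled": True, "required_fields": ["user", "process_name"]},  # irrelevant field
    {"id": "AA-4", "enabled": True, "required_fields": ["dest_host"]},
    {"id": "AA-5", "enabled": False, "required_fields": ["user"]},                 # disabled: not counted
]

def is_satisfied(rule, last_parsed, relevant_fields, now=NOW):
    # Both page conditions: every required field parsed within 30 days,
    # and every required field relevant to the use case.
    for field in rule["required_fields"]:
        seen = last_parsed.get(field)
        if seen is None or now - seen > PARSE_WINDOW:
            return False
        if field not in relevant_fields:
            return False
    return True

def coverage_percent(rules, last_parsed, relevant_fields, now=NOW):
    # P = 100 * SR / ER. Assumption: ER counts only enabled rules mapped to the use case.
    enabled = [r for r in rules if r["enabled"]]
    sr = sum(is_satisfied(r, last_parsed, relevant_fields, now) for r in enabled)
    return (100.0 * sr / len(enabled) if enabled else 0.0), sr

def coverage_level(percent, satisfied_count):
    # Tiers from the page; "None" means no satisfied rule at all.
    if satisfied_count == 0:
        return "None"
    if percent >= 75:
        return "Best"
    return "Better" if percent >= 50 else "Good"

def evaluate_use_case():
    percent, sr = coverage_percent(RULES, LAST_PARSED, RELEVANT_FIELDS)
    return percent, sr, coverage_level(percent, sr)  # -> (50.0, 2, 'Better')
```

Two of the four enabled rules are satisfied (AA-2 fails on a field not parsed in 30 days, AA-3 on a field not relevant to the use case), so P is 50 percent and the level is Better.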
Keep in mind that Advanced Analytics rules coverage doesn't indicate whether your rules are triggering. Even if Advanced Analytics rules are satisfied and have all fields they require to trigger, those rules may still not trigger because event builder conditions aren't met, models aren't converging, or rule dependencies aren't met.
When calculating Advanced Analytics rules coverage, Outcomes Navigator correctly considers 98 to 99 percent of all default and custom Advanced Analytics rules. The remaining one to two percent of Advanced Analytics rules, including rules whose rule expressions include session-end or sequence-end events, currently provide only an approximate sense of coverage.