Correlation Rules Coverage Calculation
Learn how Outcomes Navigator calculates Correlation Rules coverage for a given use case or MITRE ATT&CK® technique[17].
Correlation Rules coverage is a metric of how well your environment is configured so Correlation Rules can detect a given use case or technique. At a glance, you can summarize the strength of Correlation Rules detection without analyzing the numbers and details yourself.
To calculate Correlation Rules coverage for a use case or technique, Outcomes Navigator uses correlation rules that have all fields they require to trigger, also called a satisfied rule. Outcomes Navigator uses satisfied rules because a rule triggers only if it can evaluate all required fields; if the rule only evaluates some fields and not others, the rule doesn't trigger and, by definition, doesn't have coverage. A rule is considered satisfied for a given use case if it meets two conditions:
- All required fields were actively parsed in the past 30 days
- All required fields are relevant to the use case or ATT&CK technique
Your Correlation Rules coverage score for each use case or technique is the percentage of satisfied correlation rules out of all enabled correlation rules.
Correlation rules declare which fields are required in their conditions. An internal service maps your default and custom correlation rules to use cases and ATT&CK techniques.
The percentage is calculated as P = (SR / ER) × 100, where P is the percentage, SR is the number of satisfied rules, and ER is the total number of enabled correlation rules.
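The two satisfaction conditions and the P = SR / ER × 100 calculation, worked through on constructed data as an added example. This is not Exabeam's code and does not reflect how the internal mapping service or the coverage engine is implemented; the rule records, the field-to-technique relevance table, the parse timestamps and the assumption that ER counts only the enabled rules mapped to the target use case or technique are all illustrative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CorrelationRule:
    """Hypothetical rule record: the fields its condition requires, the use
    cases / ATT&CK techniques it is mapped to, and whether it is enabled."""
    name: str
    required_fields: frozenset
    mapped_to: frozenset
    enabled: bool = True


PARSE_WINDOW = timedelta(days=30)  # "actively parsed in the past 30 days"


def missing_requirements(rule, target, last_parsed, relevant_fields, now):
    """Return {field: reason} for every required field that stops the rule
    from being satisfied for `target`. reason is one of 'not parsed',
    'stale' (last parse older than 30 days) or 'not relevant' (parsed
    recently, but not a field that matters for this use case/technique)."""
    problems = {}
    relevant = relevant_fields.get(target, frozenset())
    for f in sorted(rule.required_fields):
        ts = last_parsed.get(f)
        if ts is None:
            problems[f] = "not parsed"
        elif now - ts > PARSE_WINDOW:
            problems[f] = "stale"
        elif f not in relevant:
            problems[f] = "not relevant"
    return problems


def is_satisfied(rule, target, last_parsed, relevant_fields, now):
    """Both conditions hold: every required field parsed in the window
    AND every required field relevant to the target."""
    return not missing_requirements(rule, target, last_parsed, relevant_fields, now)


def coverage_score(rules, target, last_parsed, relevant_fields, now):
    """P = SR / ER * 100. Assumption: ER counts enabled rules mapped to
    `target`; disabled rules are excluded. Returns (P, SR, ER)."""
    enabled = [r for r in rules if r.enabled and target in r.mapped_to]
    er = len(enabled)
    if er == 0:
        return 0.0, 0, 0  # nothing mapped: no score rather than a divide-by-zero
    sr = sum(1 for r in enabled
             if is_satisfied(r, target, last_parsed, relevant_fields, now))
    return round(sr / er * 100, 1), sr, er


# ---- constructed sample data (not from any real deployment) ----
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Most recent time each field was produced by a parser.
LAST_PARSED = {
    "src_ip": NOW - timedelta(days=2),
    "user": NOW - timedelta(days=1),
    "dest_host": NOW - timedelta(days=45),   # stale: outside the 30-day window
    "process_name": NOW - timedelta(days=3),
    # "command_line" has never been parsed
}

# Which fields are considered relevant to each technique (illustrative).
RELEVANT_FIELDS = {
    "T1110": frozenset({"src_ip", "user", "dest_host"}),
    "T1059": frozenset({"user", "process_name", "command_line"}),
}

RULES = [
    CorrelationRule("Failed logons from one IP", frozenset({"src_ip", "user"}),
                    frozenset({"T1110"})),                               # satisfied
    CorrelationRule("Password spray across hosts", frozenset({"src_ip", "user", "dest_host"}),
                    frozenset({"T1110"})),                               # dest_host stale
    CorrelationRule("Logon followed by odd process", frozenset({"user", "process_name"}),
                    frozenset({"T1110"})),                               # process_name not relevant to T1110
    CorrelationRule("Legacy lockout rule", frozenset({"user"}),
                    frozenset({"T1110"}), enabled=False),                # disabled: not in ER
    CorrelationRule("Suspicious script interpreter", frozenset({"user", "process_name"}),
                    frozenset({"T1059"})),                               # satisfied
    CorrelationRule("Process from temp dir", frozenset({"process_name"}),
                    frozenset({"T1059"})),                               # satisfied
    CorrelationRule("Encoded command line", frozenset({"process_name", "command_line"}),
                    frozenset({"T1059"})),                               # command_line never parsed
]

if __name__ == "__main__":
    for technique in ("T1110", "T1059"):
        p, sr, er = coverage_score(RULES, technique, LAST_PARSED, RELEVANT_FIELDS, NOW)
        print(f"{technique}: P = {sr}/{er} * 100 = {p}%")
        for r in RULES:
            if r.enabled and technique in r.mapped_to:
                gaps = missing_requirements(r, technique, LAST_PARSED, RELEVANT_FIELDS, NOW)
                print(f"  {r.name}: {'satisfied' if not gaps else gaps}")
```

The `missing_requirements` breakdown is the part worth keeping around: a score of 33.3% on its own says little, but knowing that one rule is blocked by a field that stopped parsing 45 days ago and another by a field that is parsed but not relevant to the technique tells you which parser or rule mapping to look at first.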
When calculating Correlation Rules coverage, Outcomes Navigator accurately accounts for 98 to 99 percent of all default and custom correlation rules. For the remaining one to two percent, including rules whose rule expressions include session-end or sequence-end events, the score currently provides only an approximate sense of coverage.
[17] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.