- Get Started with Outcomes Navigator
- Use Outcomes Navigator from a MITRE ATT&CK® Perspective
- Use Outcomes Navigator from a Threat Detection, Investigation, and Response (TDIR) Use Case Categories Perspective
- View Recommendations for Improving Your Configuration
- Share Information in Outcomes Navigator
- Outcomes Navigator Coverage Calculation
- Outcomes Navigator Parser Calibration Tier Average Calculation
Correlation Rules Coverage Calculation
Learn how Outcomes Navigator calculates Correlation Rules coverage for a given use case or MITRE ATT&CK® technique[16].
Correlation Rules coverage is a metric of how well your environment is configured so Correlation Rules can detect a given use case or technique. At a glance, you can summarize the strength of Correlation Rules detection without analyzing the numbers and details yourself.
To calculate Correlation Rules coverage for a use case or technique, Outcomes Navigator uses correlation rules that have all fields they require to trigger, also called a satisfied rule. Outcomes Navigator uses satisfied rules because a rule triggers only if it can evaluate all required fields; if the rule only evaluates some fields and not others, the rule doesn't trigger and, by definition, doesn't have coverage. A rule is considered satisfied for a given use case if it meets two conditions:
All required fields were actively parsed in the past 30 days
All required fields are relevant to the use case or ATT&CK technique
Your Correlation Rules coverage score for each use case or technique is the percentage of satisfied correlation rules out of all correlation rules.
Correlation rules declare which fields are required in their conditions. An internal service maps your default and custom correlation rules to use cases and ATT&CK techniques.
The percentage is calculated by:
where P is the percentage, SR is the number of satisfied rules, and ER is the total number of enabled correlation rules.
When calculating Correlation Rules coverage, Outcomes Navigator correctly considers 98 to 99 percent of all default and custom correlation rules. The remaining two to one percent of correlation rules, including rules whose rule expressions include session-end or sequence-end events, currently provide an approximate sense of coverage.
[16] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.