Outcomes NavigatorOutcomes Navigator Guide

Learn how Outcomes Navigator calculates Correlation Rules coverage for a given use case or MITRE ATT&CK^® technique^[16].

Correlation Rules coverage is a metric of how well your environment is configured so Correlation Rules can detect a given use case or technique. At a glance, you can summarize the strength of Correlation Rules detection without analyzing the numbers and details yourself.

To calculate Correlation Rules coverage for a use case or technique, Outcomes Navigator uses correlation rules that have all fields they require to trigger, also called a satisfied rule. Outcomes Navigator uses satisfied rules because a rule triggers only if it can evaluate all required fields; if the rule only evaluates some fields and not others, the rule doesn't trigger and, by definition, doesn't have coverage. A rule is considered satisfied for a given use case if it meets two conditions:

Your Correlation Rules coverage score for each use case or technique is the percentage of satisfied correlation rules out of all correlation rules.

Correlation rules declare which fields are required in their conditions. An internal service maps your default and custom correlation rules to use cases and ATT&CK techniques.

The percentage is calculated by:

where P is the percentage, SR is the number of satisfied rules, and ER is the total number of enabled correlation rules.

When calculating Correlation Rules coverage, Outcomes Navigator correctly considers 98 to 99 percent of all default and custom correlation rules. The remaining two to one percent of correlation rules, including rules whose rule expressions include session-end or sequence-end events, currently provide an approximate sense of coverage.