- Get Started with Outcomes Navigator
- Use Outcomes Navigator from a MITRE ATT&CK® Perspective
- Use Outcomes Navigator from a Threat Detection, Investigation, and Response (TDIR) Use Case Categories Perspective
- View Recommendations for Improving Your Configuration
- Share Information in Outcomes Navigator
- Outcomes Navigator Coverage Calculation
- Outcomes Navigator Parser Calibration Tier Average Calculation
MITRE Coverage Score
Quickly understand the efficacy of your configuration in protecting against MITRE ATT&CK® techniques.[14].
The MITRE Coverage Score is a metric of how well your environment as a whole is configured to protect against ATT&CK techniques. At a glance, you can summarize the strength of your protection without analyzing the numbers and details yourself.
THE MITRE Coverage Score may describe all techniques or a specific technique.
Overall MITRE ATT&CK Coverage Score
The overall MITRE ATT&CK Coverage Score is a metric of how well your environment is configured to protect against all techniques across the board.
The score is determined by the average MITRE Coverage Score across all unhidden techniques:
Best – The average MITRE Coverage Score across all unhidden techniques is 75 to 100.
Better – The average MITRE Coverage Score across all unhidden techniques is 50 to 74.
Good – The average MITRE Coverage Score across all unhidden techniques is one to 49.
None – Your environment wasn't able to calculate an overall MITRE ATT&CK Coverage Score.
The average is calculated by:
where A is the average, S is the sum of all MITRE Coverage Scores across all unhidden techniques, and N is the total number of all unhidden techniques.
The overall MITRE Coverage Score is calculated once per day.
You can view your overall MITRE ATT&CK Coverage Score, when it was last calculated, and a chart depicting trends in the score over a one-month, three-month, or six-month period in a summary of your ATT&CK coverage.
If the chart depicts the overall MITRE ATT&CK Coverage Score over a one-month period, each bar represents the average overall MITRE ATT&CK Coverage Score for a given a week. This average is calculated by:
where A is the average MITRE ATT&CK Coverage Score for a given week, S is the sum of daily overall MITRE ATT&CK Coverage Scores calculated in the week, and N is the number of times the daily overall MITRE ATT&CK Coverage has been calculated in a given week.
If the chart depicts the overall MITRE ATT&CK Coverage Score over a three-month or six-month period, each bar represents the average overall MITRE ATT&CK Coverage Score for a given month. This average is calculated by:
where A is the average MITRE ATT&CK Coverage Score for a given month, S is the sum of weekly overall MITRE ATT&CK Coverage Scores calculated in the month, and N is the number of times the weekly overall MITRE ATT&CK Coverage Score has been calculated in a given month.
MITRE Coverage Score for a Specific ATT&CK Technique
The MITRE Coverage Score for a specific technique is a metric of how well your environment as a whole is configured to protect against a specific technique.
The MITRE Coverage Score aggregates the coverage levels of all Exabeam applications or features Outcomes Navigator assesses, including Advanced Analytics rules, correlation rules, analytics rules, and Dashboards. Your score for a given ATT&CK technique is determined by the percentage of possible parsed fields across all Exabeam applications or features that your environment actively parses:
Best – Your environment actively parses 75 to 100 percent of all possible parsed fields relevant to the ATT&CK technique.
Better – Your environment actively parses 50 to 74 percent of all possible parsed fields relevant to the ATT&CK technique.
Good – Your environment actively parses one to 49 percent of all possible fields relevant to the ATT&CK technique.
None – Your environment doesn't parse any fields relevant to the ATT&CK technique.
To determine the fields your environment actively parses across all Exabeam applications or features for a given use case, Outcomes Navigator takes the union of all possible parsed fields across Exabeam applications or features and compares it to the fields your environment actively parses for the ATT&CK technique.
The percentage is calculated by:
where P is the percentage, A is the number of fields your environment actively parses across all Exabeam applications or features for the ATT&CK technique, and U is the number of fields in the union of all possible parsed fields across Exabeam applications or features for the ATT&CK technique.
Since the MITRE Coverage Score is based on the amount and quality of data, the best way to improve your score is to configure a wider variety of relevant products and ensure the values in the logs from those products are fully extracted. Follow recommendations to improve your MITRE Coverage Score directly in Outcomes Navigator. You can view recommendations only if you have a license that includes Advanced Analytics.
[14] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.