Outcomes Navigator Parser Calibration Tier Average Calculation
Learn how Outcomes Navigator determines the Parser Calibration Tier Average for each product.
Because a product has many related parsers, Outcomes Navigator assigns each product a Parser Calibration Tier by averaging the Parser Calibration Tiers across that product's parsers.
The calculation process follows three steps:
1. Determine the Parser Calibration Tier for each parser of a product
For each parser of a given product, Outcomes Navigator determines how well the parser has extracted data that complies with CDI methodology for the last 24 hours. This is measured by the ratio of CDI fields the parser extracts from an event to the total number of CDI fields an event contains.
The ratio is calculated by:
where R is the ratio, EF is the number of CDI fields a related parser extracted from an event from the past 24 hours, and TF is the total number of CDI fields an event contains.
2. Find the average Parser Calibration Tier
Then, Outcomes Navigator averages these ratios. To calculate the average, Outcomes Navigator sums the ratios across all parsers and divides the sum by the total number of parsers, excluding those parsers for which the ratio is zero.
The average is calculated by:
where A is the average, R is the ratio of extracted CDI fields to total CDI fields for a parser, and N is the total number of parsers, excluding those parsers for which the ratio is zero.
3. Assign a Parser Calibration Tier Average
According to the average ratio, Outcomes Navigator assigns the product a Parser Calibration Tier Average:
Tier 1 – The average ratio is 1.5 or below; the product's logs are parsed, events are built, and the events contain a large number of CDI fields.
Tier 2 – The average ratio is 1.6 to 2.5; the product's logs are parsed, events are built, and the events contain at least some CDI fields.
Tier 3 – The average ratio is 2.6 to 3.5; the product's logs are parsed but they do not meet the CDI-required criteria to build events.
Tier 4 – The average ratio is 3.6 or above; the product's logs aren't parsed but you can still use them in Search and Correlation Rules.