Outcomes Navigator Parser Calibration Tier Average Calculation
Learn how Outcomes Navigator determines the Parser Calibration Tier Average for each product.
Because a product has many related parsers, Outcomes Navigator assigns a product its Parser Calibration tier by averaging the Parser Calibration tiers across the parsers for that product.
First, for each parser of a given product, Outcomes Navigator determines how well, over the last 24 hours, the parser extracted data that complies with the CDI methodology. This is measured as the ratio of the CDI fields the parser extracts from an event to the total number of CDI fields the event contains. Mathematically it is calculated by:
where R is the ratio, EF is the number of CDI fields a related parser extracted from an event from the past 24 hours, and TF is the total number of CDI fields an event contains.
Then, Outcomes Navigator averages these ratios. To calculate the average, Outcomes Navigator sums the ratios across parsers and divides the sum by the total number of parsers, excluding those parsers for which the ratio is zero. This is calculated by:
where A is the average, R is the ratio of extracted CDI fields to total CDI fields for a parser, and N is the total number of parsers, excluding those parsers for which the ratio is zero.
According to the average ratio, Outcomes Navigator assigns the product a Parser Calibration Tier Average:
- Tier 1 – The average ratio is 1.5 or below; the product's logs are parsed, events are built, and the events contain a large number of CDI fields.
- Tier 2 – The average ratio is 1.6 to 2.5; the product's logs are parsed, events are built, and the events contain at least some CDI fields.
- Tier 3 – The average ratio is 2.6 to 3.5; the product's logs are parsed but they do not meet the CDI-required criteria to build events.
- Tier 4 – The average ratio is 3.6 or above; the product's logs aren't parsed but you can still use them in Search and Correlation Rules.
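The calculation described above, worked through in code. This is an added illustration, not Outcomes Navigator's own implementation: it assumes the per-parser ratio is R = EF / TF as the prose defines it, that parsers with a ratio of zero are left out of the average, and that the tier bands are applied to the resulting average exactly as listed. The parser names and field counts are constructed sample data.

```python
"""Added example (not Exabeam's code): compute a product's Parser Calibration
Tier Average from per-parser CDI field counts, following the page's description.

Assumptions not written as formulas on the page: R = EF / TF per parser,
parsers with R == 0 are excluded from the average, and the average is mapped
to the tier bands with their stated 1.5 / 2.5 / 3.5 boundaries.
"""
from typing import Dict, Tuple


def parser_ratio(extracted_fields: int, total_fields: int) -> float:
    """R = EF / TF for one parser over the 24-hour window.

    A parser whose events carried no CDI fields at all (TF == 0) cannot have
    extracted any, so its ratio is 0 rather than a division error.
    """
    if total_fields <= 0:
        return 0.0
    if extracted_fields < 0 or extracted_fields > total_fields:
        raise ValueError("EF must lie between 0 and TF")
    return extracted_fields / total_fields


def tier_average(parsers: Dict[str, Tuple[int, int]]) -> float:
    """A = sum(R) / N, where N counts only parsers whose ratio is non-zero.

    `parsers` maps parser name -> (EF, TF). When every parser has a zero
    ratio there is nothing to average (N would be 0), so 0.0 is returned
    instead of raising ZeroDivisionError.
    """
    ratios = [parser_ratio(ef, tf) for ef, tf in parsers.values()]
    nonzero = [r for r in ratios if r > 0]
    if not nonzero:
        return 0.0
    return sum(nonzero) / len(nonzero)


def tier_for_average(average: float) -> int:
    """Map the average to the page's tier bands.

    The page lists the bands in tenths (1.5 or below, 1.6 to 2.5, ...);
    values that fall between two stated edges, such as 1.55, are placed in
    the higher tier here, which is an assumption of this example.
    """
    if average <= 1.5:
        return 1
    if average <= 2.5:
        return 2
    if average <= 3.5:
        return 3
    return 4


def calibrate(parsers: Dict[str, Tuple[int, int]]) -> Tuple[float, int]:
    """Return (average ratio, Parser Calibration Tier Average) for a product."""
    average = tier_average(parsers)
    return average, tier_for_average(average)


# Constructed sample: parser name -> (EF, TF) seen over the last 24 hours.
SAMPLE_PRODUCT = {
    "firewall-syslog": (8, 10),   # R = 0.8
    "firewall-cef": (5, 10),      # R = 0.5
    "firewall-legacy": (0, 10),   # R = 0.0, excluded from the average
}

if __name__ == "__main__":
    avg, tier = calibrate(SAMPLE_PRODUCT)
    print(f"average ratio = {avg:.3f}, Parser Calibration Tier Average = {tier}")
```

Two points worth checking in your own data before trusting a tier: a parser that extracted nothing in the window is dropped from N, so a product with a single working parser and several silent ones can still average well; and because EF can never exceed TF, a ratio defined as EF / TF stays within 0 to 1, so the exact quantity the product averages against the 1.5 / 2.5 / 3.5 boundaries should be confirmed from the vendor's own definition rather than from this reading alone.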