View Recommendations for Improving Your Configuration
After you assess the current configuration of your environment, follow recommended steps to fill the gaps.
Under the View Use Case Details or View Outcomes by MITRE ATT&CK® Tactics and Techniques > Recommendations tab, view suggestions on improving how well your environment protects against a given use case or MITRE ATT&CK® technique. Review whether logs are parsed correctly and what products you should configure next. You're also reminded to ensure critical events aren't filtered.[7]
To navigate to the Recommendations tab, in Explore Exabeam Content Through These Portals, hover over a use case or ATT&CK technique, click See Details, then select the Recommendations tab.
Ensure logs are parsed correctly
Under Products should strive for Parser Calibration Tier Average 1, view the products you configured that have low Parser Calibration Tier Averages in tiers two, three, or four.
Your goals and how you use Exabeam determine which Parser Calibration Tier Average you need. For example, if you only want to search raw logs, the logs don't need to be parsed and a lower Parser Calibration Tier Average is sufficient. If you want rules to work properly and train on the correct data, Outcomes Navigator suggests that your products have a Parser Calibration Tier Average of one or two.
To improve your Parser Calibration Tier Average for a product:
Next to the product, click the More menu, then select Improve Parsing. You're directed to Log Stream Parser Manager. A filter is applied so you only view parsers that correspond to your product. To review the fields a parser attempts to extract, to verify that the most recently extracted fields and values are correct, or to view updates and enablements associated with a parser, view parser details.
Consult the Common Information Model Library to determine what additional fields you require.
Use Live Tail to validate that the parser is extracting the field values necessary to satisfy the CDI methodology from the raw log.
Use Live Tail to examine the event builder definition and ensure it's configured to build an event correctly.
If, after investigating a product, you decide not to improve its Parser Calibration Tier Average, you can change its action status and mark it as reviewed.
Configure products in more product categories
Under Add products from these categories, view the top five product categories that could most improve your configuration and for which you haven't configured any products.
In Outcomes Navigator's approach, you improve your protection against a use case most significantly when you configure at least one product in each product category. Different products provide different data. If you configure at least one product in each product category, you provide Exabeam features and applications with a broad data set to work with. A product in one product category may also fall under other product categories, so when you configure just one additional product, you may bolster your protection against multiple use cases.
Ensure critical events aren't filtered
Under Ensure events are not filtered, you're reminded to verify that the events you need are being created, contain the correct data, and are being processed correctly.
Logs and events may get filtered out as they're ingested because of three main problems: the source isn't sending logs, the logs aren't reaching Exabeam, or events are created but aren't reaching Exabeam threat detection capabilities. To ensure logs and events aren't filtered, verify whether any of these problems affect your environment.
Your product isn't sending logs
If Exabeam isn't receiving logs, it isn't getting the data it needs to properly detect use cases. To verify that your product sends logs:
Ensure the necessary components are licensed and enabled on your devices.
Ensure the incidents that generate logs are actually happening and are logged.
Ensure your device is turned on.
Verify your device settings are configured to send logs.
Logs aren't reaching Exabeam
Even if your products send logs, they might not reach Exabeam. To verify that logs reach Exabeam:
Ensure your SIEM is forwarding all fields to Exabeam.
Ensure the rules on your firewall aren't blocking events. Your firewall could be blocking events if you haven't received alerts for four to six hours.
Ensure your cloud agents, like Amazon AWS, have the necessary permissions or roles to access all events.
Verify Cloud Connectors are working correctly and troubleshoot error codes using the vendor's API documentation. If there is an issue with API permissions, contact Exabeam Customer Success.
Events aren't reaching threat detection capabilities
Exabeam may receive logs and create events, but the events may not reach Exabeam threat detection capabilities. To ensure events reach threat detection capabilities:
Use Live Tail to ensure Log Stream and event builders are correctly extracting key fields from logs.
Ensure Event Selection is filtering the correct events.
[7] MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation ("MITRE"). Exabeam is not affiliated with or sponsored or endorsed by MITRE. Nothing herein is a representation of the views or opinions of MITRE or its personnel.