Visibility Dashboards

  • Updated
In this article:

    Ingestion Analytics

    With Resolution Intelligence's ingestion health dashboard, you can monitor the data ingested from sources - Microsoft Azure, Amazon Cloud trail, and Google Chronicle and quickly understand the type and amount of data we have.

    The following steps help you how to visualize Ingestion health of Chronicle data in Resolution Intelligence.

    1. From the Home screen, navigate to Visibility --> Ingestion Health
    2. In Ingestion health, the following tabs are available.
      • Log Type Health - Health of data that is ingested from the log type
      • Log Source Health - Health of data that is ingested from the log source which is derived from log type
      • Usage Reports - Number of users monitored per each day

    Understanding the amount of ingested

    Resolution Intelligence dashboards enable you know the amount of data ingested into Chronicle.

    In Log Type Health, the following insights are enabled:

    • The number of events distributed per log type
    • The percentage of throughput distribution per log type
    • The amount of space occupied per each log type at definite intervals of time
    • The status of events generated on each day

    The metrics displayed in the following chart gives you details on 

    • Total Entry Count                   -  Total number of raw events ingested from source into Chronicle
    • Total Normalized Events        -  Total number of raw events normalized into UDM format
    • Total Parsing Error Count       -  Total number events that are failed to meet the parsing criteria in Chronicle
    • Total Validation Error Count   -  Total number of events for which all mandatory UDM fields are not                                                                                               parsed. Refer mandatory fields for each UDM event type
    • Total Errors                             -  Sum of Parsing errors and validation errors

    mceclip0.png

    In Log Source Health, the following insights are enabled :

    • The total number of events generated for each log source
    • The time at which the events are generated
    • The product and vendor name that an event belongs to

    Picture2.png

    In Usage Reports, the following insights are enabled:

    • The number of users logged in Resolution Intelligence Cloud for the first time and last seen
    • The time at which the logs are collected
    • The total number of detection rules applied on each log source

    Detection Coverage

    To view detection coverage dashboard,

    • From the Home screen, navigate to Visibility --> Detection Coverage

    The following Detection Coverage heatmap enables you to know

    • The percentage of rules can be detected against MITRE tactics & techniques matrix based on the data that you ingest into your Chronicle account.
    • The amount of quality data that you have currently which in turn helps you to ingest sufficient data sources to enhance the rule detection against MITRE tactics & techniques matrix

    Picture6.png

    Picture25.pngGray : 1-25%           Picture26.pngLight Pink: 26-50%   Picture27.pngLight Violet: 51-75%    Picture28.pngMild Violet: 76-99%  

    Picture29.pngDark Violet: 100%

    For example,

    The dashboard shows a detection rule is mapped to the technique (Active Scanning) under the tactic (Reconnaissance) and the ingested data from log type matches the defined rule that means the 100% of coverage detected.

    Picture3.png
    Filtering Detection Coverage dashboard

    Resolution Intelligence has the capability to customize the detection coverage dashboard based on the log source type that you select while ingesting the data and the platform from which the data is ingested.

    By Log Source

    To view the dashboard by log source type,

    1. From the Detection Coverage screen, click Picture30.pngat the right of your dashboard. A filter window appears
    2. Select the LogSource (s) from the dropdown. For example, select DNS, DHCP, and EDR
    3. Click Apply

    Picture4.png

    By Platform

    To view the dashboard by platform,

    1. From the Detection Coverage screen, click Picture30.pngat the right of your dashboard. A filter window appears
    2. Select the Platform (s) from the dropdown. For example, select Azure AD, Containers, and Google Workspace
    3. Click Apply

    Note: You can filter the dashboard either by platform or by log source or both at a time.

    Picture5.png

    View by Threat Actors

    Detection Coverage dashboard can be customized according to the different threat actors by choosing one or more threat actors.

    To view the dashboard by Threat Actors,

    1. From the Detection Coverage screen, clickPicture31.png just above the dashboard
    2. Select One or More threat actors displayed in the window
    3. Click Apply

    Picture7.png

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.