Visibility Dashboards

  • Updated

    Ingestion Analytics

    With Resolution Intelligence's ingestion health dashboard, you can monitor the data ingested from sources - Microsoft Azure, Amazon Cloud trail, and Google Chronicle and quickly understand the type and amount of data we have.

    The following steps help you to visualize the Ingestion health of Chronicle data in Resolution Intelligence.

    1. From the Home screen, navigate to Visibility --> Ingestion Health
    2. In Ingestion Health, the following tabs are available.
      • Log Type Health - Health of data that is ingested from the log type
      • Log Source Health - Health of data that is ingested from the log source which is derived from log type
      • Usage Reports - Number of users monitored per each day

    Understanding the amount of data ingested

    Resolution Intelligence dashboards enable you to know the amount of data ingested into the Chronicle.

    In Log Type Health, the following insights are enabled:

    • The number of events distributed per log type
    • The percentage of throughput distribution per log type
    • The amount of space occupied per each log type at definite intervals of time
    • The status of events generated on each day

    The metrics displayed in the following chart give you details on 

    • Total Entry Count                   -  Total number of raw events ingested from source into Chronicle
    • Total Normalized Events        -  Total number of raw events normalized into UDM format
    • Total Parsing Error Count       -  Total number of events that are failed to meet the parsing criteria in Chronicle
    • Total Validation Error Count   -  Total number of events for which all mandatory UDM fields are not parsed. Refer to mandatory fields for each UDM event type
    • Total Errors                             -  Sum of Parsing errors and validation errors

    mceclip0.png

    In Log Source Health, the following insights are enabled :

    • The total number of events generated for each log source
    • The time at which the events are generated
    • The product and vendor name that an event belongs to

    Picture2.png

    In Usage Reports, the following insights are enabled:

    • The number of users logged in Resolution Intelligence Cloud for the first time and last seen
    • The time at which the logs are collected
    • The total number of detection rules applied on each log source

    Detection Coverage

    To view the detection coverage dashboard,

    • From the Home screen, navigate to Visibility --> Detection Coverage

    The following Detection Coverage heatmap enables you to know

    • The percentage of rules can be detected against the MITRE tactics & techniques matrix based on the data that you ingest into your Chronicle account.
    • The amount of quality data you have, helps to ingest sufficient data sources to enhance the rule detection against MITRE tactics & techniques matrix.

    The color gradient bar at the top right corner in the above figure indicates the coverage percentage of rules detection from MITRE matrix.

    Example:

    The dashboard shows a detection rule is mapped to the technique (Active Scanning) under the tactic (Reconnaissance) and the ingested data from log type matches the defined rule (only a single rule is defined) which means 100% of coverage detected. The number of rules may differ from tactic to tactic, technique to technique, and sub-technique to sub-technique.

    Click any tile shown in the detection coverage page to delve more details (type and number of rules available for detection, ID, permissions required, available data sources, and type of platforms) of that specific sub-technique. To know what rules are used for detection, click the digit left to Detection Rules available as shown in the following figure.

    Filtering Detection Coverage dashboard

    Resolution Intelligence has the capability to customize the detection coverage dashboard based on the log source type that you select while ingesting the data and the platform from which the data is ingested.

    By Log Source

    To view the dashboard by log source type,

    1. From the Detection Coverage screen, click Picture30.pngat the right of your dashboard. A filter window appears
    2. Select the LogSource (s) from the dropdown. For example, select DNS, DHCP, and EDR
    3. Click Apply

    Picture4.png

    By Platform

    To view the dashboard by platform,

    1. From the Detection Coverage screen, click Picture30.pngat the right of your dashboard. A filter window appears
    2. Select the Platform (s) from the dropdown. For example, select Azure AD, Containers, and Google Workspace
    3. Click Apply

    Note: You can filter the dashboard either by platform or by log source or both at a time.

    Picture5.png

    View by Threat Actors

    Detection Coverage dashboard can be customized according to the different threat actors by choosing one or more threat actors.

    To view the dashboard by Threat Actors,

    1. From the Detection Coverage screen, clickPicture31.png just above the dashboard
    2. Select One or More threat actors displayed in the window
    3. Click Apply

    Picture7.png

     

    Related articles

    Comments

    0 comments

    Please sign in to leave a comment.