This article describes the ingestion health and detection coverage dashboards, including the log source, log type and usage reports, and the percentage of detection rules covered against the MITRE matrix.
Ingestion Analytics
With Resolution Intelligence Cloud's ingestion health dashboard, you can monitor the data ingested from sources such as Microsoft Azure, Amazon CloudTrail, and Google Chronicle, and quickly understand the type and amount of data you have.
The following steps help you visualize the ingestion health of Chronicle data in the Resolution Intelligence Cloud.
- From the Home screen, navigate to Visibility --> Ingestion Health
- In Ingestion Health, the following tabs are available:
  - Log Type Health - Health of the data ingested for each log type
  - Log Source Health - Health of the data ingested for each log source, which is derived from the log type
  - Usage Reports - Number of users monitored per day
Understanding the amount of data ingested
Resolution Intelligence dashboards let you see how much data has been ingested into Chronicle.
In Log Type Health, the following insights are enabled:
- The number of events distributed per log type
- The percentage of throughput distribution per log type
- The storage space occupied by each log type at fixed time intervals
- The status of events generated on each day
The metrics displayed in the following chart give you details on:
- Total Entry Count - Total number of raw events ingested from the source into Chronicle
- Total Normalized Events - Total number of raw events normalized into UDM format
- Total Parsing Error Count - Total number of events that failed to meet Chronicle's parsing criteria
- Total Validation Error Count - Total number of events for which not all mandatory UDM fields were parsed. Refer to the mandatory fields for each UDM event type
- Total Errors - Sum of parsing errors and validation errors
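To make the relationship between these counters concrete, the following added example (not Resolution Intelligence Cloud or Chronicle code) computes the same Log Type Health figures from a constructed batch of events. The mandatory-field table and the event structure are assumptions made for the example; an event counts as normalized only when it parses and passes validation.

```python
# Added example, not product code: derive Log Type Health metrics per log type.
from collections import defaultdict

# Hypothetical mandatory UDM fields per event type (the real list is in Chronicle's UDM docs).
MANDATORY_UDM_FIELDS = {
    "NETWORK_CONNECTION": {"metadata.event_timestamp", "principal.ip", "target.ip"},
    "USER_LOGIN": {"metadata.event_timestamp", "principal.user.userid"},
}

def log_type_health(events):
    """Return per-log-type entry, normalized, parsing-error, validation-error and
    total-error counts plus the log type's share of throughput in percent.
    Each event is a dict with 'log_type', 'parsed' (False = parser rejected the raw
    line) and, when parsed, 'udm' with the event_type and the populated UDM fields."""
    stats = defaultdict(lambda: {"entry_count": 0, "normalized_events": 0,
                                 "parsing_errors": 0, "validation_errors": 0})
    for ev in events:
        s = stats[ev["log_type"]]
        s["entry_count"] += 1                 # every raw event counts as an entry
        if not ev.get("parsed"):
            s["parsing_errors"] += 1          # raw event never reached UDM
            continue
        udm = ev["udm"]
        required = MANDATORY_UDM_FIELDS[udm["event_type"]]
        if required - set(udm["fields"]):
            s["validation_errors"] += 1       # parsed, but a mandatory UDM field is missing
        else:
            s["normalized_events"] += 1       # fully normalized UDM event
    total = sum(s["entry_count"] for s in stats.values())
    for s in stats.values():
        s["total_errors"] = s["parsing_errors"] + s["validation_errors"]
        s["throughput_pct"] = round(100 * s["entry_count"] / total, 1)
    return dict(stats)

# Constructed sample batch: three DNS events (one valid, one missing target.ip,
# one the parser rejects) and two valid Azure AD login events.
SAMPLE_EVENTS = [
    {"log_type": "DNS", "parsed": True, "udm": {"event_type": "NETWORK_CONNECTION",
        "fields": ["metadata.event_timestamp", "principal.ip", "target.ip"]}},
    {"log_type": "DNS", "parsed": True, "udm": {"event_type": "NETWORK_CONNECTION",
        "fields": ["metadata.event_timestamp", "principal.ip"]}},
    {"log_type": "DNS", "parsed": False},
    {"log_type": "AZURE_AD", "parsed": True, "udm": {"event_type": "USER_LOGIN",
        "fields": ["metadata.event_timestamp", "principal.user.userid"]}},
    {"log_type": "AZURE_AD", "parsed": True, "udm": {"event_type": "USER_LOGIN",
        "fields": ["metadata.event_timestamp", "principal.user.userid"]}},
]
```

Running `log_type_health(SAMPLE_EVENTS)` reports DNS with 3 entries, 1 normalized event, 1 parsing error, 1 validation error, 2 total errors and 60% of throughput.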
In Log Source Health, the following insights are enabled:
- The total number of events generated for each log source
- The time at which the events are generated
- The product and vendor name that an event belongs to
In Usage Reports, the following insights are enabled:
- The number of users monitored, with the first and last times each logged in to Resolution Intelligence Cloud
- The time at which the logs are collected
- The total number of detection rules applied on each log source
Detection Coverage
To view the detection coverage dashboard:
- From the Home screen, navigate to Visibility --> Detection Coverage
The following Detection Coverage heatmap lets you see:
- The percentage of detection rules that can be triggered for each MITRE tactic and technique, based on the data you ingest into your Chronicle account.
- How much quality data you have, which helps you decide which additional data sources to ingest to improve rule detection across the MITRE tactics & techniques matrix.
The color gradient bar at the top right corner of the above figure indicates the coverage percentage of rule detection from the MITRE matrix.
Example:
The dashboard shows a detection rule mapped to the technique (active scanning) under the tactic (reconnaissance), and the ingested data from the log type matches the defined rule (only a single rule is defined), which means 100% coverage is shown. The number of rules may differ from tactic to tactic, technique to technique, and sub-technique to sub-technique.
Click any tile on the detection coverage page to see more details (type and number of rules available for detection, ID, permissions required, available data sources, and type of platforms) for that specific sub-technique. To see which rules are used for detection, click the number to the left of Detection Rules Available, as shown in the following figure.
Filtering Detection Coverage dashboard
Resolution Intelligence can customize the detection coverage dashboard based on the log source type you selected when ingesting the data and the platform from which the data is ingested.
By Log Source
To view the dashboard by log source type:
- From the Detection Coverage screen, click at the right of your dashboard. A filter window appears
- Select the log source(s) from the drop-down. For example, select DNS, DHCP, and EDR
- Click Apply
By Platform
To view the dashboard by platform:
- From the Detection Coverage screen, click at the right of your dashboard. A filter window appears
- Select the platform(s) from the drop-down. For example, select Azure AD, Containers, and Google Workspace
- Click Apply
Note: You can filter the dashboard by platform, by log source, or by both at once.
View by Threat Actors
The detection coverage dashboard can be customized for different threat actors by choosing one or more of them.
To view the dashboard by threat actors:
- From the Detection Coverage screen, click just above the dashboard
- Select one or more threat actors displayed in the window
- Click Apply
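The heatmap example above (one active-scanning rule, 100% coverage) and the three filters (log source, platform, threat actor) all rest on the same calculation: a rule counts toward a technique's coverage only when every log source it needs is being ingested. The following added example (not Resolution Intelligence Cloud code) implements that calculation over a constructed rule set; the rule IDs, field names, platform labels and the actor-to-technique mapping are assumptions made for the example.

```python
# Added example, not product code: per-technique detection coverage with the
# dashboard's log-source, platform and threat-actor filters.
# Rule IDs, field names, platform labels and ACTOR_TECHNIQUES are constructed.
RULES = [
    {"id": "rule_recon_scan", "tactic": "TA0043", "technique": "T1595",
     "log_sources": {"DNS"}, "platform": "Network"},
    {"id": "rule_dhcp_rogue_server", "tactic": "TA0006", "technique": "T1557",
     "log_sources": {"DHCP"}, "platform": "Network"},
    {"id": "rule_aad_bruteforce", "tactic": "TA0006", "technique": "T1110",
     "log_sources": {"AZURE_AD"}, "platform": "Azure AD"},
    {"id": "rule_edr_password_spray", "tactic": "TA0006", "technique": "T1110",
     "log_sources": {"EDR", "AZURE_AD"}, "platform": "Azure AD"},
]
# Constructed threat-actor profiles: techniques each actor is associated with.
ACTOR_TECHNIQUES = {"ActorA": {"T1595", "T1110"}, "ActorB": {"T1557"}}

def detection_coverage(rules, ingested, log_sources=None, platforms=None, actors=None):
    """Return {technique: (detectable_rules, total_rules, coverage_percent)}.
    A rule is detectable only when all of its required log sources are ingested.
    log_sources/platforms narrow which rules are shown; actors narrows which
    techniques are shown, mirroring the dashboard filters."""
    wanted = None
    if actors:
        wanted = set().union(*(ACTOR_TECHNIQUES[a] for a in actors))
    totals, hits = {}, {}
    for r in rules:
        if log_sources and not (r["log_sources"] & set(log_sources)):
            continue                      # rule uses none of the selected log sources
        if platforms and r["platform"] not in platforms:
            continue                      # rule belongs to another platform
        if wanted is not None and r["technique"] not in wanted:
            continue                      # technique not used by the chosen actors
        t = r["technique"]
        totals[t] = totals.get(t, 0) + 1
        if r["log_sources"] <= set(ingested):
            hits[t] = hits.get(t, 0) + 1  # every required source is being ingested
    return {t: (hits.get(t, 0), n, round(100 * hits.get(t, 0) / n))
            for t, n in totals.items()}

if __name__ == "__main__":
    # With only DNS and Azure AD ingested: T1595 is 100% (the page's example),
    # T1110 is 50% (the EDR-dependent rule cannot fire) and T1557 is 0%.
    print(detection_coverage(RULES, {"DNS", "AZURE_AD"}))
```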