Ingestion Analytics
With Resolution Intelligence's Ingestion Health dashboard, you can monitor the data ingested from sources such as Microsoft Azure, Amazon CloudTrail, and Google Chronicle, and quickly understand the type and amount of data you have.
The following steps show how to visualize the ingestion health of Chronicle data in Resolution Intelligence.
- From the Home screen, navigate to Visibility --> Ingestion Health
- In Ingestion Health, the following tabs are available:
- Log Type Health - health of the ingested data, broken down by log type
- Log Source Health - health of the ingested data, broken down by log source (derived from the log type)
- Usage Reports - number of users monitored per day
Understanding the amount of data ingested
Resolution Intelligence dashboards let you see how much data has been ingested into Chronicle.
In Log Type Health, the following insights are enabled:
- The number of events per log type
- The percentage of throughput per log type
- The amount of space occupied by each log type at set time intervals
- The status of events generated on each day
The metrics displayed in the chart give you details on:
- Total Entry Count - total number of raw events ingested from the source into Chronicle
- Total Normalized Events - total number of raw events normalized into UDM (Unified Data Model) format
- Total Parsing Error Count - total number of events that failed to meet the parsing criteria in Chronicle
- Total Validation Error Count - total number of events for which not all mandatory UDM fields were parsed. Refer to the mandatory fields for each UDM event type
- Total Errors - sum of parsing errors and validation errors
In Log Source Health, the following insights are enabled:
- The total number of events generated for each log source
- The time at which the events are generated
- The product and vendor name that an event belongs to
In Usage Reports, the following insights are enabled:
- The number of users who logged in to Resolution Intelligence Cloud, with first-seen and last-seen times
- The time at which the logs are collected
- The total number of detection rules applied on each log source
Detection Coverage
To view the Detection Coverage dashboard:
- From the Home screen, navigate to Visibility --> Detection Coverage
The Detection Coverage heatmap lets you see:
- The percentage of rules that can detect against the MITRE ATT&CK tactics and techniques matrix, based on the data you ingest into your Chronicle account
- The amount of quality data you currently have, which in turn helps you ingest enough data sources to improve rule detection across the MITRE tactics and techniques matrix
The heatmap colours correspond to the following coverage ranges:
- Gray: 1-25%
- Light Pink: 26-50%
- Light Violet: 51-75%
- Mild Violet: 76-99%
- Dark Violet: 100%
For example, the dashboard shows a detection rule mapped to the technique Active Scanning under the tactic Reconnaissance; when the ingested data from a log type matches the defined rule, that technique shows 100% coverage.
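The Log Type Health error metrics and the heatmap banding above, worked through as an added Python example (not the product's own code): it computes Total Errors per log type from constructed counters, treats a log type as able to feed detections only when it has normalized UDM events (an assumption), and maps the resulting per-technique coverage to the legend colours. The log types, counts and rule-to-technique mappings are constructed sample data.

```python
"""Derive log-type health and MITRE technique coverage bands from
constructed Chronicle-style ingestion counters (sample data, not real telemetry)."""
from collections import defaultdict

# Constructed per-log-type counters mirroring the Log Type Health metrics.
INGESTION = {
    "WINDOWS_DNS":     {"entries": 1000, "normalized": 980, "parse_err": 15, "validation_err": 5},
    "AZURE_AD":        {"entries": 400,  "normalized": 400, "parse_err": 0,  "validation_err": 0},
    "CROWDSTRIKE_EDR": {"entries": 0,    "normalized": 0,   "parse_err": 0,  "validation_err": 0},
}

# Constructed detection rules: each maps to one technique under a tactic and
# needs normalized UDM events from one log type to fire.
RULES = [
    {"name": "dns_scan",       "tactic": "Reconnaissance",    "technique": "Active Scanning", "log_type": "WINDOWS_DNS"},
    {"name": "edr_scan",       "tactic": "Reconnaissance",    "technique": "Active Scanning", "log_type": "CROWDSTRIKE_EDR"},
    {"name": "aad_bruteforce", "tactic": "Credential Access", "technique": "Brute Force",     "log_type": "AZURE_AD"},
]

def total_errors(stats):
    """Total Errors = parsing errors + validation errors, as on the dashboard."""
    return stats["parse_err"] + stats["validation_err"]

def is_healthy(stats):
    """Assumption: a log type feeds detections only if it has normalized UDM events."""
    return stats["normalized"] > 0

def coverage_band(pct):
    """Map a coverage percentage to the heatmap legend colour (0% shown as Gray here)."""
    if pct >= 100:
        return "Dark Violet"
    if pct >= 76:
        return "Mild Violet"
    if pct >= 51:
        return "Light Violet"
    if pct >= 26:
        return "Light Pink"
    return "Gray"

def technique_coverage(rules, ingestion):
    """Percentage of rules per (tactic, technique) whose required log type is healthy."""
    total, covered = defaultdict(int), defaultdict(int)
    for rule in rules:
        key = (rule["tactic"], rule["technique"])
        total[key] += 1
        stats = ingestion.get(rule["log_type"])
        if stats is not None and is_healthy(stats):
            covered[key] += 1
    return {key: round(100 * covered[key] / total[key]) for key in total}

if __name__ == "__main__":
    for key, pct in technique_coverage(RULES, INGESTION).items():
        print(f"{key[0]} / {key[1]}: {pct}% -> {coverage_band(pct)}")
```

With the sample data, Active Scanning shows 50% (Light Pink) because the EDR log type has no normalized events, which is exactly the gap the heatmap is meant to surface.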

Filtering Detection Coverage dashboard
Resolution Intelligence lets you customize the Detection Coverage dashboard by the log source type you selected when ingesting the data and by the platform from which the data was ingested.
By Log Source
To view the dashboard by log source type:
- From the Detection Coverage screen, click the filter icon at the right of the dashboard. A filter window appears.
- Select the log source(s) from the dropdown, for example DNS, DHCP, and EDR.
- Click Apply.
By Platform
To view the dashboard by platform:
- From the Detection Coverage screen, click the filter icon at the right of the dashboard. A filter window appears.
- Select the platform(s) from the dropdown, for example Azure AD, Containers, and Google Workspace.
- Click Apply.
Note: You can filter the dashboard by platform, by log source, or by both at once.
View by Threat Actors
The Detection Coverage dashboard can be customized for different threat actors by choosing one or more of them.
To view the dashboard by threat actors:
- From the Detection Coverage screen, click the threat actor filter just above the dashboard. A selection window appears.
- Select one or more threat actors displayed in the window.
- Click Apply.