After the Data Audit is completed, you can review the results to verify automatically identified tables and log sources and check your blind spots. Follow this guide to learn how to set up and start running a Data Audit.
You can review the audit results right away once they are ready or later by navigating to the Audits page and choosing the relevant Data Audit record. Follow this guide to learn more about tracking and managing Data Audits on the Audits page.
You can use the Demo Investigation that shows the Data Audit results for a Demo Data Plane.
If you'd like to see the results of older audits or results for individual Data Planes, select an audit and then a Tenant and a Data Plane from the dropdowns in the upper left corner.
The spider chart on the Data Audit results page displays your current Data Audit outcomes and how you can improve visibility by addressing identified blind spots based on the following color codes:
The orange surface (Attack Visibility) – shows the percentage of techniques in each tactic that can be detected with the existing log sources.
The green surface (With Blind Spots) – shows potential attack visibility after implementing recommendations for resolving blind spots.
On the right, you can delve into more details of the analysis by switching between two modes – Visibility and Blind Spots.
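To make the two chart surfaces concrete, here is an added Python example (not the product's own scoring code) that computes per-tactic attack visibility from a constructed technique-to-data-component map and a set of enabled log sources, lists the resulting blind spots with the catalogued log sources that would close them, and recomputes visibility as if those sources were added. The rule that a technique counts as visible when any one of its data components is available, the log source catalog and the technique map are all assumptions made for the illustration.

```python
"""Per-tactic attack visibility and blind spots, illustrating the spider chart.

Added example with constructed data. Assumption: a technique is visible when at
least one of the data components that can detect it is produced by an enabled
log source. The product's own scoring rules are not described on the page.
"""
from collections import defaultdict

# Constructed catalog: log source -> data components it produces
LOG_SOURCE_COMPONENTS = {
    "windows_security": {"Logon Session Creation", "User Account Creation"},
    "sysmon": {"Process Creation", "Network Connection Creation", "File Creation"},
    "dns_resolver": {"Network Traffic Content"},
    "cloud_audit": {"Cloud Service Enumeration", "User Account Creation"},
}

# Constructed (simplified) map: technique id -> (tactic, detecting data components)
TECHNIQUES = {
    "T1059": ("Execution", {"Process Creation", "Command Execution"}),
    "T1078": ("Initial Access", {"Logon Session Creation", "User Account Authentication"}),
    "T1136": ("Persistence", {"User Account Creation"}),
    "T1071": ("Command and Control", {"Network Traffic Content", "Network Connection Creation"}),
    "T1568": ("Command and Control", {"Network Traffic Content"}),
    "T1548": ("Privilege Escalation", {"Process Creation", "Command Execution"}),
    "T1134": ("Privilege Escalation", {"Process Metadata", "OS API Execution"}),
    "T1087": ("Discovery", {"Command Execution", "Process Creation"}),
    "T1580": ("Discovery", {"Cloud Service Enumeration"}),
}


def available_components(enabled_sources):
    """Union of data components produced by the enabled log sources."""
    comps = set()
    for src in enabled_sources:
        comps |= LOG_SOURCE_COMPONENTS[src]
    return comps


def visibility_by_tactic(enabled_sources):
    """Return {tactic: (visible_count, total_count, percent)} -- the orange surface."""
    comps = available_components(enabled_sources)
    totals, visible = defaultdict(int), defaultdict(int)
    for tid, (tactic, needed) in TECHNIQUES.items():
        totals[tactic] += 1
        if needed & comps:
            visible[tactic] += 1
    return {t: (visible[t], totals[t], round(100 * visible[t] / totals[t])) for t in totals}


def blind_spots(enabled_sources):
    """Techniques not visible, each with the catalogued log sources that would cover it.

    An empty list means no source in the catalog produces a matching component,
    so the gap cannot be closed by adding a log source from this catalog.
    """
    comps = available_components(enabled_sources)
    result = {}
    for tid, (tactic, needed) in TECHNIQUES.items():
        if needed & comps:
            continue
        result[tid] = sorted(
            s for s, c in LOG_SOURCE_COMPONENTS.items()
            if c & needed and s not in enabled_sources
        )
    return result


def projected_visibility(enabled_sources):
    """Visibility after adding every recommended log source -- the green surface."""
    extra = {s for fixes in blind_spots(enabled_sources).values() for s in fixes}
    return visibility_by_tactic(set(enabled_sources) | extra)


if __name__ == "__main__":
    enabled = ["windows_security", "sysmon"]
    for tactic, (v, n, pct) in sorted(visibility_by_tactic(enabled).items()):
        print(f"{tactic:22} {v}/{n} techniques visible ({pct}%)")
    print("blind spots:", blind_spots(enabled))
    print("after fixes:", projected_visibility(enabled))
```

With only `windows_security` and `sysmon` enabled, T1134 stays a blind spot even after every recommended source is added, which is the kind of gap the Blind Spots tab is meant to surface: the missing telemetry is not in the catalog at all, not merely disabled.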
Visibility
This tab shows data tables automatically identified in your Data Planes.
Use the Search bar at the top of the Visibility tab to search for tables.
You can sort the data in the table using the dropdown by selecting one of the following options:
Query Count – sorts the data by the number of queries identified in your Data Planes.
Index Name – sorts the data alphabetically by index name.
Additionally, you can switch between descending and ascending order by clicking the green arrow next to the selected sorting option name.
You can fine-tune and customize the tables and log sources:
Clear the checkbox next to a data table to exclude it from scanning.
Remove an automatically identified log source by clicking the x icon next to it.
Add more log sources manually. To do this:
After making customizations to the log sources, refresh the Data Audit results by clicking the Refresh Visibility button.
Note: For Microsoft Defender for Endpoint Data Planes, the user can select/deselect data tables for scanning, but cannot modify log sources. The scan can only be run with the automatically identified parameters.
Blind Spots
Check what log sources you are missing by viewing blind spots across five view modes. Select a view from the dropdown:
Index/Table – the list of indexes or tables identified in your Data Plane.
Data Components – the list of data sources with descriptions.
Log Sources – the list of log sources identified in your Data Plane.
Tools – the list of potential MITRE ATT&CK tools.
Tactics – the list of potential MITRE ATT&CK techniques.
Expand each item from the list to view detailed information.
You can additionally filter the results by MITRE ATT&CK Actors by selecting the checkboxes in the Actors dropdown.
Note: The Blind Spots tab is not available for Microsoft Defender for Endpoint Data Planes.
Once you have reviewed the Data Audit results, you can proceed to scanning with the current log sources by clicking the Setup Alerts button, or add the missing log sources to your Data Planes and then start a new Data Audit.
Export Data Audit Results
You can export the results of your Data Audit by clicking the file icon in the right-hand corner of the Data Audit results page. Select the file format:
DeTT&CT .YAML – the results will be ready for export in the YAML format comparing data log source quality, visibility coverage, detection coverage, and threat actor behaviors. Learn more.
.CSV – the results will be ready for export in the .CSV format.
.PDF – the results will be ready for export in the PDF format.
Alternatively, you can generate a report on the Audits page by clicking the three-dot menu on the Data Audit record and selecting Generate Report.
After selecting the export format, your Data Audit results will be saved in the Reports section, where you can download them by clicking the Download icon in the corresponding row (the newest reports are at the top of the list).
Alternatively, you can export the Data Audit Results to ATT&CK Navigator. Click the Open in ATT&CK Navigator button in the right-hand corner of the Data Audit results page, and you will be automatically redirected to the ATT&CK Navigator tool, which visualizes your coverage of adversary techniques across the matrix.
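For readers who want to produce the same kind of matrix view from exported results, here is an added Python example (not the product's exporter) that turns a constructed technique-to-visibility mapping into an ATT&CK Navigator layer file. The three-level scoring (visible, resolvable blind spot, uncovered), the colors and the version numbers in the `versions` field are assumptions made for the example.

```python
"""Build an ATT&CK Navigator layer from Data Audit-style visibility results.

Added example, not the product's own export. Assumes the Navigator layer file
format (layer version 4.5 is assumed here) with one entry per technique; the
tactic field uses Navigator's lowercase hyphenated tactic names.
"""
import json

# Constructed sample result: technique id -> (tactic, visible_now, visible_after_fixes)
SAMPLE_RESULTS = {
    "T1059": ("execution", True, True),
    "T1078": ("initial-access", True, True),
    "T1568": ("command-and-control", False, True),
    "T1134": ("privilege-escalation", False, False),
}


def to_navigator_layer(results, name="Data Audit visibility"):
    """Return a Navigator layer dict: score 2 = visible, 1 = resolvable blind spot, 0 = uncovered."""
    techniques = []
    for tid, (tactic, visible, projected) in sorted(results.items()):
        if visible:
            score, comment = 2, "visible with current log sources"
        elif projected:
            score, comment = 1, "blind spot: covered once recommended log sources are added"
        else:
            score, comment = 0, "blind spot: no recommended log source covers this technique"
        techniques.append({
            "techniqueID": tid,
            "tactic": tactic,
            "score": score,
            "comment": comment,
            "enabled": True,
            "showSubtechniques": False,
        })
    return {
        "name": name,
        # Assumed version numbers; set them to match the Navigator instance you load the layer into.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Attack visibility per technique (2 = visible, 1 = resolvable blind spot, 0 = uncovered)",
        "techniques": techniques,
        "gradient": {"colors": ["#ff6666", "#ffe766", "#8ec843"], "minValue": 0, "maxValue": 2},
        "legendItems": [
            {"label": "Visible", "color": "#8ec843"},
            {"label": "Resolvable blind spot", "color": "#ffe766"},
            {"label": "Uncovered", "color": "#ff6666"},
        ],
    }


def layer_json(results):
    """Serialize the layer as the JSON Navigator loads via Open Existing Layer."""
    return json.dumps(to_navigator_layer(results), indent=2)


def score_counts(layer):
    """How many techniques fall in each score bucket; handy for a quick sanity check."""
    counts = {0: 0, 1: 0, 2: 0}
    for t in layer["techniques"]:
        counts[t["score"]] += 1
    return counts


if __name__ == "__main__":
    print(layer_json(SAMPLE_RESULTS))
```

Scoring blind spots as 1 rather than 0 keeps the "With Blind Spots" information from the spider chart in the matrix: a yellow cell tells the reader the gap closes by onboarding a recommended log source, while a red cell needs a different answer.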
