Log Source Coverage shows what percentage of the detection content available in Threat Detection Marketplace for your log sources you have explored, downloaded via API, and deployed. This lets you measure how much of the detection content applicable to your log source data is actually in use in your security technology.
Important! For comprehensive visualization in your organization's Dashboard, Log Source Coverage, and MITRE ATT&CK Coverage, when you download and install content manually from Threat Detection Marketplace (part of the SOC Prime Platform), remember to mark that content as deployed; otherwise it is not counted in the coverage statistics. To automate content adoption, integrations, and analytics, we highly recommend setting up:
Products — list of the products to which your log sources belong. You can see:
Services — the number of services within the Product. Click the Product name to explore the Log Source Coverage per Product.
Rules — the number of rules available in our Platform for this Product.
Coverage — the percentage of the available rules for this Product that are marked as deployed.
Search Profile — when a search profile is applied, the statistics are calculated only for the Platform and Log Source Products configured in that Search Profile, so they reflect your organization's environment rather than all content. If a profile has been marked as Default on Coverages on the Search Profiles page, it is applied automatically, with its configured parameters, whenever you open the Log Source Coverage page. You can change this setting on the Search Profiles page.
Note: When drilling down from the Log Source Coverage page to Advanced Search, the selected Search Profile is not applied directly as a Search Profile filter. Instead, it is converted into separate filters that can be removed independently in Advanced Search.
Search bar — search for a certain Log Source Product to explore the details of log source coverage.
Overview Mode
Content per Product view displays the detection content addressing Log Source Products in your Data Plane.
All Content displays stats on all Platform content related to the organization’s Log Source Products.
Legend:
Explored — content that the Platform has tracked as explored by your organization. Normally, the Explored count is higher than the Deployed count, since you deploy only what is relevant to you.
Deployed — content marked as deployed manually, or automatically marked as deployed via the Automation module.
Downloaded via API — content that your organization has downloaded through the Platform API.
Unexplored — content available in the Platform for Log Source Products as per your settings which is still unexplored by your organization.
To export your log source coverage statistics in CSV, click the Export button.
To use the export feature, a Search Profile must be applied.
Log Source Coverage per Product
Explore the coverage of a particular Log Source Product in detail, down to the level of individual Event IDs.
Explored — content related to the selected Service that the Platform has tracked as explored by your organization. Normally, the Explored count is higher than the Deployed count, since you deploy only what is relevant to you.
Deployed — content related to the selected Service that is marked as deployed manually, or automatically marked as deployed via the Automation module.
Downloaded via API — content related to the selected Service that your organization has downloaded through the Platform API.
Unexplored — content related to the selected Service that is available in the Platform but is still unexplored by your organization.
Click on the number of explored, downloaded via API, deployed, or unexplored content items to go to Search and see all detections of the corresponding type.
With the Trend pane, you can view your organization's progress over time.
To get back to the Overview screen, click the Log Source Coverage title in the upper left corner.
