Example log source type coverage summary table

The Log source type coverage summary table shows some coverage results since November 16, 2020. Learn how to use these examples to interpret your own results.

Figure 1. Sample log source type coverage table

The report was run on 30 November 2020 to track coverage that began on 16 November 2020.

  1. The first four log source types did not contribute events to any offense since 16 November 2020; that is, events from these log source types did not affect any offense in two weeks. The CrowdStrikeEndpoint and Akamai KONA log source types did receive events, and although Akamai KONA had almost 154,000,000 events, none of them contributed to any offense. Follow these steps to resolve cases like these:
    • Investigate the rules that are related to these log source types for any tuning actions. Run one of the log source coverage templates and add the filter for any needed log source types.
    • Check whether more rules are available to install from the IBM® Security App Exchange that can provide better coverage for these log source types. Select Rule-log source type coverage > Current and potential coverage, find the log source type in the chart, and click the bar next to it in the Rules available to install column. Then, apply the filters and check the resulting report.
  2. The CrowdStrike Falcon Host and Palo Alto PA Series log source types show that several offenses were updated, but neither received any events. Because these log source types had no events of their own, they are related to offenses that were updated by events from other log source types.
  3. The Proofpoint TAP log source type had many events, and those events contributed to two offenses. This is the common, expected case: the log source type both receives events and feeds offenses.
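The three cases above (events but no offense contributions, offenses updated but no events, and the expected case of both) can be checked mechanically when the coverage table is exported as CSV. The following is an added example, not code from the page or from the Use Case Manager app; the CSV column names and the sample rows are constructed for illustration and only loosely modelled on the table in Figure 1.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample export (hypothetical column names, not the app's real export format).
SAMPLE_CSV = """log_source_type,events,offenses_updated
CrowdStrikeEndpoint,12000,0
Akamai KONA,154000000,0
CrowdStrike Falcon Host,0,3
Palo Alto PA Series,0,2
Proofpoint TAP,8500,2
Unused Test Source,0,0
"""

@dataclass
class LogSourceCoverage:
    name: str
    events: int
    offenses_updated: int

def parse_coverage_csv(text: str) -> list[LogSourceCoverage]:
    """Parse an exported coverage table into typed rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        LogSourceCoverage(
            name=row["log_source_type"].strip(),
            events=int(row["events"]),
            offenses_updated=int(row["offenses_updated"]),
        )
        for row in reader
    ]

def classify(row: LogSourceCoverage) -> str:
    """Map a row onto the cases described in the report walkthrough."""
    if row.events > 0 and row.offenses_updated == 0:
        # Case 1: events arrive but no rule ever turns them into an offense.
        # Tuning candidate: review rules for this log source type, or install more.
        return "events_no_offenses"
    if row.events == 0 and row.offenses_updated > 0:
        # Case 2: offenses reference this type, but the updates came from other sources.
        return "offenses_no_events"
    if row.events == 0 and row.offenses_updated == 0:
        # Silent source: nothing received and nothing contributed in the period.
        return "silent"
    # Case 3: the expected, healthy situation.
    return "contributing"

def coverage_summary(rows: list[LogSourceCoverage]) -> dict[str, list[str]]:
    """Group log source type names by coverage case, largest event volume first."""
    summary: dict[str, list[str]] = {
        "events_no_offenses": [],
        "offenses_no_events": [],
        "silent": [],
        "contributing": [],
    }
    for row in sorted(rows, key=lambda r: r.events, reverse=True):
        summary[classify(row)].append(row.name)
    return summary

if __name__ == "__main__":
    for case, names in coverage_summary(parse_coverage_csv(SAMPLE_CSV)).items():
        print(f"{case}: {', '.join(names) or '-'}")
```

Sorting by event volume within each group puts the highest-volume uncovered sources (the Akamai KONA situation above) at the top of the tuning list, since those are the ones where a rule gap or an unneeded event feed costs the most.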