Visualizing log source type coverage per rule

Explore current and potential log source type coverage per rule, and see how your rule coverage can expand if new log source types are added to your environment. See the number of rules that provide current coverage for each log source type, based on the rule test definitions.

Procedure

  1. To see the number of rules that provide current coverage for each log source type based on the rule test definitions, click Rule-log source type coverage > Summary and offense update trends.
  2. In the Log source type coverage summary table, check when the log source type last contributed to an offense, based on the last updated date. Then, review the number of events for log sources of that type. If the last updated date of an offense is old, try tuning some of the rules for the related log source type. For example, if you have 81 rules for a log source type that has not contributed to an offense for three weeks and has no associated events, those 81 rules need investigation to determine whether something is wrong with them. You can also filter the list in the table to narrow down the log source types that you want to investigate.
    [Figure: Chart that shows current log source type coverage per rule]

    The bar chart is a visualization of the table chart.

    1. Expand the bar chart to full screen.
    2. Export the bar chart to CSV, PNG, or JPG formats.
    3. View the bar chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
    4. Change the date range for the Log source type coverage summary chart by clicking the calendar icon for Display events and offense updated date since: <date>. QRadar® Use Case Manager initially fetches 90 days of data from QRadar, and keeps collecting data daily for 1 year. Data older than 1 year is then deleted from the database. The default date is one day before the current day's date.
  3. In the Log source type trend chart, review the number of offenses that are updated on a specific day and related to a specific log source type. Updated offenses are counted against each related log source type, regardless of the log source type that caused the update. Fine-tune the chart by specific log source type by clicking the checkboxes beneath the chart.
    [Figure: Log source type trend chart]
    1. Expand the chart to full screen.
    2. Export the chart to CSV, PNG, or JPG formats.
    3. View the chart data in tabular format. Then, export the data in CSV format to view offline or share with colleagues.
    4. Change the date range for the Log source type trend chart by clicking the calendar icons for Date range. Trend data is only available from the date of app installation.
    5. View the data trends as a daily or weekly summary by selecting the frequency from the list.
      Tip: You can only view weekly trends when the selected date range is greater than 14 days.
  4. To see current and potential log source type coverage, click Rule-log source type coverage > Current and potential coverage.
    [Figure: Charts that show current and potential log source type coverage per rule]
    Important: QRadar Use Case Manager excludes log source types that QRadar considers 'internal' from these charts; for example, Health Metrics, SIM Audits, Custom Rule Engine, System Notifications, and Asset Profiler.
  5. Explore current and potential coverage in the Rules per used log source types chart. The Rules available to install and the Rules with MITRE available to install columns indicate the number of rules from content extensions that are available on the IBM® Security App Exchange. To generate a report of content extensions for a selected log source type, select the corresponding bar and click Apply Filters in the filter pane. Then, click the content extension name link in the table report to view or install the content extension.
  6. Explore how coverage can expand if new log source types are added in the Rules per unused log source types chart. Rules that are represented in the bars are either already installed or available to install from content extensions on the IBM Security App Exchange. To generate a report of the rules and their origin for a selected log source type, select the corresponding bar and then click Apply Filters in the filter pane. Then, click the content extension name link in the table report to view or install the content extension.
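The coverage summary (steps 1 and 2) and the trend chart (step 3) both reduce to counting rules and offense updates per log source type. The following Python is an added example, not code from QRadar Use Case Manager; it computes the same two views over constructed rule, offense and event data. The phrasing of the rule test clause that names log source types, the rule and offense records, the event counts and the 21-day staleness threshold are all assumptions chosen to mirror the 81-rules-and-no-events scenario above; weekly summaries are only permitted when the date range exceeds 14 days, as the tip states.

```python
"""Rules per log source type, staleness check and offense-update trend.
Added example; not QRadar Use Case Manager code. All data is constructed."""
from collections import defaultdict
from datetime import date, timedelta
import re

# Assumed wording of the rule test clause that names log source types.
_LST_CLAUSE = re.compile(
    r"detected by one or more of these log source types:\s*(?P<types>[^\n]+)")


def parse_log_source_types(test_text):
    """Return the log source types named in one rule's test definition."""
    types = []
    for m in _LST_CLAUSE.finditer(test_text):
        types.extend(t.strip() for t in m.group("types").split(","))
    return [t for t in types if t]


def coverage_summary(rules, offenses, event_counts, as_of, stale_days=21):
    """Per log source type: rule count, last offense update, event count, and an
    'investigate' flag when the rules have gone quiet and no events arrive."""
    summary = {}
    for rule in rules:
        for lst in set(parse_log_source_types(rule["tests"])):
            row = summary.setdefault(lst, {"rules": 0, "last_offense_update": None})
            row["rules"] += 1
    for off in offenses:
        for lst in off["log_source_types"]:
            row = summary.get(lst)
            if row is None:
                continue
            if row["last_offense_update"] is None or off["updated"] > row["last_offense_update"]:
                row["last_offense_update"] = off["updated"]
    for lst, row in summary.items():
        row["events"] = event_counts.get(lst, 0)
        last = row["last_offense_update"]
        idle = last is None or (as_of - last).days > stale_days
        row["investigate"] = idle and row["events"] == 0
    return summary


def can_summarize_weekly(start, end):
    """Weekly trends are only meaningful for ranges longer than 14 days."""
    return (end - start).days > 14


def offense_trend(offenses, start, end, frequency="daily"):
    """Count updated offenses per period per related log source type. An offense
    that touches several types is counted against each of them."""
    if frequency == "weekly" and not can_summarize_weekly(start, end):
        raise ValueError("weekly summary requires a date range greater than 14 days")
    trend = defaultdict(lambda: defaultdict(int))
    for off in offenses:
        day = off["updated"]
        if not start <= day <= end:
            continue
        # Weekly buckets start on Monday.
        bucket = day - timedelta(days=day.weekday()) if frequency == "weekly" else day
        for lst in off["log_source_types"]:
            trend[lst][bucket] += 1
    return {lst: dict(buckets) for lst, buckets in trend.items()}


# Constructed sample data (not from any real deployment).
AS_OF = date(2024, 6, 30)
_CLAUSE = "when the event(s) were detected by one or more of these log source types: "
RULES = [
    {"name": "Windows brute force",
     "tests": _CLAUSE + "Microsoft Windows Security Event Log\nand when the event matches failed login"},
    {"name": "Linux sudo abuse", "tests": _CLAUSE + "Linux OS"},
    {"name": "Cross-platform lateral movement",
     "tests": _CLAUSE + "Linux OS, Microsoft Windows Security Event Log"},
    {"name": "Legacy firewall rule", "tests": _CLAUSE + "Check Point"},
]
OFFENSES = [
    {"id": 1, "updated": date(2024, 6, 29), "log_source_types": ["Microsoft Windows Security Event Log"]},
    {"id": 2, "updated": date(2024, 6, 28), "log_source_types": ["Linux OS", "Microsoft Windows Security Event Log"]},
    {"id": 3, "updated": date(2024, 6, 1), "log_source_types": ["Check Point"]},
]
EVENT_COUNTS = {"Microsoft Windows Security Event Log": 120000, "Linux OS": 4300}

if __name__ == "__main__":
    for lst, row in sorted(coverage_summary(RULES, OFFENSES, EVENT_COUNTS, AS_OF).items()):
        print(f"{lst:40} rules={row['rules']:2} last={row['last_offense_update']} "
              f"events={row['events']:7} investigate={row['investigate']}")
    print(offense_trend(OFFENSES, date(2024, 6, 1), AS_OF, "weekly"))
```

Running the block flags Check Point: one rule, last offense update on 2024-06-01, no events in the period, so that rule is the candidate for tuning. The two Windows offenses land in the same Monday-anchored weekly bucket because offense 2 is counted against both of its related log source types.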