Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Visualizing Log Source Type Coverage per Rule

Explore current and potential log source type coverage per rule, and see how your rule coverage can expand if new log source types are added to your environment. See the number of rules that provide current coverage for each log source type, based on the rule test definitions.

You can use predefined templates to see recommended content extensions to install or currently installed extensions, or manually filter your report results by content extension attributes. Predefined templates are available through the template icon on the menu bar of the rule report. Select the template you'd like to use from the categories in the template list.

  1. To see current and potential log source type coverage, click Rule-log source type coverage > Current and potential.
    Note:

    QRadar Use Case Manager excludes log source types that QRadar considers 'internal' from these charts; for example, Health Metrics, SIM Audits, Custom Rule Engine, System Notifications, and Asset Profiler.

  2. Explore current and potential coverage in the Rules per used log source types chart. The Rules available to install and the Rules with MITRE available to install columns indicate the number of rules from content extensions that are available on the IBM Security App Exchange. To generate a report of content extensions for a selected log source type, select the corresponding bar and click Apply Filters in the filter pane. Then, click the content extension name link in the table report to view or install the content extension.
  3. Explore how coverage can expand if new log source types are added in the Rules per unused log source types chart. Rules that are represented in the bars are either already installed or available to install from content extensions on the IBM Security App Exchange. To generate a report of the rules and their origin for a selected log source type, select the corresponding bar and then click Apply Filters in the filter pane. Then, click the content extension name link in the table report to view or install the content extension.

Related Documentation