On Scheduling Inspector’s main dashboard, users will quickly be able to identify any Scheduled Searches that are potentially missing data.
A search with a Coverage Gap does not review enough data in its time span when compared to its schedule. For instance, a search that is scheduled to run every 15 minutes but only looks at the past 5 minutes of data will 'lose' 10 minutes of data every time it runs. This is bad if the search is looking for critical errors or other notable events: any event that falls within the gap will be missed entirely.
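The check described above can be reproduced outside the app. The following is an added example, not code from Scheduling Inspector or from the original page: it reads a constructed savedsearches.conf fragment, derives the run interval from `cron_schedule` and the searched window from `dispatch.earliest_time` / `dispatch.latest_time` (all real Splunk settings), and reports every search whose window is shorter than its interval. Snap-to suffixes such as `@m` are ignored, so the window is an approximation within one snap unit, and only regular cron shapes are recognised; anything else is skipped rather than guessed at.

```python
import re
from configparser import ConfigParser
from typing import List, Optional

# Constructed savedsearches.conf fragment used as sample input (not from the page).
SAMPLE_CONF = """
[Critical Errors - every 15 min]
cron_schedule = */15 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now

[Failed Logins - hourly]
cron_schedule = 0 * * * *
dispatch.earliest_time = -65m@m
dispatch.latest_time = -5m@m

[Nightly Summary]
cron_schedule = 30 2 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
"""

_REL = re.compile(r"^(-?)(\d*)([smhdw])(@\w+)?$")
_UNIT_MIN = {"s": 1 / 60, "m": 1, "h": 60, "d": 1440, "w": 10080}


def offset_minutes(spec: str) -> Optional[float]:
    """Minutes before 'now' that a relative time modifier points at.
    '-5m@m' -> 5, 'now'/'@d' -> 0, '0' -> all time. Snap suffixes are
    ignored; real-time or unrecognised modifiers return None."""
    spec = spec.strip()
    if spec in ("", "now") or spec.startswith("@"):
        return 0.0
    if spec == "0":                      # epoch 0, i.e. all time
        return float("inf")
    m = _REL.match(spec)
    if not m:
        return None
    sign, num, unit, _snap = m.groups()
    n = (int(num) if num else 1) * _UNIT_MIN[unit]
    return float(n if sign else -n)      # '+' offsets come back negative


def cron_interval_minutes(cron: str) -> Optional[int]:
    """Run interval for the common regular cron shapes: '*/N * * * *',
    'M * * * *' (hourly) and 'M H * * *' (daily). Others return None."""
    fields = cron.split()
    if len(fields) != 5:
        return None
    minute, hour, dom, mon, dow = fields
    if not (dom == mon == dow == "*"):
        return None
    step = re.fullmatch(r"\*/(\d+)", minute)
    if step and hour == "*":
        return int(step.group(1))
    if minute.isdigit() and hour == "*":
        return 60
    if minute.isdigit() and hour.isdigit():
        return 1440
    return None


def analyze(conf_text: str) -> List[dict]:
    """Per-search interval, searched window and resulting gap (in minutes)."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    results = []
    for name in cp.sections():
        s = cp[name]
        interval = cron_interval_minutes(s.get("cron_schedule", ""))
        earliest = offset_minutes(s.get("dispatch.earliest_time", "0"))
        latest = offset_minutes(s.get("dispatch.latest_time", "now"))
        if interval is None or earliest is None or latest is None:
            continue                     # cannot reason about it; review by hand
        window = earliest - latest
        gap = max(0.0, interval - window)
        results.append({
            "name": name, "interval": interval, "window": window, "gap": gap,
            # earliest_time that would exactly close the gap for this latest_time
            "suggested_earliest": f"-{int(interval + latest)}m" if gap > 0 else None,
        })
    return results


def find_coverage_gaps(conf_text: str) -> List[dict]:
    return [r for r in analyze(conf_text) if r["gap"] > 0]


if __name__ == "__main__":
    for r in find_coverage_gaps(SAMPLE_CONF):
        print(f"{r['name']}: runs every {r['interval']}m, searches {r['window']:.0f}m, "
              f"gap {r['gap']:.0f}m -> consider earliest_time={r['suggested_earliest']}")
```

Of the three constructed searches only the first is flagged: it runs every 15 minutes but searches 5, leaving a 10-minute gap, which is exactly the situation the paragraph describes. The hourly search with a 65-minute window that ends 5 minutes ago and the daily search over the previous whole day both cover their interval and pass.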
After identifying a search with a possible Coverage Gap, users can investigate further by selecting the Magnifying Glass to open the search in a new tab. This is useful for checking whether there were other reasons why this search didn't meet best practices. Once the search is confirmed as a viable target for fixing, users can select the Wrench icon to open a modal that will automatically tune the search to meet best practices.
After selecting the Wrench icon for automatic fixing, this modal will appear.
Clicking 'Apply' changes the Scheduled Search's time range so that it covers its schedule, rectifying the issue. The change is logged in the local directory of the application that owns the search.
It is recommended not to use this tool to change Enterprise Security searches or searches whose results feed an "outputlookup" command. Confirm the reasons for the search's output and existence before updating its time span.