crowdstrike/fdr Dashboards

00 - FDR Package Announcement - Please Read
WidgetDescriptionType
FDR Package Migration # Important Changes **This package is being reduced to only include the parser. Please use the crowdstrike/fltr-core package instead.** Instructions for configuring the crowdstrike/fltr-core package can be found here: https://github.com/CrowdStrike/logscale-community-content/wiki/FLTR-Setup-and-Configuration # Migrating Content If you've made modifications to the crowdstrike/fdr package contents and wish to keep them, they can be exported by going to SettingsCreate a PackageExport Package in this repo. Note
Detections by Instance
WidgetDescriptionType
Detections by Tactic Displays a pie chart of event detections.

Hide Query

Show Query

Pie Chart
Detection Rate Displays a chart of events and their detection rate over a one hour timespan.

Hide Query

Show Query

Time Chart
Map: Severity > Technique Displays a flow chart of a system's events, and their severity and technique.

Hide Query

Show Query

Sankey
Detections by Severity Displays a pie chart of detections by severity.

Hide Query

Show Query

Pie Chart
Detections by Technique Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID.

Hide Query

Show Query

Bar Chart
Detection by Attack Displays a table of detections by attack.

Hide Query

Show Query

Table
Detection: Grandparent File -> Parent File Displays a flowchart of event detection parent and grandparent files by file name.

Hide Query

Show Query

Sankey
Detection: Parent File -> File Displays a flowchart of detections by parent file and file.

Hide Query

Show Query

Sankey
Map: Technique -> Tactic Displays a flow diagram of technique and tactic data.

Hide Query

Show Query

Sankey
Detection Table Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format.

Hide Query

Show Query

Table
Detections by Host Displays a table of external API event detections by host.

Hide Query

Show Query

Table
Detections by User

Hide Query

Show Query

Table
Detections by Type
WidgetDescriptionType
Detections by Tactic Displays a pie chart of event detections.

Hide Query

Show Query

Pie Chart
Detection Rate Displays a chart of events and their detection rate over a one hour timespan.

Hide Query

Show Query

Time Chart
Map: Severity > Technique Displays a flow chart of a system's events, and their severity and technique.

Hide Query

Show Query

Sankey
Detections by Severity Displays a pie chart of detections by severity.

Hide Query

Show Query

Pie Chart
Detections by Technique Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID.

Hide Query

Show Query

Bar Chart
Detection by Attack Displays a table of detections by attack.

Hide Query

Show Query

Table
Detection: Grandparent File -> Parent File Displays a flowchart of event detection parent and grandparent files by file name.

Hide Query

Show Query

Sankey
Detection: Parent File -> File Displays a flowchart of detections by parent file and file.

Hide Query

Show Query

Sankey
Map: Technique -> Tactic Displays a flow diagram of technique and tactic data.

Hide Query

Show Query

Sankey
Detection Table Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format.

Hide Query

Show Query

Table
Detections by Host Displays a table of external API event detections by host.

Hide Query

Show Query

Table
Detections by User

Hide Query

Show Query

Table
Dev - Software Inventory
WidgetDescriptionType
Product Versions Displays a pie chart of product versions.

Hide Query

Show Query

Pie Chart
Product Names Displays a chart of an application's associated product and company names.

Hide Query

Show Query

Bar Chart
Software Inventory Displays a table of software inventory and associated data (company name, product name, file version) in descending order.

Hide Query

Show Query

Table
Software Companies Displays a list of software companies and application information.

Hide Query

Show Query

Bar Chart
Software Inventory Note # FDR Requirements This dashboard runs on the secondary FDR data. FDR secondary data is not enabled by default, you may need to submit a ticket to CrowdStrike Support to enable the secondary data feed. You can check to see if your data includes secondary data by searching this data for: @path = fdrv2* To narrow down the data set use the CompanyName and then the ProductName drop-down parameters above. Note
Domain Search
WidgetDescriptionType
Domain Lookup Summary Displays a domain lookup summary with associated data sorted by number of hosts, then limits the results to the first 200 entries.

Hide Query

Show Query

Table
Process and Domain Details Displays a table of specific processes and their domain details from a specific agent ID or ComputerName.

Hide Query

Show Query

Table
Number of Hosts Hitting the Domain Displays a list of the number of distinct hosts hitting the domain. Query results will only be provided if ?DomainName is specified.

Hide Query

Show Query

Single Value
Domain Lookups by Host Displays a list of distinct hosts and the number of lookup requests they made.

Hide Query

Show Query

Bar Chart
Domain Lookups by Host (Table) Displays a list of distinct hosts using ComputerName that resolve a specific domain, and how many requests they made.

Hide Query

Show Query

Table
Lookup Details Shows all lookups for a given domain name/pattern

Hide Query

Show Query

Table
Workflow Note # Process and Domain Details Provide Domain Name and ComputerName (or aid) to display the data. Note
Workflow Note # Domain Lookup and Process Details Provide Domain Name to display the data. You can filter results by aid or Computer Name. Note
Workflow Note # Domain Lookup Summary Displays top domains, enter Domain Name to narrow the search. Note
Workflow Note # Domain Lookups by Host Displays top Hosts hitting the Domain(s). Enter Domain Name to narrow the search. Note
File Vantage
WidgetDescriptionType
File Integrity Alerts by User Displays a chart of file integrity alerts by user.

Hide Query

Show Query

Bar Chart
File Vantage Alerts

Hide Query

Show Query

Table
File Vantage Alerts by Criticality Displays a list of File Vantage alerts by criticality (Low, Medium, High, and Critical).

Hide Query

Show Query

Pie Chart
File Integrity Alerts Displays a chart of file integrity alerts in a 1 hour timespan.

Hide Query

Show Query

Time Chart
File Integrity Alerts by Operation Displays a list of file integrity alerts by operation, including create, write, delete, set, and rename.

Hide Query

Show Query

Bar Chart
File Vantage Alerts by Platform Displays a list of file vantage alerts by platform.

Hide Query

Show Query

Pie Chart
File Vantage Alerts by File Name

Hide Query

Show Query

Pie Chart
File Integrity Alerts by Object Displays a list of file integrity alerts by object, including, 'file', 'folder', 'value', and 'key'.

Hide Query

Show Query

Bar Chart
Hash Search
WidgetDescriptionType
File Execution Details (Specify FileName or SHA256) Displays a list of file execution details by file name or SHA256 and limits results to the first 20,000 entries.

Hide Query

Show Query

Table
File Execution by Host

Hide Query

Show Query

Pie Chart
File Written by Hosts Displays a pie chart of files written by hosts, limited to the first 25 entries.

Hide Query

Show Query

Pie Chart
File Written Details (Specify ComputerName) This widget only shows result if a ComputerName is specified)

Hide Query

Show Query

Table
Written on Distinct Hosts Displays a list of files written on distinct hosts.

Hide Query

Show Query

Single Value
Execution Activity Displays a chart of execution activity.

Hide Query

Show Query

Time Chart
Execution History (Specify FileName or SHA256) Display a table of execution history including execution date/time and file name, organizes it by host, and limits to the top 199 entries. Note that this query will only return results if at least one of ?FileName or ?SHA256 is specified.

Hide Query

Show Query

Table
Number of Hosts Executing a Suspicious Program Displays the number of hosts executing a specific program that have been identified as suspicious.

Hide Query

Show Query

Single Value
Unique Host Executions

Hide Query

Show Query

Time Chart
Workflow Note # Workflow Start by entering a file name or a SHA256 to see results for 'Execution History', File Execution Details', and 'File Written Details'. Note
Host Search
WidgetDescriptionType
Services Started Displays a table of services started on Windows platform and limits results to the first 200 entries.

Hide Query

Show Query

Table
Network Connection Destinations Displays a world map of network connection destinations by IP address.

Hide Query

Show Query

World Map
Parent to Child Process Displays a flow chart of the parent file to child file process.

Hide Query

Show Query

Sankey
Listening Ports Displays a table of ports that are listening and associated data, then limits results to the first 200 entries.

Hide Query

Show Query

Table
Top DNS Requests Displays a list of top DNS requests by domain name.

Hide Query

Show Query

Table
Detections: Map Tactic Technique Displays a flow chart of detections by tactic and technique.

Hide Query

Show Query

Sankey
User Logons Displays a table of user logons by type with additional data, then limits results to the first 200 entries.

Hide Query

Show Query

Table
Schedule Tasks Displays a table of scheduled tasks with associated data (username, task name, command data, and arguments).

Hide Query

Show Query

Table
Network Connections Count Displays a list of IP4 network connections.

Hide Query

Show Query

Table
Detections Displays a list of API event detections.

Hide Query

Show Query

Table
Packed Executable Written Displays a list of packed executables that have been written.

Hide Query

Show Query

Single Value
Unique Executables Written Displays a list of unique executables written using SHA256 hash data.

Hide Query

Show Query

Single Value
Processes Displays a table of processes by file name and limits results to the first 200 entries.

Hide Query

Show Query

Table
Host Information Displays a table of host information, including computername, agentversion, etc.)

Hide Query

Show Query

Table
Workflow Note #Workflow Add a non-wildcard value to the aid parameter for the widgets to display results. Note
IP Search
WidgetDescriptionType
IP Summary Displays a table of summarized IP address data.

Hide Query

Show Query

Table
IP Connections by Host Displays a table of IP connections for a given host.

Hide Query

Show Query

Table
IP Connections by Host Displays a chart of IP connections for a given host.

Hide Query

Show Query

Bar Chart
Process and IP Displays a table of target process IDs and IP addresses in descending order and limits results to the first 100 entries.

Hide Query

Show Query

Table
IP Lookup Details (Specify IP to show data) Displays a table of IP address details including computer ID, the first and last lookup, etc. then limits the results to the first 199 entries.

Hide Query

Show Query

Table
Monitor Deployment
WidgetDescriptionType
Active Sensors Displays a list of active sensors on a world map.

Hide Query

Show Query

World Map
Number of Hosts

Hide Query

Show Query

Time Chart
Hosts by Platform Displays a pie chart of hosts by platform.

Hide Query

Show Query

Pie Chart
Hosts by Platform

Hide Query

Show Query

Table
Process Context Events
WidgetDescriptionType
Process - Network Events Displays a table of network events TCP, ICMP, UDP, and IP data.

Hide Query

Show Query

Table
Context Events by Type

Hide Query

Show Query

Pie Chart
Files Written Displays a list of files that have been written.

Hide Query

Show Query

Table
Original Processes Displays a record of an original process from the command line, with an accompanying file name.

Hide Query

Show Query

Table
Files Deleted Displays a list of files that have been deleted by process ID.

Hide Query

Show Query

Table
Destination IPs Display a pie chart of destination IP addresses by type.

Hide Query

Show Query

Pie Chart
DNS Requests Displays a table of DNS requests by domain name.

Hide Query

Show Query

Table
All Context Events Displays a list of all context events by ID.

Hide Query

Show Query

Event List
Image Hash Events Displays a table of image hash events.

Hide Query

Show Query

Table
Workflow Note # Workflow Start by entering a filename. The aid is optional, but will constrain (and speed up) the search if you have it. If you find an interesting process copy the ProcessId and paste it in the parameter above to show the context events below. Note
Threat Hunting
WidgetDescriptionType
Check random ASEPs Displays a list of any found ASEPs.

Hide Query

Show Query

Table
Top Country Destinations

Hide Query

Show Query

Table
Suspicious Leads Displays a table of suspicious lead data.

Hide Query

Show Query

Table
High Entropy Domains Displays a list of high entropy domains using Akamai and limits the results to the first 20 entries.

Hide Query

Show Query

Table
Open Ports

Hide Query

Show Query

Table
Top IP Destinations Displays a table of top IP destinations.

Hide Query

Show Query

Table
Potential Script Obfuscation Script content rated by Shanon entropy to look for randomness as a proxy for obfuscation attempts.

Hide Query

Show Query

Table
Unoriginal Filename

Hide Query

Show Query

Event List
Required Please specify the aid parameter in order to see results for the 'Open Ports' widget. Note