crowdstrike/fdr Dashboards
00 - FDR Package Announcement - Please Read
Widget | Description | Type |
---|---|---|
FDR Package Migration | # Important Changes **This package is being reduced to only include the parser. Please use the crowdstrike/fltr-core package instead.** Instructions for configuring the crowdstrike/fltr-core package can be found here: https://github.com/CrowdStrike/logscale-community-content/wiki/FLTR-Setup-and-Configuration # Migrating Content If you've made modifications to the crowdstrike/fdr package contents and wish to keep them, they can be exported by going to → → in this repo. | Note |
Detections by Instance
Widget | Description | Type |
---|---|---|
Detections by Tactic | Displays a pie chart of event detections. | Pie Chart |
Detection Rate | Displays a chart of events and their detection rate over a one hour timespan. | Time Chart |
Map: Severity > Technique | Displays a flow chart of a system's events, and their severity and technique. | Sankey |
Detections by Severity | Displays a pie chart of detections by severity. | Pie Chart |
Detections by Technique | Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. | Bar Chart |
Detection by Attack | Displays a table of detections by attack. | Table |
Detection: Grandparent File -> Parent File | Displays a flowchart of event detection parent and grandparent files by file name. | Sankey |
Detection: Parent File -> File | Displays a flowchart of detections by parent file and file. | Sankey |
Map: Technique -> Tactic | Displays a flow diagram of technique and tactic data. | Sankey |
Detection Table | Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc., then arranges them in table format. | Table |
Detections by Host | Displays a table of external API event detections by host. | Table |
Detections by User | | Table |
Detections by Type
Widget | Description | Type |
---|---|---|
Detections by Tactic | Displays a pie chart of event detections. | Pie Chart |
Detection Rate | Displays a chart of events and their detection rate over a one hour timespan. | Time Chart |
Map: Severity > Technique | Displays a flow chart of a system's events, and their severity and technique. | Sankey |
Detections by Severity | Displays a pie chart of detections by severity. | Pie Chart |
Detections by Technique | Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. | Bar Chart |
Detection by Attack | Displays a table of detections by attack. | Table |
Detection: Grandparent File -> Parent File | Displays a flowchart of event detection parent and grandparent files by file name. | Sankey |
Detection: Parent File -> File | Displays a flowchart of detections by parent file and file. | Sankey |
Map: Technique -> Tactic | Displays a flow diagram of technique and tactic data. | Sankey |
Detection Table | Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc., then arranges them in table format. | Table |
Detections by Host | Displays a table of external API event detections by host. | Table |
Detections by User | | Table |
Dev - Software Inventory
Widget | Description | Type |
---|---|---|
Product Versions | Displays a pie chart of product versions. | Pie Chart |
Product Names | Displays a chart of an application's associated product and company names. | Bar Chart |
Software Inventory | Displays a table of software inventory and associated data (company name, product name, file version) in descending order. | Table |
Software Companies | Displays a list of software companies and application information. | Bar Chart |
Software Inventory Note | # FDR Requirements This dashboard runs on the secondary FDR data. FDR secondary data is not enabled by default; you may need to submit a ticket to CrowdStrike Support to enable the secondary data feed. You can check whether your data includes secondary data by searching it for: @path = fdrv2* To narrow down the data set, use the CompanyName and then the ProductName drop-down parameters above. | Note |
Domain Search
Widget | Description | Type |
---|---|---|
Domain Lookup Summary | Displays a domain lookup summary with associated data sorted by number of hosts, then limits the results to the first 200 entries. | Table |
Process and Domain Details | Displays a table of specific processes and their domain details from a specific agent ID or ComputerName. | Table |
Number of Hosts Hitting the Domain | Displays the number of distinct hosts hitting the domain. Query results will only be provided if ?DomainName is specified. | Single Value |
Domain Lookups by Host | Displays a list of distinct hosts and the number of lookup requests they made. | Bar Chart |
Domain Lookups by Host (Table) | Displays a list of distinct hosts (by ComputerName) that resolve a specific domain, and how many requests they made. | Table |
Lookup Details | Shows all lookups for a given domain name/pattern. | Table |
Workflow Note | # Process and Domain Details Provide Domain Name and ComputerName (or aid) to display the data. | Note |
Workflow Note | # Domain Lookup and Process Details Provide Domain Name to display the data. You can filter results by aid or Computer Name. | Note |
Workflow Note | # Domain Lookup Summary Displays top domains; enter Domain Name to narrow the search. | Note |
Workflow Note | # Domain Lookups by Host Displays top Hosts hitting the Domain(s). Enter Domain Name to narrow the search. | Note |
File Vantage
Widget | Description | Type |
---|---|---|
File Integrity Alerts by User | Displays a chart of file integrity alerts by user. | Bar Chart |
File Vantage Alerts | | Table |
File Vantage Alerts by Criticality | Displays a list of File Vantage alerts by criticality (Low, Medium, High, and Critical). | Pie Chart |
File Integrity Alerts | Displays a chart of file integrity alerts in a 1 hour timespan. | Time Chart |
File Integrity Alerts by Operation | Displays a list of file integrity alerts by operation, including create, write, delete, set, and rename. | Bar Chart |
File Vantage Alerts by Platform | Displays a list of File Vantage alerts by platform. | Pie Chart |
File Vantage Alerts by File Name | | Pie Chart |
File Integrity Alerts by Object | Displays a list of file integrity alerts by object, including 'file', 'folder', 'value', and 'key'. | Bar Chart |
Hash Search
Widget | Description | Type |
---|---|---|
File Execution Details (Specify FileName or SHA256) | Displays a list of file execution details by file name or SHA256 and limits results to the first 20,000 entries. | Table |
File Execution by Host | | Pie Chart |
File Written by Hosts | Displays a pie chart of files written by hosts, limited to the first 25 entries. | Pie Chart |
File Written Details (Specify ComputerName) | This widget only shows results if a ComputerName is specified. | Table |
Written on Distinct Hosts | Displays the number of distinct hosts the file was written on. | Single Value |
Execution Activity | Displays a chart of execution activity. | Time Chart |
Execution History (Specify FileName or SHA256) | Displays a table of execution history including execution date/time and file name, organizes it by host, and limits results to the top 199 entries. Note that this query will only return results if at least one of ?FileName or ?SHA256 is specified. | Table |
Number of Hosts Executing a Suspicious Program | Displays the number of hosts executing a specific program that has been identified as suspicious. | Single Value |
Unique Host Executions | | Time Chart |
Workflow Note | # Workflow Start by entering a file name or a SHA256 to see results for 'Execution History', 'File Execution Details', and 'File Written Details'. | Note |
Host Search
Widget | Description | Type |
---|---|---|
Services Started | Displays a table of services started on the Windows platform and limits results to the first 200 entries. | Table |
Network Connection Destinations | Displays a world map of network connection destinations by IP address. | World Map |
Parent to Child Process | Displays a flow chart of the parent file to child file process. | Sankey |
Listening Ports | Displays a table of listening ports and associated data, then limits results to the first 200 entries. | Table |
Top DNS Requests | Displays a list of top DNS requests by domain name. | Table |
Detections: Map Tactic Technique | Displays a flow chart of detections by tactic and technique. | Sankey |
User Logons | Displays a table of user logons by type with additional data, then limits results to the first 200 entries. | Table |
Schedule Tasks | Displays a table of scheduled tasks with associated data (username, task name, command data, and arguments). | Table |
Network Connections Count | Displays a list of IPv4 network connections. | Table |
Detections | Displays a list of API event detections. | Table |
Packed Executable Written | Displays the number of packed executables that have been written. | Single Value |
Unique Executables Written | Displays the number of unique executables written, based on SHA256 hash data. | Single Value |
Processes | Displays a table of processes by file name and limits results to the first 200 entries. | Table |
Host Information | Displays a table of host information, including computername, agentversion, etc. | Table |
Workflow Note | # Workflow Add a non-wildcard value to the aid parameter for the widgets to display results. | Note |
IP Search
Widget | Description | Type |
---|---|---|
IP Summary | Displays a table of summarized IP address data. | Table |
IP Connections by Host | Displays a table of IP connections for a given host. | Table |
IP Connections by Host | Displays a chart of IP connections for a given host. | Bar Chart |
Process and IP | Displays a table of target process IDs and IP addresses in descending order and limits results to the first 100 entries. | Table |
IP Lookup Details (Specify IP to show data) | Displays a table of IP address details including computer ID, the first and last lookup, etc., then limits the results to the first 199 entries. | Table |
Monitor Deployment
Widget | Description | Type |
---|---|---|
Active Sensors | Displays a list of active sensors on a world map. | World Map |
Number of Hosts | | Time Chart |
Hosts by Platform | Displays a pie chart of hosts by platform. | Pie Chart |
Hosts by Platform | | Table |
Process Context Events
Widget | Description | Type |
---|---|---|
Process - Network Events | Displays a table of network events (TCP, ICMP, UDP, and IP data). | Table |
Context Events by Type | | Pie Chart |
Files Written | Displays a list of files that have been written. | Table |
Original Processes | Displays a record of an original process from the command line, with an accompanying file name. | Table |
Files Deleted | Displays a list of files that have been deleted, by process ID. | Table |
Destination IPs | Displays a pie chart of destination IP addresses by type. | Pie Chart |
DNS Requests | Displays a table of DNS requests by domain name. | Table |
All Context Events | Displays a list of all context events by ID. | Event List |
Image Hash Events | Displays a table of image hash events. | Table |
Workflow Note | # Workflow Start by entering a filename. The aid is optional, but will constrain (and speed up) the search if you have it. If you find an interesting process, copy the ProcessId and paste it in the parameter above to show the context events below. | Note |
Threat Hunting
Widget | Description | Type |
---|---|---|
Check random ASEPs | Displays a list of any found ASEPs. | Table |
Top Country Destinations | | Table |
Suspicious Leads | Displays a table of suspicious lead data. | Table |
High Entropy Domains | Displays a list of high entropy domains using Akamai and limits the results to the first 20 entries. | Table |
Open Ports | | Table |
Top IP Destinations | Displays a table of top IP destinations. | Table |
Potential Script Obfuscation | Script content rated by Shannon entropy to look for randomness as a proxy for obfuscation attempts. | Table |
Unoriginal Filename | | Event List |
Required | Please specify the aid parameter in order to see results for the 'Open Ports' widget. | Note |