crowdstrike/fltr-core Dashboards

Audit - Falcon UI Logs

Widget	Description	Type
Top UserId -> OperationName	Displays a list of user IDs and an audit of their activity by operation name. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| groupBy(UserId, function=(top(OperationName, limit=20)), limit=10) \| sankey(source="UserId", target="OperationName", weight=count(OperationName, distinct=true))	`Sankey`
Top Users and Operations	Displays a heat map of top users and their operations and timestamp using IP locations data. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="Yes") \| UserId=/@/ ; test(?IncludeInternalUsers=="No") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| groupBy([UserId, OperationName], function=count(OperationName), limit=max) \| _count > 2	`Heat Map`
Top Operations	Displays a pie chart of the top 5 operations and their IP location. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| top(OperationName, limit=5)	`Pie Chart`
Top OperationName -> ServiceName	Displays a flowchart of the top operation names to their respective service name. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| groupBy(OperationName, function=(top(ServiceName, limit=20)), limit=10) \| sankey(source="OperationName", target="ServiceName", weight=count(ServiceName, distinct=true))	`Sankey`
Top Services	Displays a pie chart of the top 5 event services and associated data. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| top(ServiceName, limit=5)	`Pie Chart`
Top Users by Activity	Displays a pie chart of the top 5 users by activity. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| top(UserId, limit=5)	`Pie Chart`
Audit Details	Displays a table of audit events and their details. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } // Grab additional values. \| join( { #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent UserActivityAuditEvent \| OperationName=detection_update }, field=DetectId, key=Attributes.detection_id, mode=left, include=["Attributes.new_state", "Attributes.assigned_to_uid"], limit=100000 ) // Rename fields. \| AssignedTo:=rename(Attributes.assigned_to_uid) \| NewState:=rename(Attributes.new_state) // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country, AssignedTo, NewState], value="N/A", replaceEmpty=true) // Display the output. \| table([TimeUTC, UserId, ServiceName, OperationName, UserIp, UserIp.city, UserIp.country, DetectId, AssignedTo, NewState], limit=1000)	`Table`
User Activity	Displays a chart of user activity and associated data by user ID then limits results to the first 10 entries. Hide Query Show Query logscale // Search for audit events. #event_simpleName!=* OR #streamingApiEvent=Event_UserActivityAuditEvent \| ExternalApiType=Event_UserActivityAuditEvent \| wildcard(field=CustomerIdString, pattern=?CustomerIdString, ignoreCase=true) \| wildcard(field=ServiceName, pattern=?ServiceName, ignoreCase=true) \| wildcard(field=OperationName, pattern=?OperationName, ignoreCase=true) \| case { test(?IncludeInternalUsers=="No") \| UserId=/@/ ; test(?IncludeInternalUsers=="Yes") \| wildcard(field=UserId, pattern=?UserId, ignoreCase=true) ; } \| UserId:=lower(?UserId) // Do an IP location on the field, otherwise set default values. \| ipLocation(UserIp) \| default(field=[UserIp, UserIp.city, UserIp.country], value="N/A") // Convert and format the timestamp. \| UTCTimestamp:=UTCTimestamp*1000 \| TimeUTC:=formatTime("%Y-%m-%d %H:%M:%S.%L", field=UTCTimestamp, locale=en_US, timezone=Z) // Display the output. \| timeChart(UserId, function=count(), limit=10)	`Time Chart`

Detections - By AgentId

Widget	Description	Type
Detections by Tactic	Displays a pie chart of event detections. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Displays a chart of events and their detection rate over a one hour timespan. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Displays a flow chart of a system's events, and their severity and technique. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Displays a pie chart of detections by severity. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Displays a table of detections by attack. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Displays a flowchart of event detection parent and grandparent files by file name. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Displays a flowchart of detections by parent file and file. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Displays a flow diagram of technique and tactic data. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Displays a table of external API event detections by host. Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Displays a table of event detections by user. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Detections - By Alert Type

Widget	Description	Type
Detections by Tactic	Displays a pie chart of event detections. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Tactic, as="#events")`	`Pie Chart`
Detection Rate	Displays a chart of events and their detection rate over a one hour timespan. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| timechart(span=1h, function=count()) \| rename(_count, as="#events")`	`Time Chart`
Map: Severity -> Technique	Displays a flow chart of a system's events, and their severity and technique. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Technique, source=SeverityName)`	`Sankey`
Detections by Severity	Displays a pie chart of detections by severity. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(SeverityName)`	`Pie Chart`
Detections by Technique	Displays a chart of API event detections by technique, organized by computer name, agent ID, and customer ID. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(Technique, as="#events")`	`Bar Chart`
Detection by Attack	Displays a table of detections by attack. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(DetectDescription, as="#events")`	`Table`
Detection: Grandparent File -> Parent File	Displays a flowchart of event detection parent and grandparent files by file name. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=ParentImageFileName, source=GrandparentImageFileName)`	`Sankey`
Detection: Parent File -> File	Displays a flowchart of detections by parent file and file. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=FileName, source=ParentImageFileName)`	`Sankey`
Map: Technique -> Tactic	Displays a flow diagram of technique and tactic data. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
Detection Table	Displays a summary of detected events based on Agent and Customer ID by username, file path, file name, severity, tactic, technique, etc then arranges them in table format. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| table([ComputerName, UserName, DetectName, FilePath, FileName, SeverityName, Tactic, Technique, DetectDescription])`	`Table`
Detections by Host	Displays a table of external API event detections by host. Hide Query Show Query logscale `not "#event_simpleName" = * \| EventType = "Event_ExternalApiEvent" \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(ComputerName, as="#events")`	`Table`
Detections by User	Displays a table of event detections by user. Hide Query Show Query logscale `not "#event_simpleName" = * \| ExternalApiType = "Event_DetectionSummaryEvent" \| ComputerName = ?ComputerName AND AgentIdString = ?aid AND CustomerIdString = ?cid \| top(UserName, as="#events")`	`Table`

Detections - Event Summary

Widget	Description	Type
Total Endpoints	Unique Falcon Agent ID values with endpoint detections. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| count(AgentIdString, distinct=true, as="Total Endpoints")`	`Single Value`
Falcon Actions	Number of preventions versus detections issued by Falcon. This directly correlates with the configured prevention policy for the target endpoint. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| PatternDispositionDescription=/(?<preventStatus>^(Prevention\|Detection))(\,\|\/).*/i \| groupBy("preventStatus", limit=100)`	`Bar Chart`
Top Subnets with Endpoint Detections	Displays a table of top subnets and their associated endpoint detections then limits results to the first 100 entries. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| LocalIP=/(?<endpointSubnet>\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}/i \| endpointSubnet!="" \| top(endpointSubnet, limit=100) \| count:=rename(_count)	`Table`
Top Users with Endpoint Detections	Displays a table of top users with endpoint detections by username and severity in descending order, then limits the results to the first 100 entries. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| UserName!="N/A" \| groupBy(UserName, function=[count(DetectId, distinct=true, as=count), sum(Severity, as=SeveritySum)], limit=max) \| sort(SeveritySum, order=desc, limit=100)	`Table`
Detections by Severity	Detection count by maximum severity. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| wildcard(field=SeverityName, pattern=?SeverityName, ignoreCase=true) \| groupby(SeverityName, limit=max)`	`Pie Chart`
Top Endpoint Detections by Severity Weight	Displays a table of API endpoint security detections by severity weight and limits results to the first 100 entries. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| DetectId=/\S+\:(?<aid>\S+)\:(?<detectID>\S+)$/i \| format("[Detection Link](%s)", field=FalconHostLink, as="Falcon UI Link") \| groupBy([aid, DetectId], function=([sum(Severity, as=SeveritySum), collect([ComputerName, detectID, "Falcon UI Link", SeverityName])]), limit=max) \| table([aid, ComputerName, detectID, SeverityName, SeveritySum, "Falcon UI Link"], limit=100, sortby=SeveritySum)	`Table`
Top Machine Domains with Endpoint Detections	Displays a table of top machine domains with endpoint detections and limits results to the first 100 entries. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| MachineDomain!="" \| top(MachineDomain, limit=100) \| count:=rename(_count)`	`Table`
Total Detections	Total number of unique endpoint detections. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| count(DetectId, distinct=true, as="Total Detections")`	`Single Value`
Total Behaviors	Total number of behaviors detected (note: a single detection can contain multiple behaviors). Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| count(AgentIdString, as="Total Behaviors")`	`Single Value`
Potential Preventions	Actions Falcon would have blocked had the requisite prevention policy setting been enabled. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| PatternDispositionDescription=/would\shave/i \| count(DetectId)`	`Single Value`
Falcon Action by Severity	Falcon action taken by detection severity. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| wildcard(field=MachineDomain, pattern=?MachineDomain, ignoreCase=true) \| PatternDispositionDescription=/(?<preventStatus>^(Prevention\|Detection))(\,\|\/).*/i \| sankey(source="preventStatus", target="SeverityName", weight=count(DetectId, distinct=true))	`Sankey`

Detections - File Vantage

Widget	Description	Type
File Integrity Alerts by User	Displays a chart of file integrity alerts by user. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| top(UserName, as="#alerts")`	`Bar Chart`
File Vantage Alerts	Displays a table of file vantage alerts and associated data. Hide Query Show Query logscale "#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| table([@timestamp,PolicyRuleSeverity, aid, UID, UserName, CommandLine, ImageFileName, ObjectChanged, ObjectOperation, ObjectName, ObjectNameNew])	`Table`
File Vantage Alerts by Criticality	Displays a list of File Vantage alerts by criticality (Low, Medium, High, and Critical). Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { PolicyRuleSeverity=1 \| Severity := "Low"; PolicyRuleSeverity=2 \| Severity := "Medium"; PolicyRuleSeverity=3 \| Severity := "High"; PolicyRuleSeverity=4 \| Severity := "Critical"; } \| groupBy(Severity)`	`Pie Chart`
File Integrity Alerts	Displays a chart of file integrity alerts in a 1 hour timespan. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| timechart(span=1h, function=count()) \| rename(_count, as="#alerts")`	`Time Chart`
File Integrity Alerts by Operation	Displays a list of file integrity alerts by operation, including create, write, delete, set, and rename. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectAccessOperationType = 1 \| ObjectOperation:= "Create"; ObjectAccessOperationType = 2 \| ObjectOperation:= "Write"; ObjectAccessOperationType = 3 \| ObjectOperation:= "Delete"; ObjectAccessOperationType = 4 \| ObjectOperation:= "Set"; ObjectAccessOperationType = 5 \| ObjectOperation:= "Rename";} \| groupBy(ObjectOperation) \| rename(_count, as="#alerts")`	`Bar Chart`
File Vantage Alerts by Platform	Displays a list of file vantage alerts by platform. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched \| groupBy(event_platform)`	`Pie Chart`
File Vantage Alerts by File Name	Displays a pie chart of file vantage alerts by file name. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w)$/ \| top(FileName, as="#alerts")`	`Pie Chart`
File Integrity Alerts by Object	Displays a list of file integrity alerts by object, including, 'file', 'folder', 'value', and 'key'. Hide Query Show Query logscale `"#event_simpleName"=FileIntegrityMonitorRuleMatched AND event_platform=?Platform \| case { ObjectType=1 \| ObjectChanged:= "File"; ObjectType=2 \| ObjectChanged:= "Folder"; ObjectType=3 \| ObjectChanged:= "Value"; ObjectType=4 \| ObjectChanged:= "Key";} \| groupBy(ObjectChanged) \| rename(_count, as="#alerts")`	`Bar Chart`

Detections - MITRE ATT&CK Evaluation

Widget	Description	Type
Tactic by Time	Displays a list of external API events and detection tactics over time and organized by agent ID. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy([Tactic, @timestamp], function=count(AgentIdString, as="DetectionCount"), limit=max) \| bucket(field="Tactic", buckets=42, limit=50)`	`Heat Map`
Top 25 Endpoints by Tactic	Displays a table of the top 25 endpoints by tactic. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| top([ComputerName, Tactic], limit=25) \| rename("_count", as="Detection Count")`	`Table`
Tactic Distribution	Displays a pie chart of tactic distribution. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy(Tactic, function=count(AgentIdString, as="DetectionCount"), limit=max)`	`Pie Chart`
Technique Distribution	Displays a list of events that summarize detection techniques by user ID. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy(Technique, function=count(AgentIdString, as="DetectionCount"), limit=max)`	`Pie Chart`
Tactic to Technique - Weighted by Severity	Displays a flow chart of event tactics and their associated technique, weighted by severity. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy([Tactic, Technique, Severity], function=count(AgentIdString, as="Weight"), limit=max) \| Weight:=Weight*Severity \| drop(Severity) \| sankey(source="Tactic", target="Technique", weight=sum(Weight))`	`Sankey`
Top 25 Endpoints by Technique	Displays a table of the top 25 API endpoints by technique and limits the results to the first 25 entries. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| top([ComputerName, Technique], limit=25) \| rename("_count", as="Detection Count")`	`Table`
Heatmap by Tactic and Technique	Displays a heat map by severity of tactic and technique data . Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy([Tactic, Technique, Severity], function=count(AgentIdString, as="Weight"), limit=max) \| Weight:=Weight*Severity \| drop(Severity)`	`Heat Map`
Top 25 Triggering Files by Tactic and Technique	Displays a table of the top 25 triggering files by tactic and technique and limits results to the first 25 entries. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| top([FileName, Tactic, Technique], limit=25) \| rename("_count", as="Detection Count")`	`Table`
Top 25 Tactic and Technique Combinations	Displays a list of tactic and technique combinations and limits them to the top 25 entries. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| top([Tactic, Technique], limit=25) \| rename("_count", as="Detection Count")`	`Table`
Tactic and Technique - Stacked	Displays a bar chart of external events and their tactic and technique data. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent \| ExternalApiType=Event_DetectionSummaryEvent \| Tactic!=/(^custom\|machine\slearning)/i Tactic!="" Technique=* \| groupBy([Tactic, Technique], function=count(AgentIdString, as="Weight"), limit=max) \| Weight:=Weight*Severity \| drop(Severity)`	`Bar Chart`

Health - Cloud Workload Protection

Widget	Description	Type
Pod Service Account Names	Displays a table of pod service account names. Hide Query Show Query logscale `#event_simpleName=PodInfo \| count(PodServiceAccountName, distinct=true)`	`Single Value`
Pod Detections by Name	Displays a pie chart of Kubernetes pod detections by name. Hide Query Show Query logscale `#kind=Primary #event_simpleName!=* \| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent \| groupBy(detectionName, limit=max)`	`Pie Chart`
Pod Detections by Severity	Displays a pie chart of Kubernetes pod detections by severity. Hide Query Show Query logscale `#kind=Primary #event_simpleName!=* \| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent \| groupBy(severity, limit=max)`	`Pie Chart`
Pod Namespaces	Displays a list of pod namespaces. Hide Query Show Query logscale `#event_simpleName=PodInfo \| count(field=PodNamespace, distinct=true)`	`Single Value`
Sensor List	Displays a table of sensors and limits results to the first 20,000 entries. Hide Query Show Query logscale `#event_simpleName=PodInfo \| join({#event_simpleName=OsVersionInfo}, field=aid, include=AgentVersion, limit=200000) \| groupBy(aid, function=selectLast([AgentVersion, PodName, PodNamespace, PodHostname]), limit=max)`	`Table`
Pod Detections	Displays a list of events in a user's Kubernetes pod. Hide Query Show Query logscale `#kind=Primary #event_simpleName!=* \| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent \| count(detectionName)`	`Single Value`
Sensor Locations	Displays a world map of sensor locations using pod information. Hide Query Show Query logscale `#event_simpleName=PodInfo \| worldMap(ip=aip, magnitude=count(aid))`	`World Map`
Detection Events	Displays a table of Kubernetes detection events with severity data and detection names then limits results to the first 1000 entries. Hide Query Show Query logscale `#kind=Primary #event_simpleName!=* \| eventType=K8SDetectionEvent OR EventType=K8SDetectionEvent \| "Detection Type":=format("%-18s %s", field=[severity, detectionName]) \| groupBy(resourceName, function=[collect(["Detection Type", clusterName], limit=1000), count(as="Total Events")], limit=max) \| sort("Total Events", limit=10000)`	`Table`
Linux Kernel Versions	Displays a list of OS version information and Linux kernel versions and sets the limit of entries to maximum. Hide Query Show Query logscale `#event_simpleName=PodInfo \| join({#event_simpleName=OsVersionInfo}, field=aid, include=OSVersionString, limit=200000) \| groupBy(aid, function=selectLast(OSVersionString), limit=max) \| OSVersionString = /^Linux\s(?<hostName>\S+)\s(?<kernelVersion>\S+)\s/i \| kernelVersion=/(?<kernelBranch>\d+\.\d+)\./ \| groupBy("kernelBranch", limit=max)`	`Bar Chart`
Total Pods	Displays the total number of pods. Hide Query Show Query logscale `#event_simpleName=PodInfo \| count(aid, distinct=true)`	`Single Value`

Health - Inventory of Installed Software

Widget	Description	Type
Product Versions	Displays a pie chart of product versions. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductVersion], as="count")`	`Pie Chart`
Product Names	Displays a chart of an application's associated product and company names. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| top([ProductName], as="count")`	`Bar Chart`
Software Inventory	Displays a table of software inventory and associated data (company name, product name, file version) in descending order. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| ProductName = ?ProductName \| groupBy([CompanyName, FileDescription, FileName, FileVersion, ProductName, ProductVersion], limit=max) \| rename(_count, as="count") \| sort([count,CompanyName, ProductName, FileVersion], order=desc)`	`Table`
Software Companies	Displays a list of software companies and application information. Hide Query Show Query logscale `#kind = "Secondary" SecondaryEventType = "appinfo" \| CompanyName = ?CompanyName \| top([CompanyName], as="count")`	`Bar Chart`

Health - Linux Sensors

Widget	Description	Type
Linux Sensor Status	Displays a pie chart of Linux sensor status by category including 'user mode', 'kernel mode', and 'RFM'. Hide Query Show Query logscale #event_simpleName=/^(OsVersionInfo\|ConfigStateUpdate\|SensorHeartbeat\|AgentOnline)$/ \| event_platform=Lin \| groupBy([cid, aid], function=([selectLast([ConfigStateData, OSVersionString, SensorStateBitMap, AgentVersion])]), limit=max) \| ConfigStateData match { /1400000000c4/ => isInUserMode:="1" ; * => isInUserMode:="0" ; } \| SensorStateBitMap match { 2 => isInRFM:="1" ; 0 => isInRFM:="0" ; } \| regex(regex="(?<VersionFamily>\\d+\\.\\d+)\\.", field=AgentVersion) \| case { test(VersionFamily >= 6.54) \| case { isInUserMode=1 isInRFM=1 \| Status:="RFM" ; isInUserMode=1 isInRFM=0 \| Status:="User Mode" ; isInUserMode=0 isInRFM=0 \| Status:="Kernel Mode" ; isInUserMode=0 isInRFM=1 \| Status:="RFM" ; } ; test(VersionFamily < 6.54) \| case { isInUserMode=1 isInRFM=1 \| Status:="User Mode" ; isInUserMode=0 isInRFM=0 \| Status:="Kernel Mode" ; isInUserMode=0 isInRFM=1 \| Status:="RFM" ; } ; * \| Status := "Unknown" ; } \| groupBy("Status", function=(count(aid, as="Count")), limit=max)	`Pie Chart`
Pod Namespaces	Displays a list of pod namespaces. Hide Query Show Query logscale `#event_simpleName=PodInfo \| count(field=PodNamespace, distinct=true)`	`Single Value`
Sensor List	Displays a table of sensors and limits results to the first 20,000 entries. Hide Query Show Query logscale `#event_simpleName=PodInfo \| join({#event_simpleName=OsVersionInfo}, field=aid, include=AgentVersion, limit=200000) \| groupBy(aid, function=selectLast([AgentVersion, PodName, PodNamespace, PodHostname]), limit=max)`	`Table`
Endpoints with Root Logons	Displays a table of endpoints with root logons then limits results to the first 1000 entries. Hide Query Show Query logscale `#event_simpleName=UserLogon \| event_platform=Lin UID=0 \| $"crowdstrike/fltr-core:zComputerName"() \| case { LogonType=2 \| LogonType:="Interactive" ; LogonType=10 \| LogonType:="SSH" ; * ; } \| groupBy([aid, ComputerName], function=([count(aid, as="Logon Count"), collect(LogonType, limit=1000)]), limit=max)`	`Table`
Linux Sensors in RFM	Displays a list of Linux sensors in RFM. Hide Query Show Query logscale `#event_simpleName=/^(OsVersionInfo\|ConfigStateUpdate\|SensorHeartbeat)$/ \| event_platform=Lin \| groupBy([cid, aid], function=([selectLast([ConfigStateData, OSVersionString, SensorStateBitMap])]), limit=max) \| ConfigStateData match { /1400000000c4/ => isInUserMode:="1" ; * => isInUserMode:="0" ; } \| SensorStateBitMap match { 2 => isInRFM:="1" ; 0 => isInRFM:="0" ; } \| isInRFM=1 AND isInUserMode=0 \| count(aid, distinct=true)`	`Single Value`
Top 10 SSH Destinations	Creates a table that details the top 10 SSH destinations by country and city. Hide Query Show Query logscale #event_simpleName=UserLogon \| event_platform=Lin LogonType=10 \| ipLocation(RemoteAddressIP4) \| Location:=format(format="%s, %s", field=[RemoteAddressIP4.country, RemoteAddressIP4.city]) \| case { Location="null, null" \| Location:="-" ; * ; } \| $"crowdstrike/fltr-core:zComputerName"() \| groupBy(["RemoteAddressIP4"], function=([count(aid, as="Connection Count"), collect([Location, ComputerName, LocalAddressIP4, aid], limit=1000)]), limit=10) \| "Destination SSH":=rename("RemoteAddressIP4") \| table([aid, ComputerName, Location, LocalAddressIP4, "Destination SSH", "Connection Count"], sortby="Connection Count", limit=1000)	`Table`
Sensor Locations	Displays a world map of sensor locations using pod information. Hide Query Show Query logscale `#event_simpleName=PodInfo \| worldMap(ip=aip, magnitude=count(aid))`	`World Map`
Linux Kernel Versions	Displays a list of OS version information and Linux kernel versions and sets the limit of entries to maximum. Hide Query Show Query logscale `#event_simpleName=PodInfo \| join({#event_simpleName=OsVersionInfo}, field=aid, include=OSVersionString, limit=200000) \| groupBy(aid, function=selectLast(OSVersionString), limit=max) \| OSVersionString = /^Linux\s(?<hostName>\S+)\s(?<kernelVersion>\S+)\s/i \| kernelVersion=/(?<kernelBranch>\d+\.\d+)\./ \| groupBy("kernelBranch", limit=max)`	`Bar Chart`
Top 10 Listening Ports	Displays a list of the top 10 listening ports in ascending order. Hide Query Show Query logscale `#event_simpleName=NetworkListenIP4 \| event_platform=Lin \| $"crowdstrike/fltr-core:zComputerName"() \| groupBy([aid, ComputerName, FileName, LocalAddressIP4, LocalPort], limit=max) \| match(file="crowdstrike/fltr-core/service-names-port-numbers.csv", field=LocalPort, include=ServiceName, ignoreCase=true, strict=false) \| sort(field=LocalPort, order=asc, limit=10) \| drop(_count)`	`Table`
Total Pods	Displays the total number of pods. Hide Query Show Query logscale `#event_simpleName=PodInfo \| count(aid, distinct=true)`	`Single Value`

Health - Monitor Deployment

Widget	Description	Type
Active Sensors	Displays a list of active sensors on a world map. Hide Query Show Query logscale `#event_simpleName="AgentOnline" \| worldMap(ip=aip)`	`World Map`
Number of Hosts	Displays a chart of the number of hosts online in a 6 hour timespan. Hide Query Show Query logscale `"#event_simpleName"=AgentOnline \| timechart(span=6h,function=count(field=aid,distinct=true)) \| rename(_count, as="#hosts")`	`Time Chart`
Hosts by Platform	Displays a pie chart of hosts by platform. Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true), limit=max)`	`Pie Chart`
Hosts by Platform	Displays a table of hosts by platform. Hide Query Show Query logscale `#kind=Secondary \| SecondaryEventType=aidmaster \| GroupBy(event_platform, function=count(field=aid, distinct=true, as="#hosts"))`	`Table`

OS - Windows Account Discovery

Widget	Description	Type
Windows net Usage by Flag (Sankey)	Displays a flowchart of Windows net usage by flag. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| event_platform=Win \| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i \| CommandLine=/\s+(?<netFlag>ACCOUNTS\|COMPUTER\|CONFIG\|CONTINUE\|FILE\|GROUP\|HELP\|HELPMSG\|LOCALGROUP\|NAME\|PAUSE\|PRINT\|SEND\|SESSION\|SHARE\|START\|STATISTICS\|STOP\|TIME\|USE\|USER\|VIEW)\s+/i \| netFileName:=lower("netFileName") \| netFlag:=lower(netFlag) \| sankey(source="netFileName", target="netFlag", weight=count(aid))`	`Sankey`
[T1087.002] Account Discovery - Domain Account	Displays a table of account discovery - domain account instances and associated data. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 \| event_platform=Win \| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i \| CommandLine=/\s+(?<netFlag>(GROUP\|USER))\s+/i \| CommandLine=/\/domain/i \| $"crowdstrike/fltr-core:zComputerName"() \| $"crowdstrike/fltr-core:zUrlFalconPid"() \| $"crowdstrike/fltr-core:zUrlFalconAid"() \| ProcessStartTime:=ProcessStartTime*1000 \| "Endpoint Time (UTC)":=formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z) \| table(["Endpoint Time (UTC)", aid, ComputerName, "Host Search", UserSid, "User Search", netFileName, netFlag, CommandLine, "Process Explorer", "Graph Explorer", "Spotlight", "RTR"], limit=1000)	`Table`
Windows Net Flag Usage by Week	Displays a chart of Windows net flag usage by week. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| event_platform=Win \| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i \| CommandLine=/\s+(?<netFlag>ACCOUNTS\|COMPUTER\|CONFIG\|CONTINUE\|FILE\|GROUP\|HELP\|HELPMSG\|LOCALGROUP\|NAME\|PAUSE\|PRINT\|SEND\|SESSION\|SHARE\|START\|STATISTICS\|STOP\|TIME\|USE\|USER\|VIEW)\s+/i \| netFileName:=lower("netFileName") \| netFlag:=lower(netFlag) \| timeChart(netFlag, function=count(aid))`	`Time Chart`
[T1087.001] Account Discovery - Local Account	Displays a table of local accounts using account discovery sub-technique T1087.001 and associated data. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 \| event_platform=Win \| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i \| CommandLine=/\s+(?<netFlag>(LOCALGROUP\|USER))\s+/i \| CommandLine!=/\/domain/i \| $"crowdstrike/fltr-core:zComputerName"() \| $"crowdstrike/fltr-core:zUrlFalconPid"() \| $"crowdstrike/fltr-core:zUrlFalconAid"() \| ProcessStartTime:=ProcessStartTime*1000 \| "Endpoint Time (UTC)":=formatTime("%Y-%m-%d %H:%M:%S", field=ProcessStartTime, locale=en_US, timezone=Z) \| table(["Endpoint Time (UTC)", aid, ComputerName, "Host Search", UserSid, "User Search", netFileName, netFlag, CommandLine, "Process Explorer", "Graph Explorer", "Spotlight", "RTR"], limit=1000) \| drop(["aid", UserSid])	`Table`
Windows net Usage by Flag	Displays a heat map of Windows net usage by flag. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| event_platform=Win \| ImageFileName=/\\(?<netFileName>net1?\.exe$)/i \| CommandLine=/\s+(?<netFlag>ACCOUNTS\|COMPUTER\|CONFIG\|CONTINUE\|FILE\|GROUP\|HELP\|HELPMSG\|LOCALGROUP\|NAME\|PAUSE\|PRINT\|SEND\|SESSION\|SHARE\|START\|STATISTICS\|STOP\|TIME\|USE\|USER\|VIEW)\s+/i \| netFileName:=lower("netFileName") \| netFlag:=lower(netFlag) \| groupBy([netFileName, netFlag], limit=max)`	`Heat Map`

OS - Windows User Logon Activity

Widget	Description	Type
Avg Password Age	Displays the average password age of a user in days. Hide Query Show Query logscale `#event_simpleName=UserLogon \| event_platform=Win \| UserSid="S-1-5-21-" \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true) \| passwordAge:=(now()-(PasswordLastSet1000))/1000/60/60/24 \| passwordAgeDays:=round("passwordAge") \| $"crowdstrike/fltr-core:zLogonTypeName"() \| passwordAgeDays:=avg("passwordAgeDays") \| round("passwordAgeDays")`	`Single Value`
Logon Trends by Logon Type	Displays a chart of logon trends by logon type. Hide Query Show Query logscale `#event_simpleName=UserLogon \| event_platform=Win \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true) \| $"crowdstrike/fltr-core:zLogonTypeName"() \| timeChart(LogonTypeName, function=count(UserSid))`	`Time Chart`
Logon Table	Displays a table of logons by user ID and age of password. Hide Query Show Query logscale #event_simpleName=UserLogon \| event_platform=Win \| UserSid="S-1-5-21-" \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true) \| passwordAge:=(now()-(PasswordLastSet1000))/1000/60/60/24 \| passwordAgeDays:=round("passwordAge") \| $"crowdstrike/fltr-core:zLogonTypeName"() \| case { UserIsAdmin="0" \| UserIsAdmin:="No" ; UserIsAdmin="1" \| UserIsAdmin:="Yes" ; * ; } \| case { RemoteAccount="0" \| RemoteAccount:="No" ; RemoteAccount="1" \| RemoteAccount:="Yes" ; * ; } \| LogonTime:=LogonTime*1000 \| LogonTime:=formatTime("%Y-%m-%d %H:%M:%S", field=LogonTime, locale=en_US, timezone=Z) \| table([LogonTime, ClientComputerName, UserName, passwordAgeDays, UserSid, LogonTypeName, LogonDomain, LogonServer, RemoteAccount, UserIsAdmin], limit=1000)	`Table`
Stale Passwords	Passwords over 365 days old. Hide Query Show Query logscale `#event_simpleName=UserLogon \| event_platform=Win \| UserSid="S-1-5-21-" \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true) \| passwordAge:=(now()-(PasswordLastSet1000))/1000/60/60/24 \| passwordAgeDays:=round("passwordAge") \| $"crowdstrike/fltr-core:zLogonTypeName"() \| passwordAgeDays>365 \| count(UserSid, distinct=true)`	`Single Value`
RDP Connections by Destination IP	Create a map of RDP connections of users based on their destination IP address. Hide Query Show Query logscale `#event_simpleName=UserLogon \| LogonType=10 \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| RemoteAddressIP4=* \| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"]) \| ipLocation(RemoteAddressIP4) \| worldMap(ip=RemoteAddressIP4, magnitude=count(aid))`	`World Map`
SID Collisions	Displays a list of SID collisions by user ID and limits results to the first 1000 entries. Hide Query Show Query logscale `#event_simpleName=UserLogon \| event_platform=Win UserSid=/^S\-1\-5\-21\-.*/ \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| wildcard(field=LogonType, pattern=?LogonType, ignoreCase=true) \| lowercase("UserName") \| groupby(UserSid, function=([count(UserName, distinct=true), collect(UserName, limit=1000)]), limit=max) \| _count>1 \| count(UserSid)`	`Single Value`
Endpoint Location by External IP	Displays a world map of endpoint locations by external IP. Hide Query Show Query logscale `#event_simpleName=UserLogon \| LogonType=2 \| wildcard(field=UserIsAdmin, pattern=?UserIsAdmin, ignoreCase=true) \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) \| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"]) \| ipLocation(aip) \| worldMap(ip=aip, magnitude=count(aid))`	`World Map`

Search - Acquire Host Details

Widget	Description	Type
Firewall Rules Set	Displays a table of set firewall rules and associated data (name, protocol, computer name, app name, direction, profile, etc.) Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=FirewallSetRule \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("App=(?<App>(.?))\\|", field=FirewallRule, strict=false) \| regex("Action=(?<Action>(.?))\\|", field=FirewallRule, strict=false) \| regex("Active=(?<Active>(.?))\\|", field=FirewallRule, strict=false) \| regex("Profile=(?<Profile>(.?))\\|", field=FirewallRule, strict=false) \| regex("Protocol=(?<Protocol>(.?))\\|", field=FirewallRule, strict=false) \| regex("Dir=(?<Dir>(.?))\\|", field=FirewallRule, strict=false) \| regex("LPort=(?<LPort>(.?))\\|", field=FirewallRule, strict=false) \| regex("RPort=(?<RPort>(.?))\\|", field=FirewallRule, strict=false) \| regex("Desc=(?<Description>(.?))\\|", field=FirewallRule, strict=false) \| regex("Name=(?<Name>(.?))\\|", field=FirewallRule, strict=false) \| regex("(?<FileName>[^\\\]+$)", field=App, strict=false) \| Protocol match { "1" => Protocol:="ICMP" ; "6" => Protocol:="TCP" ; "17" => Protocol:="UDP" ; "58" => Protocol:="IPv6-ICMP" ; * => * ; } \| groupBy([@timestamp, RpcClientProcessId, Name, Protocol, ComputerName, App, Direction, Profile, LPort, RPort, FileName, Direction], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Network Connection Destinations	Displays a world map of network connection destinations by IP address. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| worldMap(ip=RemoteAddressIP4)`	`World Map`
Powershell Activities	Displays a table of PowerShell activities and their associated data, then limits results to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=/^(ProcessRollup2\|SyntheticProcessRollup2)$/ \| ImageFileName=/\\powershell(_ise)?\.exe/i \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false) \| groupBy([@timestamp, ComputerName, UserSid, ParentProcessId, RawProcessId, TargetProcessId, CommandLine, aid], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Cloud Instance Info	Displays a table of cloud instance information then limits results to the first 1000 entries. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=InstanceMetadata \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| kvParse(field=InstanceMetadata, separator=":") \| groupBy([aid, ComputerName, privateIp, accountId, instanceId, instanceType, imageId, availabilityZone], limit=1000) \| drop([_count])`	`Table`
Parent to Child Process	Displays a flow chart of the parent file to child file process. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| sankey(source=ParentBaseFileName, target=ImageFileName)`	`Sankey`
Network Connections	Displays a table of network connections and their details, including timestamp, IP address, port data, etc. and limits results to the first 1000 entries. Hide Query Show Query logscale #cid = ?cid \| #event_simpleName=/^(ProcessRollup2\|NetworkConnectIP4)$/ \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| #event_simpleName match { ProcessRollup2 => pid:=TargetProcessId ; NetworkConnectIP4 => pid:=ContextProcessId ; * => * ; } \| groupBy([aid, pid], function= [ // Extract the path of the process { #event_simpleName=ProcessRollup2 \| selectLast([@timestamp, ImageFileName, CommandLine]) }, // Extract the domain name { #event_simpleName=NetworkConnectIP4 \| groupBy([RemoteAddressIP4, RemotePort, LocalPort], limit=max) \| drop(_count) } ], limit=max) \| RemoteAddressIP4=* \| ImageFileName= /(\/\|\\)(?<FileName>\w\.?\w)$/i \| groupBy([@timestamp, RemoteAddressIP4, LocalPort, RemotePort, pid, FileName, CommandLine], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Command History	Displays a table of a user's command history then limits the results to the first 1000 entries. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=CommandHistory \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| replace("¶", with="\n", field=CommandHistory) \| table([@timestamp, ApplicationName, CommandCount, CommandHistory], limit=1000) \| sort(@timestamp, limit=1000)`	`Table`
Listening Ports	Displays a table of ports that are listening and associated data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4 \| aid=?aid \| test(?aid != "") // We essentially want to join the ContextProcessId of the network events // with the TargetProcessId of the ProcessEvents, so we create a new // field 'pid' on which we can do a groupby. \| #event_simpleName match { ProcessRollup2 => pid := TargetProcessId; NetworkListenIP4 => pid := ContextProcessId; } // Group by the agent ID and for each group, group by the 'pid' field. \| groupBy("aid", function=[ { groupBy("pid", function=[ // Extract the ImageFileName field. { #event_simpleName="ProcessRollup2" \| selectLast([ImageFileName]) }, // Extract up to 200 rows of the LocalAddressIP4 and LocalPort // fields. { #event_simpleName="NetworkListenIP4" \| table([LocalAddressIP4, LocalPort]) } ], limit=max) } ], limit=max) \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) // Filter off results that do not have the below fields. \| LocalAddressIP4= AND LocalPort=* AND ImageFileName=* // Present the results. \| table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)	`Table`
Uniqe ASEP Values Updated	Displays a list of unique ASEP values that have been updated. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=AsepValueUpdate \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(RegValueName, distinct=true)`	`Single Value`
Unique Browser-Injected Threads	Displays the number of unique browser-injected threads by computer name. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=BrowserInjectedThread \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(TargetThreadId, distinct=true)`	`Single Value`
Top DNS Requests	Displays a list of top DNS requests by domain name. Hide Query Show Query logscale `#event_simpleName=DnsRequest \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| top(DomainName) \| rename(_count, as="#requests")`	`Table`
Falcon Links	Displays a table of real time response data including user search, zero trust assessment data, etc. then limits the results to the first 10 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| $"crowdstrike/fltr-core:zUrlFalconAid"() \| head(1) \| rename(field="RTR", as="Real Time Response") \| replace("\[RTR\]", with="\[Real Time Response\]", field="Real Time Response") \| table(["Real Time Response", "User Search", "Zero Trust Assessment", "Spotlight", "Host Management", "Host Search"], limit=10)	`Table`
Scripts Written	Displays a table of scripts written and limits results to the first 1000 entries. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=NewScriptWritten \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false) \| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, size], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)`	`Table`
Manual Registry Additions	Displays a list of manual registry additions and groups them by user ID, file name, etc. then sorts them by time stamp and limits to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2 \| ImageFileName=/reg.exe/i \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false) \| groupBy([@timestamp, UserSid, FileName, CommandLine, ParentBaseFileName], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Unique ASEP Keys Updated	Displays a list of ASEP keys that have been updated. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=AsepKeyUpdate \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(RegObjectName, distinct=true)`	`Single Value`
Host Info	Displays a table of host information including city, country, product type, version, etc. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #kind=Secondary \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| $"crowdstrike/fltr-core:zUrlFalconAid"() \| ipLocation(field=aip, as=aip) \| groupBy(aid, function=collect([ComputerName, RTR, aip, aip.city, aip.country, ProductType, Version, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, MachineDomain, AgentVersion, aid, #cid], limit=100), limit=1000) \| drop(_count)	`Table`
Java Injected Threads	Displays a list of Java injected threads. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=JavaInjectedThread \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(TargetThreadId, distinct=true)`	`Single Value`
Files Written to Removable Media	Displays files that have been written to a removable media source. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=FileWritten \| IsOnRemovableDisk=1 \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false) \| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, Size], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Event List`
User Logons	Displays a table of user logons by type with additional data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=UserLogon \| test(?aid != "") \| aid=?aid AND #cid = ?cid \| case { LogonType="2" \| Logon_Type:="Interactive"; LogonType="3" \| Logon_Type:="Network"; LogonType="4" \| Logon_Type:="Batch"; LogonType="5" \| Logon_Type:="Service"; LogonType="6" \| Logon_Type:="Proxy"; LogonType="7" \| Logon_Type:="Unlock"; LogonType="8" \| Logon_Type:="Network clear text"; LogonType="9" \| Logon_Type:="New Credentials"; LogonType="10" \| Logon_Type:="RDP"; LogonType="11" \| Logon_Type:="Cached Credentials"; LogonType="12" \| Logon_Type:="Auditing"; LogonType="13" \| Logon_Type:="Unlock Workstation";} \| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)	`Table`
Schedule Tasks	Displays a table of scheduled tasks with associated data (username, task name, command data, and arguments). Hide Query Show Query logscale `#event_simpleName=ScheduledTaskRegistered \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])`	`Table`
Network Connections Count	Displays a list of IP4 network connections. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| !regex("^(10\|172\.16\|192\.168)\.", field=RemoteAddressIP4) \| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4) \| top([RemoteAddressIP4, RemoteAddressIP4.country]) \| rename(_count, as="#connections")`	`Table`
Local and External IPs	Displays a table of local and external IP addresses and limits results to the first 100 entries. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=/^(NetworkConnectIP4\|NetworkReceiveAcceptIP4\|LocalIpAddressIP4)$/ \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| LocalAddressIP4=* \| groupBy(PhysicalAddress, function=[collect([LocalAddressIP4, aip, InterfaceAlias], limit=100)], limit=max)`	`Table`
Detections	Displays a list of API event detections. Hide Query Show Query logscale `ExternalApiType=Event_DetectionSummaryEvent \| test(?aid != "*") \| AgentIdString = ?aid AND CustomerIdString = ?cid \| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)`	`Table`
Admin Tools	Displays a table of admin tools associated with an event and related data, then limits results to the first 1000 entries. Hide Query Show Query logscale #cid = ?cid \| #event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2 \| CommandLine=* ImageFileName=* \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false) \| match(file="crowdstrike/fltr-core/recon_apps.csv", field=FileName, include=FileName, ignoreCase=true, strict=true) \| groupBy([@timestamp, UserSid, FileName, TargetProcessId, CommandLine, aid], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Packed Executable Written	Displays a list of packed executables that have been written. Hide Query Show Query logscale `#event_simpleName=PackedExecutableWritten \| test(?aid != "*") \| #cid = ?cid AND aid=?aid \| count()`	`Single Value`
BIOS Information	Retrieves detailed BIOS information, then summarizes based on computer name, system manufacturer, release date, BIOS version, etc. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=/^(AgentOnline\|FirmwareImageAnalyzed\|FirmwareImageCheck)$/ \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| groupBy([aid, ComputerName, SystemManufacturer, BiosReleaseDate, BiosVersion, SHA256HashData], limit=1000) \| drop([_count])`	`Table`
Running Services (started during selected time range)	Displays a table of services that started running during a selected time range, then limits results to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=ServiceStarted \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=ImageFileName, strict=false) \| groupBy([@timestamp, ComputerName, UserName, TargetProcessId, ServiceDisplayName, CommandLine, SHA256HashData, aid], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Processes Executions	Displays a list of events and the processes executed. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| (#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2) \| ImageFileName=/(\/\|\\)(?<FileName>\w\.?\w)$/i \| rename(field=ImageFileName, as=OriginalFileName) \| rename(field=CommandLine, as=OriginalCommandLine) \| tail(1000) \| $"crowdstrike/fltr-core:zUrlFalconPid"() \| groupBy([@timestamp, ComputerName, FileName, OriginalCommandLine, TargetProcessId, MD5HashData, ParentBaseFileName, ParentProcessId, aid], function=collect(["Process Explorer"]), limit=1000) \| sort(@timestamp, limit=1000)	`Table`
Injected Threads From Unsigned Modules	Displays a list of injected threads from unsigned modules. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=InjectedThreadFromUnsignedModule \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(TargetThreadId, distinct=true)`	`Single Value`
Unique Executables Written	Displays a list of unique executables written using SHA256 hash data. Hide Query Show Query logscale `#event_simpleName=PeFileWritten \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| count(SHA256HashData, distinct=true)`	`Single Value`
Executable Activities	Displays a table of executable activities (deleted, renamed, added) and limits results to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=/^(ExecutableDeleted\|NewExecutableRenamed\|NewExecutableWritten\|PeFileWritten)$/ \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false) \| tail(200) \| #event_simpleName match { "ExecutableDeleted" => Action:="Deleted" ; "NewExecutableRenamed" => Action:="Renamed" ; "NewExecutableWritten" => Action:="Added" ; "PeFileWritten" => Action:="Added" ; } \| tail(1000) \| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, Action], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Detections Links	Displays a table of detection links and additional relevant data, then limits results to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| ExternalApiType=Event_DetectionSummaryEvent \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| format("[Detection Link](%s)", field=["FalconHostLink"], as="DetectionLink") \| groupBy([@timestamp, DetectId], function=[collect([DetectionLink, FileName, DetectName, Severity, SeverityName, ComputerName, UserName, MD5String, SHA256String], limit=100)], limit=1000) \| drop(DetectId) \| sort(@timestamp, limit=1000)	`Table`
Unique DLL Injections	Displays a list of unique DLL injections. Hide Query Show Query logscale `wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=DLLInjections \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| count(TargetThreadId, distinct=true)`	`Single Value`
Rar / Zip File Written	Displays a table of RAR/zip files written and associated data then limits results to the first 1000 entries. Hide Query Show Query logscale wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| #event_simpleName=/^(RarFileWritten\|SevenZipFileWritten\|ZipFileWritten)$/ \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| tail(1000) \| regex("(?<FileName>[^/\\\]+$)", field=TargetFileName, strict=false) \| groupBy([@timestamp, ContextProcessId, FileName, LocalAddressIP4, TargetFileName, size], limit=1000) \| drop(_count) \| sort(@timestamp, limit=1000)	`Table`
Host Information	Displays a table of host information, including computer name, agent version, etc.) Hide Query Show Query logscale `#event_simpleName=AgentOnline \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| ipLocation(field=aip, as=aip) \| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max) \| drop(_count)`	`Table`

Search - By AgentId

Widget	Description	Type
Services Started	Displays a table of services started on Windows platform and limits results to the first 200 entries. Hide Query Show Query logscale `#event_simpleName=ServiceStarted AND event_platform=Win \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([@timestamp, UserName, ServiceDisplayName, CommandLine], limit=200)`	`Table`
Network Connection Destinations	Displays a world map of network connection destinations by IP address. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| worldMap(ip=RemoteAddressIP4)`	`World Map`
Listening Ports	Displays a table of ports that are listening and associated data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 OR #event_simpleName=NetworkListenIP4 \| aid=?aid \| test(?aid != "") // We essentially want to join the ContextProcessId of the network events // with the TargetProcessId of the ProcessEvents, so we create a new // field 'pid' on which we can do a groupby. \| #event_simpleName match { ProcessRollup2 => pid := TargetProcessId; NetworkListenIP4 => pid := ContextProcessId; } // Group by the agent ID and for each group, group by the 'pid' field. \| groupBy("aid", function=[ { groupBy("pid", function=[ // Extract the ImageFileName field. { #event_simpleName="ProcessRollup2" \| selectLast([ImageFileName]) }, // Extract up to 200 rows of the LocalAddressIP4 and LocalPort // fields. { #event_simpleName="NetworkListenIP4" \| table([LocalAddressIP4, LocalPort]) } ], limit=max) } ], limit=max) \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) // Filter off results that do not have the below fields. \| LocalAddressIP4= AND LocalPort=* AND ImageFileName=* // Present the results. \| table([aid, ComputerName, ImageFileName, LocalAddressIP4, LocalPort], limit=200)	`Table`
Top DNS Requests	Displays a list of top DNS requests by domain name. Hide Query Show Query logscale `#event_simpleName=DnsRequest \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| top(DomainName) \| rename(_count, as="#requests")`	`Table`
Heatmap: Tactics and Techniques	Displays a heat map of tactics and techniques used in detected events. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent Tactic!=/^custom/i Tactic!="" \| wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| wildcard(field=AgentIdString, pattern=?aid, ignoreCase=true) \| Tactic=* \| Technique=* \| groupBy([Tactic, Technique], function=count(AgentIdString, as="Detection Count"), limit=max)`	`Heat Map`
Top DNS IOC Hits	Displays a table of top DNS IOC hits by domain name. Hide Query Show Query logscale `#event_simpleName=DnsRequest \| wildcard(field=#cid, pattern=?cid, ignoreCase=true) \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| ioc:lookup(DomainName, type=domain, confidenceThreshold=unverified) \| ioc[0].labels=/^(?<iocActor>Actor\/.*?)\,/ \| top([DomainName, iocActor]) \| rename(_count, as="Total Requests")`	`Table`
Detections: Map Tactic Technique	Displays a flow chart of detections by tactic and technique. Hide Query Show Query logscale `EventType=Event_ExternalApiEvent \| test(?aid != "*") \| AgentIdString = ?aid #cid = ?cid \| sankey(target=Tactic, source=Technique)`	`Sankey`
User Logons	Displays a table of user logons by type with additional data, then limits results to the first 200 entries. Hide Query Show Query logscale #event_simpleName=UserLogon \| test(?aid != "") \| aid=?aid AND #cid = ?cid \| case { LogonType="2" \| Logon_Type:="Interactive"; LogonType="3" \| Logon_Type:="Network"; LogonType="4" \| Logon_Type:="Batch"; LogonType="5" \| Logon_Type:="Service"; LogonType="6" \| Logon_Type:="Proxy"; LogonType="7" \| Logon_Type:="Unlock"; LogonType="8" \| Logon_Type:="Network clear text"; LogonType="9" \| Logon_Type:="New Credentials"; LogonType="10" \| Logon_Type:="RDP"; LogonType="11" \| Logon_Type:="Cached Credentials"; LogonType="12" \| Logon_Type:="Auditing"; LogonType="13" \| Logon_Type:="Unlock Workstation";} \| table([@timestamp, UserName, LogonDomain, Logon_Type, UserIsAdmin], limit=200)	`Table`
Schedule Tasks	Displays a table of scheduled tasks with associated data (username, task name, command data, and arguments). Hide Query Show Query logscale `#event_simpleName=ScheduledTaskRegistered \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| table([UserName, TaskName, TaskExecCommand, TaskExecArguments])`	`Table`
Network Connections Count	Displays a list of IP4 network connections. Hide Query Show Query logscale `#event_simpleName=NetworkConnectIP4 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| !regex("^(10\|172\.16\|192\.168)\.", field=RemoteAddressIP4) \| ipLocation(field=RemoteAddressIP4, as=RemoteAddressIP4) \| top([RemoteAddressIP4, RemoteAddressIP4.country]) \| rename(_count, as="#connections")`	`Table`
Detections	Displays a list of API event detections. Hide Query Show Query logscale `ExternalApiType=Event_DetectionSummaryEvent \| test(?aid != "*") \| AgentIdString = ?aid AND CustomerIdString = ?cid \| groupby([UserName, FileName, DetectName, DetectDescription, SeverityName], function=[count(as=DetectionCount)], limit=max)`	`Table`
Packed Executable Written	Displays a list of packed executables that have been written. Hide Query Show Query logscale `#event_simpleName=PackedExecutableWritten \| test(?aid != "*") \| #cid = ?cid AND aid=?aid \| count()`	`Single Value`
Unique Executables Written	Displays a list of unique executables written using SHA256 hash data. Hide Query Show Query logscale `#event_simpleName=PeFileWritten \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| count(SHA256HashData, distinct=true)`	`Single Value`
Processes	Displays a table of processes by file name and limits results to the first 200 entries. Hide Query Show Query logscale `#event_simpleName=ProcessRollup2 \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| table([@timestamp, FileName, CommandLine, ParentBaseFileName], limit=200)`	`Table`
Host Information	Displays a table of host information, including computer name, agent version, etc.) Hide Query Show Query logscale `#event_simpleName=AgentOnline \| test(?aid != "*") \| aid=?aid AND #cid = ?cid \| ipLocation(field=aip, as=aip) \| groupby([ComputerName, AgentVersion, aip, aip.country, aip.city, BiosManufacturer, BiosVersion, ChassisManufacturer, SystemManufacturer, SystemProductName, aid], limit=max) \| drop(_count)`	`Table`
Workflow Note	Dashboard does not return results by default. You must input an `aid` into the parameter. The default time range is 7 days.	`Note`

Search - By DNS

Widget	Description	Type
Domain Lookup Summary	Displays a domain lookup summary with associated data sorted by number of hosts, then limits the results to the first 200 entries. Hide Query Show Query logscale /* * This query gives a summary of the domain(s) ('DomainName' * parameterized by '?DomainName') * It can also give a summary of all the hosts that a specific / #event_simpleName="DnsRequest" \| DomainName = ?DomainName \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| groupBy(DomainName, function=[ { selectLast([ContextTimeStamp, ComputerName]) \| rename(ContextTimeStamp, as=LastLookup) \| rename(ComputerName, as=LastLookupBy) }, { select([ContextTimeStamp, ComputerName]) \| head(1) \| rename(ContextTimeStamp, as=FirstLookup) \| rename(ComputerName, as=FirstLookupBy) \| drop(@timestamp) }, { count(ComputerName, as=NumberOfHosts, distinct=true) } ], limit=max) \| LastLookup := LastLookup 1000 \| FirstLookup := FirstLookup * 1000 \| LastLookup := formatTime(field=LastLookup, format="%Y/%m/%d %H:%M:%S") \| FirstLookup := formatTime(field=FirstLookup, format="%Y/%m/%d %H:%M:%S") \| table([DomainName, NumberOfHosts, FirstLookup, FirstLookupBy, LastLookup, LastLookupBy], limit=200, sortby=NumberOfHosts) \| rename(NumberOfHosts, as="#hosts")	`Table`
Process and Domain Details	Displays a table of specific processes and their domain details from a specific agent ID or ComputerName. Hide Query Show Query logscale /* * This query provices details of specific processes that resolve a * specific domain ('DomainName', parameterized by '?DomainName') and that are * run from a specific agent ID ('aid', parameterized '?aid') or ComputerName (?ComputerName). * This query will only return results if either ?DomainName and ?aid / ?ComputerName is specified. / #event_simpleName="ProcessRollup2" OR #event_simpleName="DnsRequest" \| test(?DomainName != "") \| aid=?aid \| case { test(?aid == "") \| test(?ComputerName == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) // We wish to join the ContextProcessId of the DnsRequest events to the // TargetProcessId of the ProcessRollup2 events, so we collect them both // in a field 'pid' that we can then group on. \| #event_simpleName match { "ProcessRollup2" => pid := TargetProcessId; "DnsRequest" => pid := ContextProcessId; } // Group the agent IDs, and for each group group by the 'pid' field. \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName) \| groupBy("pid", function= [ // Extract the latests ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, and SHA256HashData fields. { #event_simpleName="ProcessRollup2" \| selectLast([aid, ComputerName, ProcessStartTime, ContextProcessId, ImageFileName, MD5HashData, SHA256HashData]) }, // Extract the DomainName for each 'pid'. { #event_simpleName="DnsRequest" AND DomainName=?DomainName \| groupBy(DomainName) \| drop(["_count"]) } ], limit=max) // Remove entries that have no domain name or process start time. \| DomainName = * AND ProcessStartTime = * \| ComputerName = ?ComputerName // Make the process start time human-readable. \| ProcessStartTime := ProcessStartTime*1000 \| ProcessStartTime := formatTime(field=ProcessStartTime, format="%Y/%m/%d %H:%M:%S") // Present the results. \| table([ProcessStartTime, pid, DomainName, ComputerName, aid, ImageFileName, MD5HashData, SHA256HashData], limit=200)	`Table`
Number of Hosts hitting the domain	Displays a list of the number of distinct hosts hitting the domain. Query results will only be provided if ?DomainName is specified. Hide Query Show Query logscale `/** * This counts the number of distinct hosts ('ComputerName') that * resolved a specific domain ('DomainName', parametrized by '?DomainName'). * This query will only return results if ?DomainName is specified. / #event_simpleName=DnsRequest \| test(?DomainName != "") \| aid=?aid \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName=?ComputerName \| count(ComputerName, distinct=true)`	`Single Value`
Domain Lookups by Host	Displays a list of distinct hosts and the number of lookup requests they made. Hide Query Show Query logscale `/** * This lists the distinct hosts ('ComputerName') that resolve a specific * domain ('DomainName', parametrized by '?DomainName') and how many requests * they made. / #event_simpleName=DnsRequest \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| DomainName = ?DomainName \| groupBy([ComputerName, DomainName], limit=max) \| DomainName = \| top(ComputerName, sum=_count, as="# lookups")`	`Bar Chart`
Total DnsRequest Events Over Time	Displays a chart of all DNS requests over a given time frame by domain name Hide Query Show Query logscale `#event_simpleName="DnsRequest" \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| wildcard(field=DomainName, pattern=?DomainName, ignoreCase=true) \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| timeChart(function=count()) \| rename(_count, as="Total Requests")`	`Time Chart`
Top DnsRequest Events by DomainName	Displays a list of requested DNS events by domain name and limits results to the first 10 entries. Hide Query Show Query logscale `#event_simpleName="DnsRequest" \| wildcard(field=aid, pattern=?aid, ignoreCase=true) \| wildcard(field=DomainName, pattern=?DomainName, ignoreCase=true) \| $"crowdstrike/fltr-core:zComputerName"() \| wildcard(field=ComputerName, pattern=?ComputerName, ignoreCase=true) \| timeChart(DomainName, limit=10) \| rename(_count, as="Total Requests")`	`Time Chart`
Workflow Details	`DomainName` is required as an input parameter. `DomainName` should be lower-case. Wildcards can be used for `DomainName`, e.g. `crowdstrike`. `aid` and `ComputerName` can be used to further refine the results.	`Note`

Search - By File Hash

Widget	Description	Type
File Execution Details (Specify FileName or SHA256)	Displays a list of file execution details by file name or SHA256 and limits results to the first 20,000 entries. Hide Query Show Query logscale `// This query will only return results if at least one of ?FileName or ?SHA256 is specified. case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| #event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ImageFileName, CommandLine], limit=20000)`	`Table`
File Execution by Host	Displays a pie chart of file executions by host, limited to the first 25 entries. Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written by Hosts	Displays a pie chart of files written by hosts, limited to the first 25 entries. Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| match(file="fdr_aidmaster.csv", field=aid, column=aid, include=ComputerName, strict=true) \| top(field=ComputerName,limit=25)`	`Pie Chart`
File Written Details (Specify ComputerName)	This widget only shows result if a ComputerName is specified) Hide Query Show Query logscale `#event_simpleName="FileWritten" AND SHA256HashData = ?SHA256 \| test(?ComputerName != "") \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| ComputerName = ?ComputerName \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| table([@timestamp, aid, ComputerName, TargetFileName], limit=200)`	`Table`
Written on Distinct Hosts	Displays a list of files written on distinct hosts. Hide Query Show Query logscale `#event_simpleName="*FileWritten" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=false) \| regex(field=TargetFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName,distinct=true)`	`Single Value`
Execution Activity	Displays a chart of execution activity. Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Activity"))`	`Time Chart`
Execution History (Specify FileName or SHA256)	Display a table of execution history including execution date/time and file name, organizes it by host, and limits to the top 199 entries. Note that this query will only return results if at least one of ?FileName or ?SHA256 is specified. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 AND SHA256HashData = ?SHA256 // This query will only return results if at least one of ?FileName or ?SHA256 is specified. \| case { test(?FileName == "") \| test(?SHA256 == "") \| runQuery:=false; * \| runQuery:=true; } \| test(runQuery == true) \| drop(runQuery) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| groupby([SHA256HashData, FileName], function=[ count(aid, as="#hosts", distinct=true), { selectLast([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=LastExecutionDateTime) \| rename(aid, as=LastExecutedOn) }, { head(1) \| select([ProcessStartTime, aid]) \| rename(ProcessStartTime, as=FirstExecutionDateTime) \| rename(aid, as=FirstExecutedOn) } ], limit=max) \| LastExecutionDateTime := LastExecutionDateTime1000 \| FirstExecutionDateTime := FirstExecutionDateTime1000 \| LastExecutionDateTime := formatTime(field=LastExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| FirstExecutionDateTime := formatTime(field=FirstExecutionDateTime, format="%Y/%m/%d %H:%M:%S") \| drop(@timestamp) \| table([SHA256HashData, FileName, "#hosts", FirstExecutedOn, FirstExecutionDateTime, LastExecutedOn, LastExecutionDateTime], limit=199, sortby="#hosts")	`Table`
Number of Hosts Executing File	Displays the number of hosts executing a specific program that have been identified as suspicious. Hide Query Show Query logscale `#event_simpleName="ProcessRollup2" AND SHA256HashData = ?SHA256 \| match(field=aid, file="fdr_aidmaster.csv", column=aid, include=ComputerName, strict=true) \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| count(field=ComputerName, distinct=true)`	`Single Value`
Unique Host Executions	Displays a chart of unique host executions over time. Hide Query Show Query logscale `#event_simpleName = "ProcessRollup2" AND SHA256HashData = ?SHA256 \| regex(field=ImageFileName, regex="(?<FileName>[^/\\\]+$)") \| FileName = ?FileName \| timeChart(function=count(as="Hosts", field=aid, distinct=true))`	`Time Chart`
Workflow Note	# Workflow Start by entering a file name or a SHA256 to see results for 'Execution History', File Execution Details', and 'File Written Details'.	`Note`

Search - By IP Address

Widget	Description	Type
IP Location (GeoIP)	Displays a world map of IP locations based on IP-based geolocation. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| ipLocation(RemoteAddressIP4) \| worldMap(lat=RemoteAddressIP4.lat, lon=RemoteAddressIP4.lon)	`World Map`
Process Executions	Displays a table of process executions and limits results to the first 1000 entries. Hide Query Show Query logscale #event_simpleName=ProcessRollup2 OR (#event_simpleName=NetworkConnectIP4 RemoteAddressIP4=?RemoteAddressIP4) \| falconPID:=TargetProcessId \| falconPID:=ContextProcessId \| selfJoinFilter([aid, falconPID], where=[{#event_simpleName=ProcessRollup2}, {#event_simpleName=NetworkConnectIP4}], prefilter=true) \| regex("^.+(\\\\|\/)(?<FileName>.+)$", field=ImageFileName, strict=false) \| groupBy([aid, falconPID], function=([min(ProcessStartTime, as=ProcessStartTime), count(#event_simpleName, distinct=true, as=eventCount), collect([ParentBaseFileName, FileName, CommandLine, RemoteAddressIP4], limit=1000)]), limit=max) \| eventCount>1 \| shortCommandLine:=format("%,.100s", field=CommandLine) \| $"crowdstrike/fltr-core:zComputerName"() \| ProcessStartTime:=ProcessStartTime*1000 \| timestamp:=formatTime(format="%c", field=ProcessStartTime) \| table([timestamp, aid, ComputerName, ParentBaseFileName, FileName, RemoteAddressIP4, shortCommandLine], limit=1000)	`Table`
Connection Count	Displays a table of network connections then limits results to the first 1000 entries. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| groupBy([#event_simpleName], limit=max) \| rename(field="_count", as="Connection Count") \| table([#event_simpleName, "Connection Count"], limit=1000)	`Table`
IP Address Details	Displays a table of IP addresses and additional data (city, state, country, latitude/longitude, etc.) Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| asn:=asn(RemoteAddressIP4) \| rdns:=rdns(RemoteAddressIP4) \| default(value="-", field=[asn.org, asn.asn, rdns]) \| groupBy([RemoteAddressIP4, asn.org, asn.asn, rdns], limit=max) \| ipLocation(RemoteAddressIP4) \| rename(field="RemoteAddressIP4", as="IP") \| rename(field="asn.org", as="IP ASN Org.") \| rename(field="asn.asn", as="IP ASN") \| rename(field="rdns", as="Reverse DNS") \| rename(field="RemoteAddressIP4.city", as="GeoIP City") \| rename(field="RemoteAddressIP4.state", as="GeoIP State") \| rename(field="RemoteAddressIP4.country", as="GeoIP Country") \| rename(field="RemoteAddressIP4.lat", as="GeoIP Latitude") \| rename(field="RemoteAddressIP4.lon", as="GeoIP Longitude") \| rename(field="RemoteAddressIP4.lat", as="Event Types") \| drop([_count]) \| select(["IP", "Reverse DNS", "IP ASN", "IP ASN Org.", "GeoIP Country", "GeoIP State", "GeoIP City", "GeoIP Latitude","GeoIP Longitude"])	`Table`
Top 10 Endpoints	Displays a table of the top 10 device endpoints. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| top(aid, limit=10) \| $"crowdstrike/fltr-core:zComputerName"() \| "Connection Count":=rename(field="_count")	`Table`
IP Connection History	Displays a list of a user's IP connection history over time. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| timeChart(RemoteAddressIP4, function=count(aid))	`Single Value`
Connection Count Over Time	Displays a chart of connection count over time based on IP address data. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| timeChart(#event_simpleName, function=count(aid))	`Time Chart`
Total Connections	Displays a list of total system connections. Hide Query Show Query logscale #event_simpleName=/^(DCSyncAttempted\|FirewallDeleteRuleIP4\|FirewallRuleIP4Matched\|FirewallSetRuleIP4\|HttpRequest\|NetworkCloseIP4\|NetworkConnectIP4\|NetworkConnectIP4Blocked\|NetworkConnectIP4DetectInfo\|NetworkListenIP4\|NetworkReceiveAcceptIP4\|ProcessExecOnRDPFile\|ProcessExecOnSMBFile\|PromiscuousBindIP4\|RawBindIP4\|RemediationActionKillIP4Connection\|RemoteBruteForceDetectInfo\|SmbServerShareOpenedEtw\|TlsClientHello\|UserLogoff\|UserLogon\|UserLogonFailed2\|WmiCreateProcess)$/ \| RemoteAddressIP4=?RemoteAddressIP4 \| count(aid, as="Total Connections")	`Single Value`

Search - By Process Context

Widget	Description	Type
Process - Network Events	Displays a table of network events TCP, ICMP, UDP, and IP data. Hide Query Show Query logscale `test(?ProcessId != "") \| (#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| case { Protocol=6 \| eval(aProtocol="TCP"); Protocol=1 \| eval(aProtocol="ICMP"); Protocol=17 \| eval(aProtocol="UDP"); Protocol=58 \| eval(aProtocol="IPv6-ICMP");} \| table([@timestamp, aid, aProtocol, LocalAddressIP4, LocalAddressIP6, LocalPort, RemoteAddressIP4, RemoteAddressIP6, RemotePort])`	`Table`
Context Events by Type	Displays a pie chart of context events by type. Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId \| groupBy([aid, #event_simpleName])`	`Pie Chart`
Files Written	Displays a list of files that have been written. Hide Query Show Query logscale `test(?ProcessId != "") \| #event_simpleName=Written ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Original Processes	Displays a record of an original process from the command line, with an accompanying file name. Hide Query Show Query logscale `test(?FileName != "") \| #event_simpleName=ProcessRollup2 aid=?aid TargetProcessId = ?ProcessId \| ImageFileName = /(\/\|\\)(?<FileName>\w\.?\w*)$/i \| FileName = ?FileName \| rename(field=ImageFileName, as=OriginalFileName) \| rename(field=CommandLine, as=OriginalCommandLine) \| groupBy([aid, TargetProcessId, OriginalFileName, OriginalCommandLine]) \| sort(_count, order=asc) \| rename(_count, as="#")`	`Table`
Files Deleted	Displays a list of files that have been deleted by process ID. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=FileDeleteInfo ContextProcessId = ?ProcessId aid = ?aid \| groupBy([#event_simpleName, TargetFileName]) \| rename(_count, as="#")`	`Table`
Destination IPs	Display a pie chart of destination IP addresses by type. Hide Query Show Query logscale `(#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6) ContextProcessId = ?ProcessId aid = ?aid \| test(?ProcessId != "*") \| groupBy([RemoteAddressIP4, RemoteAddressIP6])`	`Pie Chart`
DNS Requests	Displays a table of DNS requests by domain name. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=DnsRequest ContextProcessId = ?ProcessId aid = ?aid \| groupBy([DomainName]) \| rename(_count, as="#requests")`	`Table`
All Context Events	Displays a list of all context events by ID. Hide Query Show Query logscale `test(?ProcessId != "*") \| ContextProcessId = ?ProcessId aid = ?aid`	`Event List`
Image Hash Events	Displays a table of image hash events. Hide Query Show Query logscale `test(?ProcessId != "*") \| #event_simpleName=ImageHash ContextProcessId = ?ProcessId aid = ?aid \| groupBy([ImageFileName]) \| rename(_count, as="#events")`	`Table`
Workflow Note	# Workflow Start by entering a filename. The aid is optional, but will constrain (and speed up) the search if you have it. If you find an interesting process copy the ProcessId and paste it in the parameter above to show the context events below.	`Note`

Search - By UserName

Widget	Description	Type
Detection Events	Displays a table of detection events with agent ID, computer name, and additional data then limits results to the first 1000 entries. Hide Query Show Query logscale // Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Find detection events. \| #event_simpleName!=* OR #streamingApiEvent=Event_DetectionSummaryEvent \| EventType=Event_ExternalApiEvent ExternalApiType=Event_DetectionSummaryEvent Tactic!=/^custom/i // Add the ComputerName if it's missing. \| $"crowdstrike/fltr-core:zComputerName"() // Find the details. \| aid:=rename(AgentIdString) // These fields must exist. \| Tactic=* AND Technique=* \| table([aid, ComputerName, DetectName, Tactic, Technique, Objective, CommandLine], limit=1000)	`Table`
Failed Logon Events	Displays a table of failed logon events by username and computer name then limits results to the first 1000 entries. Hide Query Show Query logscale `// Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Find identity events. \| #event_simpleName=UserLogonFailed* // Convert the results to a readable format. \| $"crowdstrike/fltr-core:zLogonTypeName"() // Add the ComputerName. \| $"crowdstrike/fltr-core:zComputerName"() // Group the results. \| groupBy(aid, function=[collect([ComputerName, LogonTypeName], limit=1000), count(as="Total Events")], limit=max) \| sort("Total Events", limit=1000)`	`Table`
Top Events Over Time	Displays a chart of the top 10 events over time. Hide Query Show Query logscale `// Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Create a chart of the top 10 events over time. \| timeChart(#event_simpleName, limit=10)`	`Time Chart`
Scheduled Task Events	Displays a table of registered scheduled tasks. Hide Query Show Query logscale `// Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Find scheduled tasks being registered. \| #event_simpleName=ScheduledTask* // Add the ComputerName. \| $"crowdstrike/fltr-core:zComputerName"() // Grab the output. \| table([aid, ComputerName, @timestamp, #event_simpleName, TaskName, TaskExecCommand], limit=1000)`	`Table`
Distinct Event Types by Asset	Displays a table of distinct event types by asset then limits the results to the first 1000 entries. Hide Query Show Query logscale // Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // aid must exist. \| aid=* // Add the ComputerName. \| $"crowdstrike/fltr-core:zComputerName"() // Create a chart of the top associated hosts. \| groupBy(aid, function=[collect([ComputerName, #event_simpleName], limit=1000), count(as="Total Events")], limit=max) \| "Distinct Events":=rename(#event_simpleName) \| sort("Total Events", limit=1000) \| table([aid, ComputerName, "Distinct Events", "Total Events"], limit=1000)	`Table`
Successful Interactive Logon Events	Displays a table of successful interactive logon events and groups the results by computer name and logon type, then limits results to the first 1000 entries. Hide Query Show Query logscale // Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Find identity events. \| #event_simpleName=UserLogon OR #event_simpleName=UserIdentity // Only include interactive logon events. \| LogonType=/^(2\|7\|10)$/ // Convert the results to a readable format. \| $"crowdstrike/fltr-core:zLogonTypeName"() // Add the ComputerName. \| $"crowdstrike/fltr-core:zComputerName"() // Group the results. \| groupBy(aid, function=[collect([ComputerName, LogonTypeName], limit=1000), count(as="Total Events")], limit=max) \| sort("Total Events", limit=1000)	`Table`
File Write Events	Displays a table of file write events and limits results to the first 1000 entries. Hide Query Show Query logscale `// Do a case-insensitive comparison. \| wildcard(field=UserName, pattern=?UserName, ignoreCase=true) // Find events related to file writes. \| #event_simpleName=*FileWritten // Add the ComputerName. \| $"crowdstrike/fltr-core:zComputerName"() // Grab the relevant data. \| groupBy([aid, ComputerName, #event_simpleName, OriginalFilename], function=[collect(TargetFileName, limit=1000), count(as="Total Events")], limit=max) \| sort("Total Events", limit=1000)`	`Table`
Workflow	- Enter a value for the `UserName` input parameter. - The input is case-insensitive, e.g. USER will match both User and user in the results.	`Note`

Search - Threat Hunting

Widget	Description	Type
Top Country Destinations	Displays a table of top country destinations by IP address and country. Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| ipLocation(field=RemoteAddressIP4) \| top(RemoteAddressIP4.country, as="#")`	`Table`
Suspicious Leads	Displays a table of suspicious lead data. Hide Query Show Query logscale in(#event_simpleName, values=[ "DetectAnalysis", "FileDetectInfo", "HttpRequestDetect", "KillThreadStatus", "ModuleBlockedEventWithPatternId", "NetworkOutboundPortScanDetectInfo", "PackedExecutableWritten", "RansomwareCreateFile", "RansomwareFileAccessPattern", "RansomwareRenameFile", "RegGenericValueUpdate", "RegistryOperationBlocked", "RegistryOperationDetectInfo", "RemediationActionKillProcess", "RemediationActionQuarantineFile", "RemediationActionRegistryRemoval", "RemediationMonitorKillProcess", "RemediationMonitorQuarantineFile", "RemediationMonitorRegistryRemoval", "RemoteBruteForceDetectInfo", "ScriptControlBlocked", "ScriptControlDetectInfo", "SuspiciousCreateSymbolicLink", "SuspiciousPeFileWritten", "SuspiciousRegAsepUpdate", "SuspiciousRegAsepUpdateFromUnsignedModule", "SuspiciousRegAsepUpdateLacksContextSignature", "SuspiciousRegAsepUpdateLacksTargetSignature", "SuspiciousRegAsepUpdateToUnsignedTarget", "SuspiciousUserRemoteAPCAttempt", "TokenImpersonated", "ZerologonExploitAttempt", "CriticalFileModified" ]) \| groupBy(#event_simpleName, limit=max) \| "#" := rename(_count)	`Table`
High Entropy Domains	Displays a list of high entropy domains using Akamai and limits the results to the first 20 entries. Hide Query Show Query logscale `#event_simpleName="DnsRequest" \| entropy:=shannonEntropy(DomainName) \| not akamaihd \| GroupBy([DomainName, entropy], limit=max) \| "#" := rename(_count) \| sort(entropy, limit=20)`	`Table`
Top IP Destinations	Displays a table of top IP destinations. Hide Query Show Query logscale `#event_simpleName="NetworkConnectIP4" \| top(RemoteAddressIP4, as="#")`	`Table`
Potential Script Obfuscation	Script content rated by Shanon entropy to look for randomness as a proxy for obfuscation attempts. Hide Query Show Query logscale `#event_simpleName="ScriptControl" \| ScriptEntropy:=shannonEntropy(ScriptContent) \| GroupBy([ScriptEntropy, ScriptContent], limit=max) \| "#" := rename(_count) \| sort(ScriptEntropy, limit=20)`	`Table`

zBeta - Identify Statistical Anomalies

Widget Description Type

Widget	Description	Type
Calculate Statistical Deviations	Displays a list of statistical deviation events and by how much, then limits results to the first 500 entries. Hide Query Show Query logscale wildcard(field=#event_simpleName, pattern=?event_simpleName, ignoreCase=true) // Create buckets to get the count, then rename a field so we recognize @timestamp again. \| bucket(field=?GroupByValue, span=1d, limit=500) \| @timestamp:=_bucket // Find the average number and calculate the standard deviation. \| bucket(field=?GroupByValue, span=1d, function=[sum(_count, as=observedRequests), window([stdDev(_count), avg(_count)], span=?RollingAverageDays)], limit=500) // Remove irrelevant results. \| _stddev > 0 \| _avg > 0 \| regex(".+", field=?GroupByValue) // Calculate the upper and lower limits. \| ulimit := _avg + (?AnomalyFactor * _stddev) // Flag hosts that exceed the standard deviation by X. \| case { test(observedRequests > ulimit) \| violation := 1; * \| violation := 0; } // Round the numbers for formatting. \| round(_avg) \| round(ulimit) // Ignore anything that's noise. \| violation > 0 \| _stddev > 1 \| _avg > 1 \| test(observedRequests > ulimit) // Add the date the spike occurred. \| Time := formatTime("%Y-%m-%d", field=_bucket, locale=en_US, timezone=Z) \| groupBy(?GroupByValue, function=[collect([Time, observedRequests, ulimit], limit=1000)], limit=max) \| Observed:=rename(observedRequests) \| UpperLimit:=rename(ulimit)	`Table`
Details	This dashboard is designed to calculate statistical anomalies based on standard deviations. The default window is 30 days with a 7-day rolling average. Default values are provided for the parameter inputs. You can change these as needed. The `Event Name` and `Group By` drop-down values are displayed based on frequency. It is recommended that you input your own values for the specific use case, e.g. `UserLogonFailed2` for the Event Name and `UserName` for the Group By.	`Note`
Instructions	These are the input values that can be modified: - `AnomalyFactor`: the number of standard deviations from the mean, e.g. `3`. - `EventSimpleName`: the `#event_simpleName` value that the query should be applied to, e.g. `UserLogonFailed2`. - `GroupByValue`: the value the results should be grouped by, e.g. `UserName`. - `RollingAverageDays`: the number of days that should be used to calculate a rolling average window, e.g. `7d` to compare each day to a 7-day rolling average.	`Note`

Displays a list of statistical deviation events and by how much, then limits results to the first 500 entries.

Show Query

Table

Details This dashboard is designed to calculate statistical anomalies based on standard deviations. The default window is 30 days with a 7-day rolling average. Default values are provided for the parameter inputs. You can change these as needed. The Event Name and Group By drop-down values are displayed based on frequency. It is recommended that you input your own values for the specific use case, e.g. UserLogonFailed2 for the Event Name and UserName for the Group By. Note

Instructions These are the input values that can be modified: - AnomalyFactor: the number of standard deviations from the mean, e.g. 3. - EventSimpleName: the #event_simpleName value that the query should be applied to, e.g. UserLogonFailed2. - GroupByValue: the value the results should be grouped by, e.g. UserName. - RollingAverageDays: the number of days that should be used to calculate a rolling average window, e.g. 7d to compare each day to a 7-day rolling average. Note

Integrations

Packages

Other Integrations

Log Formats