crowdstrike/fltr-firewall-adversaries Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

crowdstrike/fltr-firewall-adversaries Dashboards

Network Connections (IP) - IOC / Threat Actors

Network Connections (IP) - IOC / Threat Actors

Widget	Description	Type
IOC Actor Details	Hide Query Show Query logscale // Network Connections (IP) - IOC / Threat Actor / GeoIP with flag // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split("ioc") // Parameter selection \| ioc.malicious_confidence = ?Malicious_Confidence // Parse out threat actor information. Default to "None Listed" if no Actor information is available. \| case { ioc.labels = "Actor" \| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/; \| iocActor := "None Listed" } // Parameter selection \| iocActor = ?IOC_Actor // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country \| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country", "Continent", "Flag"], ignoreCase=true, strict=false) // Formatting of fields for ease of use. \| replace(",", with="\n", field=ioc.labels, as="IOC Details") /* Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information. To update, modify the search 'z_Root_URL_Definition()' buy uncommenting your respective URL value. To access the IOC Actor Intel link, user must first be logged in to Falcon UI. */ \| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()	`Event List`
Threat Actors	A pie chart of detected IOCs by associated Threat Actor groups Hide Query Show Query logscale // Network Connections (IP) - IOC / Threat Actor // a pie chart of detected IOCs by associated Threat Actor groups // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split("ioc") // Parameter selections \| ioc.malicious_confidence = ?Malicious_Confidence // Parse out and show only results with threat actor information. \| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/ // Parameter selections \| iocActor = ?IOC_Actor // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country // Display the results \| top(iocActor) /* Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information. To update, modify the search 'z_Root_URL_Definition()' buy uncommenting your respective URL value. To access the IOC Actor Intel link, user must first be logged in to Falcon UI. */ \| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()	`Pie Chart`
IOCs without Threat Actors - Associated Locations	Hide Query Show Query logscale `// a world map of detected IOC threat locations // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split(ioc) // Parameter selections \| ioc.malicious_confidence = ?Malicious_Confidence \| ioc.labels != "Actor*" // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country // Display the results \| worldMap(ip=ioc.indicator)`	`World Map`
Threat Actors - Associated Locations	A world map of detected IOC threat Actor Locations Hide Query Show Query logscale // Network Connections (IP) - IOC / Threat Actor / World Map // a world map of detected IOC threat Actor Locations // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split("ioc") // Parameter selections \| ioc.malicious_confidence = ?Malicious_Confidence // Filter out any IOCs not associated with Threat Actors \| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/ // Parameter selections \| iocActor = ?IOC_Actor // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country // Display the results \| worldMap(ip=ioc.indicator)	`World Map`
IOCs without Attribution	Hide Query Show Query logscale // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split(ioc) // Parameter selections \| ioc.malicious_confidence = ?Malicious_Confidence // Remove any IOCs attributed to threat actors \| ioc.labels != "Actor*" // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country \| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country", "Flag"], ignoreCase=true, strict=false) // Formatting of fields for ease of use. \| replace(",", with="\n", field=ioc.labels, as="IOC Details")	`Event List`
Threat Actors - Hits by Country	A time series chart indicating IOC associated country Hide Query Show Query logscale // Network Connections (IP) - IOC / Threat Actor / Times Series by Country // a time series chart indicating IOC associated country // IOC lookup on IP Addresses \| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true) \| split("ioc") // Filter only IOCs associated with Threat Actors \| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/ // Parameter selections \| ioc.malicious_confidence = ?Malicious_Confidence \| iocActor = ?IOC_Actor // IOC Geo lookups \| ipLocation(ioc.indicator) \| ioc.indicator.country = ?IOC_Country \| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country"], ignoreCase=true, strict=false) // Display the results \| timeChart(span=1d, function=count(), series=Country) /* Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information. To update, modify the search 'z_Root_URL_Definition()' buy uncommenting your respective URL value. To access the IOC Actor Intel link, user must first be logged in to Falcon UI. */ \| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()	`Time Chart`
CrowdStrike Adversary Tracking - Firewall IOCs	Apply Falcon threat intelligence to your firewall data to see which adversaries are targeting your network. CrowdStrike currently tracks and profiles hundreds of adversaries, and indicator of compromise (IOC) details are streaming into Falcon Long Term Repository and updated hourly. Every adversary is motivated by a specific objective whether it is financial, espionage or political gain. CrowdStrike uses a two-part cryptonym so adversaries can be easily identified based on these three critical motivating factors: * Nation-states perform espionage and are identified by their country of origin's national animal such as BEAR (Russia), PANDA (China), KITTEN (Iran), CHOLLIMA (North Korea), etc. * SPIDERs are cybercriminals motivated by monetary gain * Hacktivists, looking to create political disruption, are JACKALS For more information about adversary naming, additional details available here: CrowdStrike Adversary Overview. This dashboard requires Falcon Long Term repository license. Your firewall data needs to be normalized to the OpenTelemetry standard. Add firewall parsers from LogScale marketplace to your ingest feeds to get started.	`Note`

Enter search term