IOC Actor Details |
// Network Connections (IP) - IOC / Threat Actor / GeoIP with flag
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split("ioc")
// Parameter selection
| ioc.malicious_confidence = ?Malicious_Confidence
// Parse out threat actor information. Default to "None Listed" if no Actor information is available.
| case {
ioc.labels = "Actor*" | ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/;
* | iocActor := "None Listed"
}
// Parameter selection
| iocActor = ?IOC_Actor
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country", "Continent", "Flag"], ignoreCase=true, strict=false)
// Formatting of fields for ease of use.
| replace(",", with="\n", field=ioc.labels, as="IOC Details")
/*
Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information.
To update, modify the search 'z_Root_URL_Definition()' by uncommenting your respective URL value.
To access the IOC Actor Intel link, the user must first be logged in to the Falcon UI.
*/
| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()
| Event List |
Threat Actors |
A pie chart of detected IOCs by associated Threat Actor groups
// Network Connections (IP) - IOC / Threat Actor
// a pie chart of detected IOCs by associated Threat Actor groups
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split("ioc")
// Parameter selections
| ioc.malicious_confidence = ?Malicious_Confidence
// Parse out and show only results with threat actor information.
| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/
// Parameter selections
| iocActor = ?IOC_Actor
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
// Display the results
| top(iocActor)
/*
Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information.
To update, modify the search 'z_Root_URL_Definition()' by uncommenting your respective URL value.
To access the IOC Actor Intel link, the user must first be logged in to the Falcon UI.
*/
| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()
| Pie Chart |
IOCs without Threat Actors - Associated Locations |
// a world map of detected IOC threat locations
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split(ioc)
// Parameter selections
| ioc.malicious_confidence = ?Malicious_Confidence
| ioc.labels != "Actor*"
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
// Display the results
| worldMap(ip=ioc.indicator)
| World Map |
Threat Actors - Associated Locations |
A world map of detected IOC threat Actor Locations
// Network Connections (IP) - IOC / Threat Actor / World Map
// a world map of detected IOC threat Actor Locations
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split("ioc")
// Parameter selections
| ioc.malicious_confidence = ?Malicious_Confidence
// Filter out any IOCs not associated with Threat Actors
| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/
// Parameter selections
| iocActor = ?IOC_Actor
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
// Display the results
| worldMap(ip=ioc.indicator)
| World Map |
IOCs without Attribution |
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split(ioc)
// Parameter selections
| ioc.malicious_confidence = ?Malicious_Confidence
// Remove any IOCs attributed to threat actors
| ioc.labels != "Actor*"
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country", "Flag"], ignoreCase=true, strict=false)
// Formatting of fields for ease of use.
| replace(",", with="\n", field=ioc.labels, as="IOC Details")
| Event List |
Threat Actors - Hits by Country |
A time series chart indicating IOC associated country
// Network Connections (IP) - IOC / Threat Actor / Time Series by Country
// a time series chart indicating IOC associated country
// IOC lookup on IP Addresses
| ioc:lookup([source.ip, destination.ip], type="ip_address", confidenceThreshold=?Confidence_Threshold, strict=true)
| split("ioc")
// Filter only IOCs associated with Threat Actors
| ioc.labels = /^Actor\/(?<iocActor>\w+)\W+/
// Parameter selections
| ioc.malicious_confidence = ?Malicious_Confidence
| iocActor = ?IOC_Actor
// IOC Geo lookups
| ipLocation(ioc.indicator)
| ioc.indicator.country = ?IOC_Country
| match(file="crowdstrike/fltr-firewall-adversaries/geo_mapping.csv", column=CountryCode, field=ioc.indicator.country, include=["Country"], ignoreCase=true, strict=false)
// Display the results
| timeChart(span=1d, function=count(), series=Country)
/*
Specify base Falcon URL to use for Falcon UI linkage for Threat Actor information.
To update, modify the search 'z_Root_URL_Definition()' by uncommenting your respective URL value.
To access the IOC Actor Intel link, the user must first be logged in to the Falcon UI.
*/
| $"crowdstrike/fltr-firewall-adversaries:z_Falcon_URL_Definition"()
| Time Chart |
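The actor-label handling that the widgets above share (the `^Actor\/(?<iocActor>\w+)\W+` capture, the "None Listed" fallback in the IOC Actor Details widget, the `ioc.labels != "Actor*"` exclusion in the unattributed widgets, and the comma-to-newline formatting of the IOC Details column), re-implemented in Python as an added example so the logic can be checked offline. This is not code from the CrowdStrike package or from LogScale; the sample IOC records and their labels are constructed, and it is assumed that `\w`/`\W` and the `Actor*` glob behave the same in Python and LogScale for these ASCII inputs.

```python
"""Offline check of the actor-attribution logic used by the dashboard queries.

Added example, not part of the CrowdStrike fltr-firewall-adversaries package.
It mirrors the label handling of the LogScale queries in plain Python:
  * widgets that require an actor apply ^Actor\\/(?<iocActor>\\w+)\\W+ to
    ioc.labels (Python spells a named group (?P<name>...));
  * the IOC Actor Details widget falls back to "None Listed";
  * the "without attribution" widgets keep records whose labels do not
    start with "Actor" (the != "Actor*" glob);
  * the IOC Details column is ioc.labels with "," turned into newlines.
All sample data below is constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# Same pattern as the dashboard queries; only the named-group syntax differs.
ACTOR_RE = re.compile(r"^Actor/(?P<iocActor>\w+)\W+")


def extract_actor(labels: str) -> Optional[str]:
    """Return the actor name the dashboard regex captures, or None."""
    m = ACTOR_RE.match(labels)
    return m.group("iocActor") if m else None


def actor_or_default(labels: str) -> str:
    """Mirror the case { ... } block: actor name, else "None Listed"."""
    return extract_actor(labels) or "None Listed"


def is_unattributed(labels: str) -> bool:
    """Mirror ioc.labels != "Actor*" (glob anchored at the start)."""
    return not labels.startswith("Actor")


def format_details(labels: str) -> str:
    """Mirror replace(",", with="\\n", field=ioc.labels, as="IOC Details")."""
    return labels.replace(",", "\n")


# Constructed sample records; the IPs are documentation ranges, not real IOCs.
SAMPLE_IOCS = [
    {"indicator": "198.51.100.7", "labels": "Actor/FANCYBEAR,KillChain/C2"},
    {"indicator": "203.0.113.9", "labels": "Malware/Example,KillChain/Delivery"},
    # An actor label with nothing after the name: no separator for \W+ to eat.
    {"indicator": "192.0.2.44", "labels": "Actor/WIZARDSPIDER"},
]


def summarize(iocs) -> Tuple[Dict[str, List[str]], List[str]]:
    """Bucket records as the widgets do: by actor, and the unattributed set.

    A record can land in neither bucket (see the third sample), which is the
    edge case a dashboard author should be aware of.
    """
    attributed: Dict[str, List[str]] = {}
    unattributed: List[str] = []
    for rec in iocs:
        actor = extract_actor(rec["labels"])
        if actor:
            attributed.setdefault(actor, []).append(rec["indicator"])
        if is_unattributed(rec["labels"]):
            unattributed.append(rec["indicator"])
    return attributed, unattributed


if __name__ == "__main__":
    for rec in SAMPLE_IOCS:
        print(rec["indicator"], "->", actor_or_default(rec["labels"]))
        print(format_details(rec["labels"]))
    print(summarize(SAMPLE_IOCS))
```

Running it shows the gap the trailing `\W+` creates: a labels value that is exactly `Actor/WIZARDSPIDER`, with no further label after the name, yields no actor from the regex yet still begins with `Actor`, so it is dropped by the widgets that filter on the regex alone and also by the `!= "Actor*"` widgets. If an intel feed can emit an actor label as the last or only label, the capture `^Actor\/(?<iocActor>\w+)` without the trailing `\W+` would still attribute it.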
CrowdStrike Adversary Tracking - Firewall IOCs |
Apply Falcon threat intelligence to your firewall data to see which adversaries are targeting your network. CrowdStrike currently tracks and profiles hundreds of adversaries, and indicator of compromise (IOC) details are streaming into Falcon Long Term Repository and updated hourly. Every adversary is motivated by a specific objective, whether it is financial, espionage or political gain. CrowdStrike uses a two-part cryptonym so adversaries can be easily identified based on these three critical motivating factors:
* Nation-states perform espionage and are identified by their country of origin's national animal, such as BEAR (Russia), PANDA (China), KITTEN (Iran), CHOLLIMA (North Korea), etc.
* SPIDERs are cybercriminals motivated by monetary gain.
* Hacktivists, looking to create political disruption, are JACKALS.
For more information about adversary naming, additional details are available here: CrowdStrike Adversary Overview.
This dashboard requires a Falcon Long Term Repository license. Your firewall data needs to be normalized to the OpenTelemetry standard. Add firewall parsers from the LogScale marketplace to your ingest feeds to get started.
| Note |