crowdstrike/fltr-identityprotection Dashboards

Detections Dashboard

The Detections Dashboard provides comprehensive identity-based security monitoring through integrated detection visualizations. This dashboard enables tracking of identity-related threats, analysis of authentication incidents, and monitoring of access-based security events across the environment.
Event Analysis Dashboard

The Event Analysis Dashboard presents detailed identity event analysis through comprehensive event visualizations. This dashboard enables investigation of authentication patterns, monitoring of access behaviors, and tracking of identity-related activities across the security landscape.
Identity-based Detections

The Identity-based Detections dashboard provides focused identity threat detection through specialized security visualizations. This dashboard enables monitoring of identity-specific threats, analysis of credential misuse, and investigation of suspicious authentication activities across the infrastructure.
Threat Hunter

The Threat Hunter dashboard presents advanced identity threat hunting capabilities through specialized search visualizations. This dashboard enables proactive investigation of identity threats, analysis of suspicious authentication patterns, and detection of potential identity-based compromises across the environment.

Detections Dashboard

The Detections Dashboard provides comprehensive identity-based security monitoring through integrated detection visualizations. This dashboard enables tracking of identity-related threats, analysis of authentication incidents, and monitoring of access-based security events across the environment.

Widget	Description	Type
Most recent detections	Displays a list of recent external API events, arranges them in order of severity (low, medium, high, and critical), then limits results to the first 1000 entries. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low" ; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High" ; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical" ; * } \| Severity != Info // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| Source:=rename(SourceEndpointHostName) // Display columns with all defined formatting \| table([Severity, DetectName, @timestamp, "Account Name", Source, "Link"], limit=1000)	`Table`
Source users most involved in detections	Displays a table of source users most involved in detections. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| top(SourceAccountName) // Rename variables for display purposes \| "Account Name" := rename(SourceAccountName) \| Detections:=rename(_count)`	`Table`
Low	Displays the number of events with a low severity rating (greater than or equal to 20, or less than or equal to 39). Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "20" and Severity <= "39" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Critical	Displays events defined as Critical severity. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "80" and Severity <= "100" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Medium	Displays events considered medium severity, with a rating greater than 40 but less than 59. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "40" and Severity <= "59" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Detections by severity	Displays a chart of event detections by severity (information, low, medium, high, and critical). Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" // Severity mapping - numeric to label (from Event Data Dictionary) \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "Low" ; Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "High" ; Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; * } \| Severity != Info \| timeChart(Severity)	`Time Chart`
MITRE Tactics and Techniques Details	Displays a table of MITRE ATT@CK tactics and techniques, and their associated severity level (information, low, medium, high, and critical). Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Tactic=* \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low" ; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High" ; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical" ; * } \| Severity != Info // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") // \| "Account Name":=rename(SourceAccountName) // \| Source:=rename(SourceEndpointHostName) // Display columns with all defined formatting \| table([Severity, Tactic, Technique, "Link"], limit=1000)	`Table`
Detections by name	Displays a list of detections by name. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| top(DetectName) // Rename variables for display purposes \| "Detections by name" := rename(DetectName) \| Total:=rename(_count)`	`Table`
High	Displays the number of events given a 'high' severity rating (greater than or equal to 60, and less than or equal to 79). Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "60" and Severity <= "79" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Source endpoints most involved in detections	Displays a table of source endpoints most involved in system detections. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Endpoints:= rename(SourceEndpointHostName) \| top(Endpoints) // Rename variables for display purposes \| Detections:=rename(_count)`	`Table`
MITRE Tactics and Techniques Overview	Displays an overview list of MITRE tactics and techniques. Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" //\| \| groupBy([Tactic, Technique], function=stats([count(AgentIdString, as="detectCount")])) \| rename("detectCount", as="Detection Count")`	`Heat Map`

Event Analysis Dashboard

The Event Analysis Dashboard presents detailed identity event analysis through comprehensive event visualizations. This dashboard enables investigation of authentication patterns, monitoring of access behaviors, and tracking of identity-related activities across the security landscape.

Widget	Description	Type
Time Chart of Total AD Password Changes	Displays a chart of total Active Directory password changes by domain name. Hide Query Show Query logscale `// Time Chart of Total AD Password Changes // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountPasswordUpdate // Filter based on domain name \| AccountDomain = ?AccountDomain // Create a timechart of the events based on count. \| timechart()`	`Time Chart`
Top AD Account Lockouts by Username	Displays a chart of top Active Directory account lockouts by username. Hide Query Show Query logscale `// Top AD Account Lockouts by Username // Search for the specific event type #event_simpleName=ActiveDirectoryAccountLocked // Exclude anything that's a machine name \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most lockout events \| top(SamAccountName) // Set the usernames to all lower case \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)`	`Bar Chart`
Top AD User Names with the Most Change Events	Displays a list of top usernames with the most Active Directory (AD) change events based on domain. Hide Query Show Query logscale // Top AD User Names with the Most Change Events // Search for the specific event type #event_simpleName=ActiveDirectoryAccount* // Exclude anything that's a machine name \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most password changes \| top(SamAccountName) // Set the usernames to all lower case for consistency \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)	`Bar Chart`
Time Chart of Active Directory Account Changes	Plots the changes to the account within Active Directory Hide Query Show Query logscale `// Time Chart of Active Directory Account Changes // Search for the specific event type. #event_simpleName=ActiveDirectoryAccount* // Filter based on domain name \| AccountDomain = ?AccountDomain // Create a timechart of the events based on count. \| timechart()`	`Time Chart`
Top AD Password Changes by Username	Displays a chart of top Active Directory password changes by username. Hide Query Show Query logscale `// Top AD Password Changes by Username // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountPasswordUpdate // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most password changes. \| top(SamAccountName) // Set the usernames to all lower case. \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)`	`Bar Chart`
AD Account Creations by Username	Displays a table of Active Directory account creations by username and arranged by domain. Hide Query Show Query logscale `// List of AD Account Creations by Username // List of new Active Directory accounts that have been created. // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountCreated // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Display the list of account names and their domain. \| groupBy(SamAccountName, function=collect([@timestamp, AccountDomain]))`	`Table`
Top SSO Authentication Failures by Username	Displays a list of top SSO authentication failures by username. Hide Query Show Query logscale `// Top SSO Authentication Failures by Username // Search for either event. #event_simpleName=/(SsoApplicationAccessFailure\|SsoUserLogonFailure)/ // Exclude anything that's a machine name. \| SamAccountName!="*$" // List the top failures by username. \| top(SourceAccountUserName) // Rename variables for display purposes \| Total:=rename(_count)`	`Table`
Top AD Authentication Failures by Username	Displays a table of tp AD authentication failures by username. Hide Query Show Query logscale // Top AD Authentication Failures by Username // Search for the specific event type. #event_simpleName=ActiveDirectoryAuthenticationFailure // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| SourceAccountDomain = ?AccountDomain // Use top to find the accounts with the most failures. \| top(SourceAccountSamAccountName) // Set the usernames to all lower case. \| SourceAccountSamAccountName:=lower(SourceAccountSamAccountName) // Rename variables for display purposes \| Total:=rename(_count)	`Table`

Identity-based Detections

The Identity-based Detections dashboard provides focused identity threat detection through specialized security visualizations. This dashboard enables monitoring of identity-specific threats, analysis of credential misuse, and investigation of suspicious authentication activities across the infrastructure.

Widget Description Type

Widget	Description	Type
Identity-based Detections	Displays a table of identity-based detections, their associated details, and their associated severity rating, then limits results to the first 1000 entries. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| case { Severity >= "0" and Severity <= "19" \| Severity := "🔵 Info"; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low"; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium"; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High"; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical"; * } // Add parameters for filtering \| Severity=?Severity \| DetectName=?DetectName \| SourceAccountName=?SourceAccountName // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| "Account Domain":=rename(SourceAccountDomain) \| "Policy Rule Name":=rename(IdpPolicyRuleName) \| "Source endpoint name":=rename(SourceEndpointHostName) // \| case { // Tactic !=* \| Tactic := "-"; // Technique !=* \| Technique := "-"; // Objective !=* \| Objective := "-"; // "Policy rule name" !=* \| "Policy rule name" := "-"; // * } // Format extra context without adding multiple separate fields \| format(format="Policy Rule Name: %s %nTactic: %s %nTechnique: %s %nObjective: %s %n", field=["Policy Rule Name", Tactic, Techinque, Objective], as="Extra Context") // Display columns with all formatting included \| table([Severity, @timestamp, DetectName, "Account Name", "Account Domain", "Source endpoint name", "Link", "Extra Context"], limit=1000)	`Table`

Displays a table of identity-based detections, their associated details, and their associated severity rating, then limits results to the first 1000 entries.

Hide Query

Show Query

logscale

#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent
| ExternalApiType="Event_IdpDetectionSummaryEvent"

| case {
        Severity >= "0" and Severity <= "19"  | Severity := "🔵 Info";
        Severity >= "20" and Severity <= "39"  | Severity := "🟢 Low";
        Severity >= "40" and Severity <= "59"  | Severity := "🟡 Medium";
        Severity >= "60" and Severity <= "79"  | Severity := "🟠 High";
        Severity >= "80" and Severity <= "100"  | Severity := "🔴 Critical";
        * }

// Add parameters for filtering
| Severity=?Severity
| DetectName=?DetectName
| SourceAccountName=?SourceAccountName

// Set formatting for display
| format("[View detection](%s)", field=[FalconHostLink], as="Link")
| "Account Name":=rename(SourceAccountName)
| "Account Domain":=rename(SourceAccountDomain)
| "Policy Rule Name":=rename(IdpPolicyRuleName)
| "Source endpoint name":=rename(SourceEndpointHostName)

// | case {
        // Tactic !=* | Tactic := "-";
        // Technique !=* | Technique := "-";
        // Objective !=* | Objective := "-";
        // "Policy rule name" !=* | "Policy rule name" := "-";
        // * }


// Format extra context without adding multiple separate fields
| format(format="Policy Rule Name: %s %nTactic: %s %nTechnique: %s %nObjective: %s %n", field=["Policy Rule Name", Tactic, Techinque, Objective], as="Extra Context")

// Display columns with all formatting included
| table([Severity, @timestamp, DetectName, "Account Name", "Account Domain", "Source endpoint name", "Link", "Extra Context"], limit=1000)

Table

Threat Hunter

The Threat Hunter dashboard presents advanced identity threat hunting capabilities through specialized search visualizations. This dashboard enables proactive investigation of identity threats, analysis of suspicious authentication patterns, and detection of potential identity-based compromises across the environment.

Widget Description Type

Widget	Description	Type
Privilege Escalation Detections	Displays a table of IDP escalation detections and summarizes their details including account name, domain, policy rule name, source endpoint name, and added privileges. Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| DetectName = "Privilege escalation (user)" or "Privilege escalation (endpoint)" // Add parameters for selection \| SourceAccountName = ?SourceAccountName // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| "Account Domain":=rename(SourceAccountDomain) \| "Policy Rule Name":=rename(IdpPolicyRuleName) \| "Source endpoint name":=rename(SourceEndpointHostName) \| "Added Privileges":=rename(AddedPrivileges) // Display subset of fields \| table([@timestamp, "Account Name", "Account Domain", DetectName, "Added Privileges", "Source endpoint name", "Link"], limit=1000)	`Table`

Displays a table of IDP escalation detections and summarizes their details including account name, domain, policy rule name, source endpoint name, and added privileges.

Hide Query

Show Query

logscale

#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent
| ExternalApiType="Event_IdpDetectionSummaryEvent"
| DetectName = "Privilege escalation (user)" or "Privilege escalation (endpoint)"

// Add parameters for selection
| SourceAccountName = ?SourceAccountName

// Set formatting for display
| format("[View detection](%s)", field=[FalconHostLink], as="Link")
| "Account Name":=rename(SourceAccountName)
| "Account Domain":=rename(SourceAccountDomain)
| "Policy Rule Name":=rename(IdpPolicyRuleName)
| "Source endpoint name":=rename(SourceEndpointHostName)
| "Added Privileges":=rename(AddedPrivileges)

// Display subset of fields
| table([@timestamp, "Account Name", "Account Domain", DetectName, "Added Privileges", "Source endpoint name", "Link"], limit=1000)

Table

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

crowdstrike/fltr-identityprotection Dashboards

Detections Dashboard

Event Analysis Dashboard

Identity-based Detections

Threat Hunter

Enter search term