crowdstrike/fltr-identityprotection Dashboards

Detections Dashboard

Widget	Description	Type
Most recent detections	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low" ; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High" ; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical" ; * } \| Severity != Info // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| Source:=rename(SourceEndpointHostName) // Display columns with all defined formatting \| table([Severity, DetectName, @timestamp, "Account Name", Source, "Link"], limit=1000)	`Table`
Source users most involved in detections	Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| top(SourceAccountName) // Rename variables for display purposes \| "Account Name" := rename(SourceAccountName) \| Detections:=rename(_count)`	`Table`
Low	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "20" and Severity <= "39" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Critical	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "80" and Severity <= "100" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Medium	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "40" and Severity <= "59" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Detections by severity	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" // Severity mapping - numeric to label (from Event Data Dictionary) \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "Low" ; Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "High" ; Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; * } \| Severity != Info \| timeChart(Severity)	`Time Chart`
MITRE Tactics and Techniques Details	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Tactic=* \| case { Severity >= "0" and Severity <= "19" \| Severity := "Info" ; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low" ; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium" ; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High" ; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical" ; * } \| Severity != Info // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") // \| "Account Name":=rename(SourceAccountName) // \| Source:=rename(SourceEndpointHostName) // Display columns with all defined formatting \| table([Severity, Tactic, Technique, "Link"], limit=1000)	`Table`
Detections by name	Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| top(DetectName) // Rename variables for display purposes \| "Detections by name" := rename(DetectName) \| Total:=rename(_count)`	`Table`
High	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Severity >= "60" and Severity <= "79" \| count(Severity) // Severity mapping - numeric to label (from Event Data Dictionary) // \| case { // Severity >= "0" and Severity <= "19" \| Severity := "Info" ; // Severity >= "20" and Severity <= "39" \| Severity := "Low" ; // Severity >= "40" and Severity <= "59" \| Severity := "Medium" ; // Severity >= "60" and Severity <= "79" \| Severity := "High" ; // Severity >= "80" and Severity <= "100" \| Severity := "Critical" ; // * } // \| Severity != Info	`Single Value`
Source endpoints most involved in detections	Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| Endpoints:= rename(SourceEndpointHostName) \| top(Endpoints) // Rename variables for display purposes \| Detections:=rename(_count)`	`Table`
MITRE Tactics and Techniques Overview	Hide Query Show Query logscale `#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" //\| \| groupBy([Tactic, Technique], function=stats([count(AgentIdString, as="detectCount")])) \| rename("detectCount", as="Detection Count")`	`Heat Map`

Event Analysis Dashboard

Widget	Description	Type
Time Chart of Total AD Password Changes	Hide Query Show Query logscale `// Time Chart of Total AD Password Changes // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountPasswordUpdate // Filter based on domain name \| AccountDomain = ?AccountDomain // Create a timechart of the events based on count. \| timechart()`	`Time Chart`
Top AD Account Lockouts by Username	Hide Query Show Query logscale `// Top AD Account Lockouts by Username // Search for the specific event type #event_simpleName=ActiveDirectoryAccountLocked // Exclude anything that's a machine name \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most lockout events \| top(SamAccountName) // Set the usernames to all lower case \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)`	`Bar Chart`
Top AD User Names with the Most Change Events	Displays a list of top usernames with the most Active Directory (AD) change events based on domain. Hide Query Show Query logscale // Top AD User Names with the Most Change Events // Search for the specific event type #event_simpleName=ActiveDirectoryAccount* // Exclude anything that's a machine name \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most password changes \| top(SamAccountName) // Set the usernames to all lower case for consistency \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)	`Bar Chart`
Time Chart of Active Directory Account Changes	Plots the changes to the account within Active Directory Hide Query Show Query logscale `// Time Chart of Active Directory Account Changes // Search for the specific event type. #event_simpleName=ActiveDirectoryAccount* // Filter based on domain name \| AccountDomain = ?AccountDomain // Create a timechart of the events based on count. \| timechart()`	`Time Chart`
Top AD Password Changes by Username	Hide Query Show Query logscale `// Top AD Password Changes by Username // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountPasswordUpdate // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Use top to find the accounts with the most password changes. \| top(SamAccountName) // Set the usernames to all lower case. \| SamAccountName:=lower(SamAccountName) // Rename variables for display purposes \| Total:=rename(_count)`	`Bar Chart`
AD Account Creations by Username	Hide Query Show Query logscale `// List of AD Account Creations by Username // List of new Active Directory accounts that have been created. // Search for the specific event type. #event_simpleName=ActiveDirectoryAccountCreated // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| AccountDomain = ?AccountDomain // Display the list of account names and their domain. \| groupBy(SamAccountName, function=collect([@timestamp, AccountDomain]))`	`Table`
Top SSO Authentication Failures by Username	Hide Query Show Query logscale `// Top SSO Authentication Failures by Username // Search for either event. #event_simpleName=/(SsoApplicationAccessFailure\|SsoUserLogonFailure)/ // Exclude anything that's a machine name. \| SamAccountName!="*$" // List the top failures by username. \| top(SourceAccountUserName) // Rename variables for display purposes \| Total:=rename(_count)`	`Table`
Top AD Authentication Failures by Username	Hide Query Show Query logscale // Top AD Authentication Failures by Username // Search for the specific event type. #event_simpleName=ActiveDirectoryAuthenticationFailure // Exclude anything that's a machine name. \| SamAccountName!="*$" // Filter based on domain name \| SourceAccountDomain = ?AccountDomain // Use top to find the accounts with the most failures. \| top(SourceAccountSamAccountName) // Set the usernames to all lower case. \| SourceAccountSamAccountName:=lower(SourceAccountSamAccountName) // Rename variables for display purposes \| Total:=rename(_count)	`Table`

Identity-based Detections

Widget Description Type

Identity-based Detections

Widget	Description	Type
Identity-based Detections	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| case { Severity >= "0" and Severity <= "19" \| Severity := "🔵 Info"; Severity >= "20" and Severity <= "39" \| Severity := "🟢 Low"; Severity >= "40" and Severity <= "59" \| Severity := "🟡 Medium"; Severity >= "60" and Severity <= "79" \| Severity := "🟠 High"; Severity >= "80" and Severity <= "100" \| Severity := "🔴 Critical"; * } // Add parameters for filtering \| Severity=?Severity \| DetectName=?DetectName \| SourceAccountName=?SourceAccountName // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| "Account Domain":=rename(SourceAccountDomain) \| "Policy Rule Name":=rename(IdpPolicyRuleName) \| "Source endpoint name":=rename(SourceEndpointHostName) // \| case { // Tactic !=* \| Tactic := "-"; // Technique !=* \| Technique := "-"; // Objective !=* \| Objective := "-"; // "Policy rule name" !=* \| "Policy rule name" := "-"; // * } // Format extra context without adding multiple separate fields \| format(format="Policy Rule Name: %s %nTactic: %s %nTechnique: %s %nObjective: %s %n", field=["Policy Rule Name", Tactic, Techinque, Objective], as="Extra Context") // Display columns with all formatting included \| table([Severity, @timestamp, DetectName, "Account Name", "Account Domain", "Source endpoint name", "Link", "Extra Context"], limit=1000)	`Table`

Hide Query

Show Query

logscale

#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent
| ExternalApiType="Event_IdpDetectionSummaryEvent"

| case {
        Severity >= "0" and Severity <= "19"  | Severity := "🔵 Info";
        Severity >= "20" and Severity <= "39"  | Severity := "🟢 Low";
        Severity >= "40" and Severity <= "59"  | Severity := "🟡 Medium";
        Severity >= "60" and Severity <= "79"  | Severity := "🟠 High";
        Severity >= "80" and Severity <= "100"  | Severity := "🔴 Critical";
        * }

// Add parameters for filtering
| Severity=?Severity
| DetectName=?DetectName
| SourceAccountName=?SourceAccountName

// Set formatting for display
| format("[View detection](%s)", field=[FalconHostLink], as="Link")
| "Account Name":=rename(SourceAccountName)
| "Account Domain":=rename(SourceAccountDomain)
| "Policy Rule Name":=rename(IdpPolicyRuleName)
| "Source endpoint name":=rename(SourceEndpointHostName)

// | case {
        // Tactic !=* | Tactic := "-";
        // Technique !=* | Technique := "-";
        // Objective !=* | Objective := "-";
        // "Policy rule name" !=* | "Policy rule name" := "-";
        // * }


// Format extra context without adding multiple separate fields
| format(format="Policy Rule Name: %s %nTactic: %s %nTechnique: %s %nObjective: %s %n", field=["Policy Rule Name", Tactic, Techinque, Objective], as="Extra Context")

// Display columns with all formatting included
| table([Severity, @timestamp, DetectName, "Account Name", "Account Domain", "Source endpoint name", "Link", "Extra Context"], limit=1000)

Table

Threat Hunter

Widget Description Type

Privilege Escalation Detections

Widget	Description	Type
Privilege Escalation Detections	Hide Query Show Query logscale #event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent \| ExternalApiType="Event_IdpDetectionSummaryEvent" \| DetectName = "Privilege escalation (user)" or "Privilege escalation (endpoint)" // Add parameters for selection \| SourceAccountName = ?SourceAccountName // Set formatting for display \| format("[View detection](%s)", field=[FalconHostLink], as="Link") \| "Account Name":=rename(SourceAccountName) \| "Account Domain":=rename(SourceAccountDomain) \| "Policy Rule Name":=rename(IdpPolicyRuleName) \| "Source endpoint name":=rename(SourceEndpointHostName) \| "Added Privileges":=rename(AddedPrivileges) // Display subset of fields \| table([@timestamp, "Account Name", "Account Domain", DetectName, "Added Privileges", "Source endpoint name", "Link"], limit=1000)	`Table`

Hide Query

Show Query

logscale

#event_simpleName!=* OR #streamingApiEvent=Event_IdpDetectionSummaryEvent OR #event_simpleName=Event_IdpDetectionSummaryEvent
| ExternalApiType="Event_IdpDetectionSummaryEvent"
| DetectName = "Privilege escalation (user)" or "Privilege escalation (endpoint)"

// Add parameters for selection
| SourceAccountName = ?SourceAccountName

// Set formatting for display
| format("[View detection](%s)", field=[FalconHostLink], as="Link")
| "Account Name":=rename(SourceAccountName)
| "Account Domain":=rename(SourceAccountDomain)
| "Policy Rule Name":=rename(IdpPolicyRuleName)
| "Source endpoint name":=rename(SourceEndpointHostName)
| "Added Privileges":=rename(AddedPrivileges)

// Display subset of fields
| table([@timestamp, "Account Name", "Account Domain", DetectName, "Added Privileges", "Source endpoint name", "Link"], limit=1000)

Table

Integrations

Packages

Other Integrations

Log Formats

crowdstrike/fltr-identityprotection Dashboards

Detections Dashboard

Event Analysis Dashboard

Identity-based Detections

Threat Hunter

Enter search term