crowdstrike/siem-connector Dashboards | Integrations | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

crowdstrike/siem-connector Dashboards

Detections

Widget	Description	Type
Detection Types	Hide Query Show Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.DetectName)`	`Pie Chart`
Detections	Hide Query Show Query logscale metadata.eventType=DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid \|SensorId := event.SensorId\| ComputerName:=event.ComputerName\|User:=event.UserName\|DetectName:=event.DetectName\|Severity:=event.SeverityName\|LocalIP:=event.LocalIP\|Tactic:=event.Tactic\|Technique:= event.Technique\| Description:= event.DetectDescription\|Objective:=event.Objective \|table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])	`Table`
Techniques over Time	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Technique)`	`Time Chart`
Detection Events	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent\|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|count("metadata.eventType")`	`Gauge`
Detections by Technique	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Technique)`	`Bar Chart`
Detection by Tactic	Hide Query Show Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.Tactic)`	`Bar Chart`
Tactic over Time	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Tactic)`	`Time Chart`
Tactics	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Tactic)`	`Pie Chart`
Events by eventtype	Hide Query Show Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Events over time	Hide Query Show Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`

Firewall Activity

Widget	Description	Type
Firewall Events	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \|select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])`	`Table`
Outbound Blocked Requests	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 1\|sankey(source="event.LocalAddress",target="event.RemoteAddress")`	`Sankey`
Blocked Requests - Outbound	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=1\|count()`	`Gauge`
Events by eventtype	Hide Query Show Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Blocked Requests - Inbound	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=3\|count()`	`Gauge`
FIrewall Activity - Total events	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \|count()`	`Gauge`
Events over time	Hide Query Show Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`
Inbound Blocked Requests	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 3\|sankey(source=event.RemoteAddress, target=event.LocalAddress)`	`Sankey`

Summary Dashboard

Widget	Description	Type
Policy events	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| e metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| count()`	`Gauge`
Detections	Hide Query Show Query logscale metadata.eventType=DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid \|SensorId := event.SensorId\| ComputerName:=event.ComputerName\|User:=event.UserName\|DetectName:=event.DetectName\|Severity:=event.SeverityName\|LocalIP:=event.LocalIP\|Tactic:=event.Tactic\|Technique:= event.Technique\| Description:= event.DetectDescription\|Objective:=event.Objective \|table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])	`Table`
Policty events by Users	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \|User:=event.UserId\|groupby(User)\|events:=rename(_count)`	`Pie Chart`
Techniques over Time	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Technique)`	`Time Chart`
Detection Events	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent\|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|count("metadata.eventType")`	`Gauge`
Firewall Events	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \|select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])`	`Table`
Outbound Blocked Requests	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 1\|sankey(source="event.LocalAddress",target="event.RemoteAddress")`	`Sankey`
Blocked Requests - Outbound	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=1\|count()`	`Gauge`
Detections by Technique	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Technique)`	`Bar Chart`
Detection by Tactic	Hide Query Show Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.Tactic)`	`Bar Chart`
Tactic over Time	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Tactic)`	`Time Chart`
User Activity by ServiceName	Hide Query Show Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|metadata.customerIDString = ?cid\|groupby(event.ServiceName)`	`Bar Chart`
Policy events types	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| groupby(event.OperationName)`	`Pie Chart`
Tactics	Hide Query Show Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Tactic)`	`Pie Chart`
Events by eventtype	Hide Query Show Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
User Activity Events	Hide Query Show Query logscale `* \| metadata.eventType=UserActivityAuditEvent\| metadata.customerIDString = ?cid\|count()`	`Gauge`
User Activity Events	Hide Query Show Query logscale metadata.eventType = UserActivityAuditEvent \| event.OperationName = *\| metadata.customerIDString = ?cid\|akey0:=event.AuditKeyValues[0].Key \|aval0:=event.AuditKeyValues[0].ValueString \|akey1:=event.AuditKeyValues[1].Key \|aval1:=event.AuditKeyValues[1].ValueString \|akey2:=event.AuditKeyValues[2].Key \|aval2:=event.AuditKeyValues[2].ValueString \|akey3:=event.AuditKeyValues[3].Key \|aval3:=event.AuditKeyValues[3].ValueString \|akey4:=event.AuditKeyValues[4].Key \|aval4:=event.AuditKeyValues[4].ValueString \|akey5:=event.AuditKeyValues[5].Key \|aval5:=event.AuditKeyValues[5].ValueString \|akey6:=event.AuditKeyValues[6].Key \|aval6:=event.AuditKeyValues[6].ValueString \|akey7:=event.AuditKeyValues[7].Key \|aval7:=event.AuditKeyValues[7].ValueString \|akey8:=event.AuditKeyValues[8].Key \|aval8:=event.AuditKeyValues[8].ValueString \|akey9:=event.AuditKeyValues[9].Key \|aval9:=event.AuditKeyValues[9].ValueString \|akey10:=event.AuditKeyValues[10].Key \|aval10:=event.AuditKeyValues[10].ValueString \|akey11:=event.AuditKeyValues[11].Key \|aval11:=event.AuditKeyValues[11].ValueString \|akey12:=event.AuditKeyValues[12].Key \|aval12:=event.AuditKeyValues[12].ValueString \|akey13:=event.AuditKeyValues[13].Key \|aval13:=event.AuditKeyValues[13].ValueString \|akey14:=event.AuditKeyValues[14].Key \|aval14:=event.AuditKeyValues[14].ValueString \|akey15:=event.AuditKeyValues[15].Key \|aval15:=event.AuditKeyValues[15].ValueString \|akey16:=event.AuditKeyValues[16].Key \|aval16:=event.AuditKeyValues[16].ValueString \|akey17:=event.AuditKeyValues[17].Key \|aval17:=event.AuditKeyValues[17].ValueString \|akey18:=event.AuditKeyValues[18].Key \|aval18:=event.AuditKeyValues[18].ValueString \|akey19:=event.AuditKeyValues[19].Key \|aval19:=event.AuditKeyValues[19].ValueString \|akey20:=event.AuditKeyValues[20].Key \|aval20:=event.AuditKeyValues[20].ValueString \|rename(metadata.customerIDString, as="Customer ID")\|User := rename(event.UserId)\|UserIP := rename(event.UserIp) \|Service:=event.ServiceName \|Operation:=event.OperationName\|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])	`Table`
Blocked Requests - Inbound	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=3\|count()`	`Gauge`
Identity Protection Events	Hide Query Show Query logscale `* \| metadata.eventType=IdentityProtectionEvent\|count()`	`Gauge`
Events over time	Hide Query Show Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`
Inbound Blocked Requests	Hide Query Show Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 3\|sankey(source=event.RemoteAddress, target=event.LocalAddress)`	`Sankey`

User Activity

Widget	Description	Type
Policy events	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| e metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| count()`	`Gauge`
Policty events by Users	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \|User:=event.UserId\|groupby(User)\|events:=rename(_count)`	`Pie Chart`
User Activity by ServiceName	Hide Query Show Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|metadata.customerIDString = ?cid\|groupby(event.ServiceName)`	`Bar Chart`
Policy events types	Hide Query Show Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| groupby(event.OperationName)`	`Pie Chart`
Events by eventtype	Hide Query Show Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Activity by Operations	Hide Query Show Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|groupBy("event.OperationName")`	`Pie Chart`
User Activity Events	Hide Query Show Query logscale `* \| metadata.eventType=UserActivityAuditEvent\| metadata.customerIDString = ?cid\|count()`	`Gauge`
User Activity Events	Hide Query Show Query logscale metadata.eventType = UserActivityAuditEvent \| event.OperationName = *\| metadata.customerIDString = ?cid\|akey0:=event.AuditKeyValues[0].Key \|aval0:=event.AuditKeyValues[0].ValueString \|akey1:=event.AuditKeyValues[1].Key \|aval1:=event.AuditKeyValues[1].ValueString \|akey2:=event.AuditKeyValues[2].Key \|aval2:=event.AuditKeyValues[2].ValueString \|akey3:=event.AuditKeyValues[3].Key \|aval3:=event.AuditKeyValues[3].ValueString \|akey4:=event.AuditKeyValues[4].Key \|aval4:=event.AuditKeyValues[4].ValueString \|akey5:=event.AuditKeyValues[5].Key \|aval5:=event.AuditKeyValues[5].ValueString \|akey6:=event.AuditKeyValues[6].Key \|aval6:=event.AuditKeyValues[6].ValueString \|akey7:=event.AuditKeyValues[7].Key \|aval7:=event.AuditKeyValues[7].ValueString \|akey8:=event.AuditKeyValues[8].Key \|aval8:=event.AuditKeyValues[8].ValueString \|akey9:=event.AuditKeyValues[9].Key \|aval9:=event.AuditKeyValues[9].ValueString \|akey10:=event.AuditKeyValues[10].Key \|aval10:=event.AuditKeyValues[10].ValueString \|akey11:=event.AuditKeyValues[11].Key \|aval11:=event.AuditKeyValues[11].ValueString \|akey12:=event.AuditKeyValues[12].Key \|aval12:=event.AuditKeyValues[12].ValueString \|akey13:=event.AuditKeyValues[13].Key \|aval13:=event.AuditKeyValues[13].ValueString \|akey14:=event.AuditKeyValues[14].Key \|aval14:=event.AuditKeyValues[14].ValueString \|akey15:=event.AuditKeyValues[15].Key \|aval15:=event.AuditKeyValues[15].ValueString \|akey16:=event.AuditKeyValues[16].Key \|aval16:=event.AuditKeyValues[16].ValueString \|akey17:=event.AuditKeyValues[17].Key \|aval17:=event.AuditKeyValues[17].ValueString \|akey18:=event.AuditKeyValues[18].Key \|aval18:=event.AuditKeyValues[18].ValueString \|akey19:=event.AuditKeyValues[19].Key \|aval19:=event.AuditKeyValues[19].ValueString \|akey20:=event.AuditKeyValues[20].Key \|aval20:=event.AuditKeyValues[20].ValueString \|rename(metadata.customerIDString, as="Customer ID")\|User := rename(event.UserId)\|UserIP := rename(event.UserIp) \|Service:=event.ServiceName \|Operation:=event.OperationName\|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])	`Table`
Events over time	Hide Query Show Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`

Enter search term