crowdstrike/siem-connector Dashboards

Detections

The CrowdStrike SIEM Connector Detections dashboard provides comprehensive visibility into security detections and alerts from CrowdStrike Falcon through a series of interconnected visualizations. This dashboard enables monitoring, analysis, and response to potential threats in the environment.
Firewall Activity

The CrowdStrike SIEM Connector Firewall Activity dashboard provides real-time visibility into network traffic patterns, security policy enforcement, and potential threats detected at the firewall level. This dashboard facilitates monitoring and analysis of network traffic behavior and security events across the environment.
Summary Dashboard

The CrowdStrike SIEM Connector Summary dashboard serves as a high-level overview of security events, system health, and key metrics across the environment. This dashboard delivers a consolidated view of security posture and critical operational indicators.
User Activity

The CrowdStrike SIEM Connector User Activity dashboard provides comprehensive visibility into user behavior, authentication events, and account-related activities across the environment. This dashboard facilitates monitoring of user actions, detection of suspicious behavior patterns, and tracking of authentication anomalies.

Detections

The CrowdStrike SIEM Connector Detections dashboard provides comprehensive visibility into security detections and alerts from CrowdStrike Falcon through a series of interconnected visualizations. This dashboard enables monitoring, analysis, and response to potential threats in the environment.

Widget	Description	Type
Detection Types	Displays a pie chart of detection types. Hide Query Show Query Explain Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.DetectName)`	`Pie Chart`
Detections	Displays a table of event detections and associated data (timestamp, sensor ID, ComputerName, User,Severity, Local IP, etc.) Hide Query Show Query Explain Query logscale metadata.eventType=DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid \|SensorId := event.SensorId\| ComputerName:=event.ComputerName\|User:=event.UserName\|DetectName:=event.DetectName\|Severity:=event.SeverityName\|LocalIP:=event.LocalIP\|Tactic:=event.Tactic\|Technique:= event.Technique\| Description:= event.DetectDescription\|Objective:=event.Objective \|table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])	`Table`
Techniques over Time	Displays a chart of detected event techniques over a 1 hour timespan. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Technique)`	`Time Chart`
Detection Events	Displays a summary of detection events by computer name and customer IDS string. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent\|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|count("metadata.eventType")`	`Gauge`
Detections by Technique	Displays a chart of detections by technique. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Technique)`	`Bar Chart`
Detection by Tactic	Displays a chart of event detections by tactic. Hide Query Show Query Explain Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.Tactic)`	`Bar Chart`
Tactic over Time	Displays a chart of event tactics over a 1 hour timespan by computer name and customer IDS string. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Tactic)`	`Time Chart`
Tactics	Displays a pie chart of top event tactics. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Tactic)`	`Pie Chart`
Events by eventtype	Displays a chart of events by event type using metadata. Hide Query Show Query Explain Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Events over time	Displays a list of events over time Hide Query Show Query Explain Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`

Firewall Activity

The CrowdStrike SIEM Connector Firewall Activity dashboard provides real-time visibility into network traffic patterns, security policy enforcement, and potential threats detected at the firewall level. This dashboard facilitates monitoring and analysis of network traffic behavior and security events across the environment.

Widget	Description	Type
Firewall Events	Displays a table of firewall events and associated data (host name, device ID, event type, event policy name, etc.) Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \|select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])`	`Table`
Outbound Blocked Requests	Displays a flowchart of outbound blocked requests using firewall data from local address to remote address. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 1\|sankey(source="event.LocalAddress",target="event.RemoteAddress")`	`Sankey`
Blocked Requests - Outbound	Displays a list of outbound blocked requests. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=1\|count()`	`Gauge`
Events by eventtype	Displays a chart of events by event type using metadata. Hide Query Show Query Explain Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Blocked Requests - Inbound	Displays a list of blocked inbound access requests using metadata. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=3\|count()`	`Gauge`
FIrewall Activity - Total events	Displays a list of total firewall event activities. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \|count()`	`Gauge`
Events over time	Displays a list of events over time Hide Query Show Query Explain Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`
Inbound Blocked Requests	Displays a flowchart of inbound blocked requests from remote address to local address. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 3\|sankey(source=event.RemoteAddress, target=event.LocalAddress)`	`Sankey`

Summary Dashboard

The CrowdStrike SIEM Connector Summary dashboard serves as a high-level overview of security events, system health, and key metrics across the environment. This dashboard delivers a consolidated view of security posture and critical operational indicators.

Widget	Description	Type
Policy events	Displays a list policy events and associated data. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| e metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| count()`	`Gauge`
Detections	Displays a table of event detections and associated data (timestamp, sensor ID, ComputerName, User,Severity, Local IP, etc.) Hide Query Show Query Explain Query logscale metadata.eventType=DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid \|SensorId := event.SensorId\| ComputerName:=event.ComputerName\|User:=event.UserName\|DetectName:=event.DetectName\|Severity:=event.SeverityName\|LocalIP:=event.LocalIP\|Tactic:=event.Tactic\|Technique:= event.Technique\| Description:= event.DetectDescription\|Objective:=event.Objective \|table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])	`Table`
Policty events by Users	Displays aggregated, policy-related events by user using metadata. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \|User:=event.UserId\|groupby(User)\|events:=rename(_count)`	`Pie Chart`
Techniques over Time	Displays a chart of detected event techniques over a 1 hour timespan. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Technique)`	`Time Chart`
Detection Events	Displays a summary of detection events by computer name and customer IDS string. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent\|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|count("metadata.eventType")`	`Gauge`
Firewall Events	Displays a table of firewall events and associated data (host name, device ID, event type, event policy name, etc.) Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \|select([event.HostName,event.DeviceId,event.EventType,event.PolicyName,event.RuleName,event.HostName,event.CommandLine,event.ImageFileName,event.LocalAddress,event.RemoteAddress])`	`Table`
Outbound Blocked Requests	Displays a flowchart of outbound blocked requests using firewall data from local address to remote address. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 1\|sankey(source="event.LocalAddress",target="event.RemoteAddress")`	`Sankey`
Blocked Requests - Outbound	Displays a list of outbound blocked requests. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=1\|count()`	`Gauge`
Detections by Technique	Displays a chart of detections by technique. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Technique)`	`Bar Chart`
Detection by Tactic	Displays a chart of event detections by tactic. Hide Query Show Query Explain Query logscale `metadata.eventType=DetectionSummaryEvent \|groupby(event.Tactic)`	`Bar Chart`
Tactic over Time	Displays a chart of event tactics over a 1 hour timespan by computer name and customer IDS string. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|timechart(span=1h, event.Tactic)`	`Time Chart`
User Activity by ServiceName	Displays a chart of user activity by username. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|metadata.customerIDString = ?cid\|groupby(event.ServiceName)`	`Bar Chart`
Policy events types	Displays a pie chart of policy events by type using audit data. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| groupby(event.OperationName)`	`Pie Chart`
Tactics	Displays a pie chart of top event tactics. Hide Query Show Query Explain Query logscale `metadata.eventType = DetectionSummaryEvent \|event.ComputerName=?ComputerName AND metadata.customerIDString = ?cid\|top(event.Tactic)`	`Pie Chart`
Events by eventtype	Displays a chart of events by event type using metadata. Hide Query Show Query Explain Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
User Activity Events	Displays user activity events using customer IDS string. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=UserActivityAuditEvent\| metadata.customerIDString = ?cid\|count()`	`Gauge`
User Activity Events	Displays a table of user activity events and associated data (customer ID, user ID, service, operation). Hide Query Show Query Explain Query logscale metadata.eventType = UserActivityAuditEvent \| event.OperationName = *\| metadata.customerIDString = ?cid\|akey0:=event.AuditKeyValues[0].Key \|aval0:=event.AuditKeyValues[0].ValueString \|akey1:=event.AuditKeyValues[1].Key \|aval1:=event.AuditKeyValues[1].ValueString \|akey2:=event.AuditKeyValues[2].Key \|aval2:=event.AuditKeyValues[2].ValueString \|akey3:=event.AuditKeyValues[3].Key \|aval3:=event.AuditKeyValues[3].ValueString \|akey4:=event.AuditKeyValues[4].Key \|aval4:=event.AuditKeyValues[4].ValueString \|akey5:=event.AuditKeyValues[5].Key \|aval5:=event.AuditKeyValues[5].ValueString \|akey6:=event.AuditKeyValues[6].Key \|aval6:=event.AuditKeyValues[6].ValueString \|akey7:=event.AuditKeyValues[7].Key \|aval7:=event.AuditKeyValues[7].ValueString \|akey8:=event.AuditKeyValues[8].Key \|aval8:=event.AuditKeyValues[8].ValueString \|akey9:=event.AuditKeyValues[9].Key \|aval9:=event.AuditKeyValues[9].ValueString \|akey10:=event.AuditKeyValues[10].Key \|aval10:=event.AuditKeyValues[10].ValueString \|akey11:=event.AuditKeyValues[11].Key \|aval11:=event.AuditKeyValues[11].ValueString \|akey12:=event.AuditKeyValues[12].Key \|aval12:=event.AuditKeyValues[12].ValueString \|akey13:=event.AuditKeyValues[13].Key \|aval13:=event.AuditKeyValues[13].ValueString \|akey14:=event.AuditKeyValues[14].Key \|aval14:=event.AuditKeyValues[14].ValueString \|akey15:=event.AuditKeyValues[15].Key \|aval15:=event.AuditKeyValues[15].ValueString \|akey16:=event.AuditKeyValues[16].Key \|aval16:=event.AuditKeyValues[16].ValueString \|akey17:=event.AuditKeyValues[17].Key \|aval17:=event.AuditKeyValues[17].ValueString \|akey18:=event.AuditKeyValues[18].Key \|aval18:=event.AuditKeyValues[18].ValueString \|akey19:=event.AuditKeyValues[19].Key \|aval19:=event.AuditKeyValues[19].ValueString \|akey20:=event.AuditKeyValues[20].Key \|aval20:=event.AuditKeyValues[20].ValueString \|rename(metadata.customerIDString, as="Customer ID")\|User := rename(event.UserId)\|UserIP := rename(event.UserIp) \|Service:=event.ServiceName \|Operation:=event.OperationName\|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])	`Table`
Blocked Requests - Inbound	Displays a list of blocked inbound access requests using metadata. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent event.RuleId=3\|count()`	`Gauge`
Identity Protection Events	Displays a list of identity protection events. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=IdentityProtectionEvent\|count()`	`Gauge`
Events over time	Displays a list of events over time Hide Query Show Query Explain Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`
Inbound Blocked Requests	Displays a flowchart of inbound blocked requests from remote address to local address. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=FirewallMatchEvent \| event.RuleId = 3\|sankey(source=event.RemoteAddress, target=event.LocalAddress)`	`Sankey`

User Activity

The CrowdStrike SIEM Connector User Activity dashboard provides comprehensive visibility into user behavior, authentication events, and account-related activities across the environment. This dashboard facilitates monitoring of user actions, detection of suspicious behavior patterns, and tracking of authentication anomalies.

Widget	Description	Type
Policy events	Displays a list policy events and associated data. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| e metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| count()`	`Gauge`
Policty events by Users	Displays aggregated, policy-related events by user using metadata. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\| event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \|User:=event.UserId\|groupby(User)\|events:=rename(_count)`	`Pie Chart`
User Activity by ServiceName	Displays a chart of user activity by username. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|metadata.customerIDString = ?cid\|groupby(event.ServiceName)`	`Bar Chart`
Policy events types	Displays a pie chart of policy events by type using audit data. Hide Query Show Query Explain Query logscale `metadata.eventType = UserActivityAuditEvent \| metadata.customerIDString = ?cid\|event.OperationName =~ in(values=["create_policy","update_policy","assign_policy","enable_policy","remove_policy","disable_policy","delete_policy","update_precedence"]) \| groupby(event.OperationName)`	`Pie Chart`
Events by eventtype	Displays a chart of events by event type using metadata. Hide Query Show Query Explain Query logscale `metadata.customerIDString = ?cid\|metadata.eventType!=ReconNotificationSummary*\|groupBy(metadata.eventType)`	`Bar Chart`
Activity by Operations	Displays a pie chart of user activity by operation name. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=UserActivityAuditEvent\|groupBy("event.OperationName")`	`Pie Chart`
User Activity Events	Displays user activity events using customer IDS string. Hide Query Show Query Explain Query logscale `* \| metadata.eventType=UserActivityAuditEvent\| metadata.customerIDString = ?cid\|count()`	`Gauge`
User Activity Events	Displays a table of user activity events and associated data (customer ID, user ID, service, operation). Hide Query Show Query Explain Query logscale metadata.eventType = UserActivityAuditEvent \| event.OperationName = *\| metadata.customerIDString = ?cid\|akey0:=event.AuditKeyValues[0].Key \|aval0:=event.AuditKeyValues[0].ValueString \|akey1:=event.AuditKeyValues[1].Key \|aval1:=event.AuditKeyValues[1].ValueString \|akey2:=event.AuditKeyValues[2].Key \|aval2:=event.AuditKeyValues[2].ValueString \|akey3:=event.AuditKeyValues[3].Key \|aval3:=event.AuditKeyValues[3].ValueString \|akey4:=event.AuditKeyValues[4].Key \|aval4:=event.AuditKeyValues[4].ValueString \|akey5:=event.AuditKeyValues[5].Key \|aval5:=event.AuditKeyValues[5].ValueString \|akey6:=event.AuditKeyValues[6].Key \|aval6:=event.AuditKeyValues[6].ValueString \|akey7:=event.AuditKeyValues[7].Key \|aval7:=event.AuditKeyValues[7].ValueString \|akey8:=event.AuditKeyValues[8].Key \|aval8:=event.AuditKeyValues[8].ValueString \|akey9:=event.AuditKeyValues[9].Key \|aval9:=event.AuditKeyValues[9].ValueString \|akey10:=event.AuditKeyValues[10].Key \|aval10:=event.AuditKeyValues[10].ValueString \|akey11:=event.AuditKeyValues[11].Key \|aval11:=event.AuditKeyValues[11].ValueString \|akey12:=event.AuditKeyValues[12].Key \|aval12:=event.AuditKeyValues[12].ValueString \|akey13:=event.AuditKeyValues[13].Key \|aval13:=event.AuditKeyValues[13].ValueString \|akey14:=event.AuditKeyValues[14].Key \|aval14:=event.AuditKeyValues[14].ValueString \|akey15:=event.AuditKeyValues[15].Key \|aval15:=event.AuditKeyValues[15].ValueString \|akey16:=event.AuditKeyValues[16].Key \|aval16:=event.AuditKeyValues[16].ValueString \|akey17:=event.AuditKeyValues[17].Key \|aval17:=event.AuditKeyValues[17].ValueString \|akey18:=event.AuditKeyValues[18].Key \|aval18:=event.AuditKeyValues[18].ValueString \|akey19:=event.AuditKeyValues[19].Key \|aval19:=event.AuditKeyValues[19].ValueString \|akey20:=event.AuditKeyValues[20].Key \|aval20:=event.AuditKeyValues[20].ValueString \|rename(metadata.customerIDString, as="Customer ID")\|User := rename(event.UserId)\|UserIP := rename(event.UserIp) \|Service:=event.ServiceName \|Operation:=event.OperationName\|table([@timestamp,"Customer ID",User,UserIP,Service,Operation,akey0,aval0,akey1,aval1,akey2,aval2,akey3,aval3,akey4,aval4,akey5,aval5,akey6,aval6,akey7,aval7,akey8,aval8,akey9,aval9,akey10,aval10])	`Table`
Events over time	Displays a list of events over time Hide Query Show Query Explain Query logscale `metadata.eventType!=ReconNotificationSummary* \|metadata.customerIDString = ?cid\|timechart(span=5m,metadata.eventType)`	`Time Chart`

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

crowdstrike/siem-connector Dashboards

Detections

Firewall Activity

Summary Dashboard

User Activity

Enter search term