CrowdStrike Analytics
After Logpoint ingests your CrowdStrike logs, you can:
Use Search Templates to access and view events.
Access and view events through Dashboards.
You can use the following Alert Rules for CrowdStrike:
LP_High Severity EPP
LP_Host Generating Multiple High Severity EPP Alert
LP_Host Generating Multiple Medium Severity EPP Alert
LP_Medium Severity EPP Alert
Search Templates
Search Templates are GUI-based search queries built from base queries or placeholders that are filled in at run time. You can add multiple base queries to a search template and use them to run searches or to create dashboard widgets.
CrowdStrike includes one out-of-the-box Search Template:
LP_Crowdstrike
Add the CrowdStrike Search Template
Go to Settings >> KnowledgeBase from the navigation bar and click Search Templates.
Select VENDOR SEARCH TEMPLATES from the drop-down and click LP_Crowdstrike.
In Update Parameters:
Select Override widget time range to set a time range.
Select the Repos to search.
Click Update.
After updating, the widgets start populating with results. Logpoint forwards you to the Search Template View, where you can see the dashboards generated from the search.
CrowdStrike Dashboard
Dashboards give you a visualization of log source data that is updated in real time. The out-of-the-box dashboards included with the integration are called Vendor Dashboards.
CrowdStrike has one out-of-the-box dashboard:
LP_Crowdstrike
This dashboard consists of the following widgets:
Overview
A summary of detected events, with information such as Event ID, Category, Source IP, Source Port and Destination IP.
Event Type Distributions
A summary of the events that occurred, with information such as the date and time of occurrence, the description of the event, its severity, and the application or process involved.
Detection Update Summary
The detection ID and its status, along with assignment information such as user, assigned user, source address, assigned to, comment and status.
Top Host Generating Detection
The top 20 hosts that generated detections, broken down by host, log level and event category.
Incident Summary
A summary of each incident based on start and end timestamp, incident duration, state, URL and fine score.
Real Time Response Summary
A summary of real-time response activity based on log timestamp, user, host and command. Real Time Response lets security administrators remotely access user systems for administration tasks, remediation actions or forensic collection without requiring physical access to the system.
Successful User Login Events
Successful user login events based on user, event category, source address and event timestamp.
Failed User Login Events
Failed user login events.
Top 10 Detection by Tactic
The top ten detections associated with each attack category, such as execution, command and control, and machine learning.
Top 10 Detection by Techniques
The top ten detections associated with each attack tag. An attack tag corresponds to an attack technique, such as spoofing, that an attacker uses to exploit vulnerabilities in your systems.
Top 10 Detections by Objective
The top ten detections grouped by objective, that is, by what the attacker tried to accomplish.
Top 10 Detection by Log Level
Detections grouped by log level, which helps flag critical issues that need an immediate response.
Top 10 Quarantined Files
The top quarantined files across hosts, based on host, file and hash.
Detection Summary
The overall summary of detections based on log timestamp, log level, host, source address, user, attack tag, file, message, IOC type and IOC value.
Host Generating Higher Severity Detection
Hosts generating high or critical severity detections, so that security administrators can prioritize them and respond quickly.
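The widgets above and the "Host Generating Multiple High Severity EPP Alert" rule are all aggregations over the same detection fields (host, log level, tactic, attack tag). The following Python is an added example, not Logpoint's or CrowdStrike's own code, showing how those aggregations work on a handful of constructed detection records: top-N counts per field (the "Top 10 Detection by ..." widgets), hosts with any high or critical detection (the "Host Generating Higher Severity Detection" widget), and hosts that raise several detections of one severity inside a time window (the condition behind the "multiple ... severity" alert rules). The field names, the one-hour window and the threshold of two are assumptions; the page does not state Logpoint's field names or the real rule parameters.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample detections. Field names (ts, host, log_level, tactic, attack_tag, user)
# are assumptions chosen to mirror the dashboard columns, not Logpoint's real field names.
SAMPLE_DETECTIONS = [
    {"ts": "2024-01-10T08:00:00", "host": "ws-01", "log_level": "high", "tactic": "Execution", "attack_tag": "T1059", "user": "alice"},
    {"ts": "2024-01-10T08:05:00", "host": "ws-01", "log_level": "high", "tactic": "Execution", "attack_tag": "T1059", "user": "alice"},
    {"ts": "2024-01-10T08:07:00", "host": "ws-01", "log_level": "medium", "tactic": "Defense Evasion", "attack_tag": "T1036", "user": "alice"},
    {"ts": "2024-01-10T09:00:00", "host": "srv-db", "log_level": "critical", "tactic": "Command and Control", "attack_tag": "T1071", "user": "svc-db"},
    {"ts": "2024-01-10T09:30:00", "host": "ws-02", "log_level": "high", "tactic": "Execution", "attack_tag": "T1059", "user": "bob"},
    {"ts": "2024-01-11T10:00:00", "host": "ws-02", "log_level": "high", "tactic": "Persistence", "attack_tag": "T1547", "user": "bob"},
    {"ts": "2024-01-10T11:00:00", "host": "ws-03", "log_level": "low", "tactic": "Machine Learning", "attack_tag": "ml-adware", "user": "carol"},
]

# Severities treated as "higher severity" for the prioritisation widget (assumption).
HIGH_SEVERITIES = {"high", "critical"}


def top_by_field(events, field, n=10):
    """Top-N value counts of one field, the shape of the 'Top 10 Detection by
    Tactic / Techniques / Log Level' and 'Top Host Generating Detection' widgets."""
    return Counter(e[field] for e in events if field in e).most_common(n)


def hosts_with_higher_severity(events):
    """Hosts with at least one high or critical detection, i.e. the set the
    'Host Generating Higher Severity Detection' widget asks administrators to prioritise."""
    return sorted({e["host"] for e in events if e["log_level"] in HIGH_SEVERITIES})


def hosts_with_multiple_severity_alerts(events, severity, min_count=2, window=timedelta(hours=1)):
    """Hosts that raised at least min_count detections of the given severity within a
    sliding time window. This is the kind of condition behind the 'Host Generating
    Multiple High/Medium Severity EPP Alert' rules; window and threshold are assumptions."""
    by_host = defaultdict(list)
    for e in events:
        if e["log_level"] == severity:
            by_host[e["host"]].append(datetime.fromisoformat(e["ts"]))

    flagged = []
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("Top hosts:", top_by_field(SAMPLE_DETECTIONS, "host"))
    print("Top tactics:", top_by_field(SAMPLE_DETECTIONS, "tactic"))
    print("Higher-severity hosts:", hosts_with_higher_severity(SAMPLE_DETECTIONS))
    print("Multiple high within 1h:", hosts_with_multiple_severity_alerts(SAMPLE_DETECTIONS, "high"))
```

With the sample data, ws-01 is the only host flagged for multiple high-severity detections within an hour; ws-02 also has two high-severity detections, but a day apart, so the sliding window does not group them. Widening the window (for example to two days) flags both, which is the trade-off the real rule's parameters encode between noise and missed slow-burn activity.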
Add the CrowdStrike Dashboard
Go to Settings >> KnowledgeBase from the navigation bar and click Dashboards.
Select VENDOR DASHBOARD from the drop-down.
Click the Use icon under Actions.
Click Choose Repos.
Select the repo that stores the logs and click Done.
Select the dashboard and click Ok.
You can then find the CrowdStrike dashboards under Dashboards.