Falcon Forensics Dashboards
CROWDSTRIKE UNIVERSITY
PAGE | 02 FALCON FORENSICS DASHBOARDS
OVERVIEW
Once you have successfully deployed the Falcon Forensics binary to the specified endpoints,
the collected information will populate in the Falcon Forensics dashboards.
Host Info Dashboard - Shows the types of artifacts gathered for the system
Quick Wins Dashboard - Shows pre-built panels to help uncover malicious activity
Running processes at the time of collection
Shim cache artifacts that have been collected
1. Select your company name from the Company dropdown. Most likely, you
can leave this at “All.”
2. Select your collection Ingest time. This is set to All time by default.
Note: No data older than 30 days is available, because collected data is
deleted automatically after 30 days by default.
3. Click in the Panels text box to view a dropdown of available panels.
The Quick Wins Dashboard panels provide a quick way to identify malicious
activity. Additionally, these panels represent techniques that can be used to
analyze and derive value from the Falcon Forensics data and provide hunting
leads that allow you to jump to more information and dive deeper.
Filesystem
Shows evidence of potential attacker tools or malware that may still be on
disk. These queries identify executables in suspicious directories, files
with suspicious file extensions, and RAR archives whose file extension does
not match their content, among other artifacts.
Known Malware
Shows artifact queries that may uncover evidence of specific malware
families or malicious tools like Mimikatz and Cobalt Strike.
Windows XP
Shows malicious AT scheduled jobs (jobs created with the legacy at.exe
scheduler, which attackers have used for persistence and remote execution).
Events
Shows example queries that may be used to uncover malicious activity
within the event log artifacts collected by Falcon Forensics. This panel
covers scenarios where an attacker may have installed a malicious service
or started a malicious process on the system.
Registry
Shows registry artifacts showing the use of a persistence technique known
as Event Triggered Execution, where an attacker registers a "debugger" for
an application (the Image File Execution Options Debugger value) so that
the attacker's binary runs whenever that application is launched.
1. Set the Company dropdown. You can most likely leave this at "All."
2. You can display data from either one host or multiple hosts. Select Yes in the
Multi System options to display data from multiple hosts.
3. If you are displaying data from only one host, enter your hostname. If you are
displaying data from multiple hosts, enter their hostnames separating each
hostname with a comma.
Note: You can include all hosts by entering * but be mindful that if you do
so, it could load a lot of data. This could be helpful in a situation where an
attacker is pivoting from system to system, running tools.
5. Select the Span from the dropdown to set how long a time span to display.
TIP: This search results in a graphical display of spikes in activity tied to
the Falcon Forensics modules.
File names with zero or one character before the extension, for the
extensions bat, cmd, ps1, vbs, and vbe, with noise reduction:
sourcetype=dirlist (name=*.bat OR name=*.cmd OR name=*.ps1 OR name=*.vbs OR name=*.vbe) | eval file_length=len(name) | where file_length<6 | table systemname pathname sha256
Note: len(name) counts the whole file name including the four-character
extension, so file_length<6 keeps exactly the names with zero or one
character before the dot (for example ".bat" or "a.cmd").
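The checks described for the Filesystem and Registry panels above, together with the dirlist query just shown, re-implemented in Python over constructed artifact records. This is an added example, not CrowdStrike's code or the dashboard's own queries: the record fields (systemname, pathname, sha256, header bytes, registry key/value/data), the suspicious-directory list and every sample record are assumptions made for illustration. The RAR signature bytes and the Image File Execution Options Debugger value are real; a hit is a hunting lead to pivot on, not a verdict, since legitimate debugger registrations and short script names do occur.

```python
"""Hunting rules over Falcon Forensics-style artifacts (added example, not CrowdStrike code).

The record layout is an assumed schema and the sample records are constructed;
only the RAR magic and the IFEO Debugger value are real-world facts.
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics even when the analysis host is not Windows

SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".vbe"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com"}
# Assumed staging directories (illustrative, not the dashboard's own list).
SUSPICIOUS_DIRS = (r"c:\windows\temp", r"c:\users\public", r"c:\perflogs", r"c:\$recycle.bin")
RAR_MAGIC = b"Rar!\x1a\x07"   # RAR 4.x and 5.x archives both begin with these six bytes
MAX_NAME_LEN = 6              # mirrors "where file_length<6" in the page's dirlist query
IFEO_PREFIX = r"hklm\software\microsoft\windows nt\currentversion\image file execution options"


@dataclass(frozen=True)
class DirEntry:
    systemname: str
    pathname: str
    sha256: str
    header: bytes = b""  # leading file bytes, constructed here; a pure dirlist carries no content

    @property
    def name(self) -> str:
        return ntpath.basename(self.pathname)

    @property
    def ext(self) -> str:
        # Not ntpath.splitext: it treats ".bat" as a name with no extension, and a
        # zero-character stem is exactly what the page's short-name query is after.
        dot = self.name.rfind(".")
        return self.name[dot:].lower() if dot >= 0 else ""


@dataclass(frozen=True)
class RegValue:
    systemname: str
    key: str
    value: str
    data: str


def short_script_names(entries):
    """The page's query: script extensions whose whole file name is under six characters."""
    return [e for e in entries if e.ext in SCRIPT_EXTS and len(e.name) < MAX_NAME_LEN]


def executables_in_suspicious_dirs(entries):
    """Executables sitting in directories attackers commonly stage tools in."""
    out = []
    for e in entries:
        d = ntpath.dirname(e.pathname).lower()
        if e.ext in EXEC_EXTS and any(d == s or d.startswith(s + "\\") for s in SUSPICIOUS_DIRS):
            out.append(e)
    return out


def rar_with_mismatched_extension(entries):
    """Content is a RAR archive (by magic bytes) but the extension says otherwise."""
    return [e for e in entries if e.header.startswith(RAR_MAGIC) and e.ext != ".rar"]


def ifeo_debuggers(values):
    """Image File Execution Options 'Debugger' values: Event Triggered Execution persistence."""
    return [v for v in values
            if v.key.lower().startswith(IFEO_PREFIX + "\\") and v.value.lower() == "debugger"]


def run_hunt(entries, values):
    """Return sorted, de-duplicated (rule, systemname, path-or-key, detail) tuples."""
    hits = set()
    for e in short_script_names(entries):
        hits.add(("short_script_name", e.systemname, e.pathname, e.sha256))
    for e in executables_in_suspicious_dirs(entries):
        hits.add(("exe_in_suspicious_dir", e.systemname, e.pathname, e.sha256))
    for e in rar_with_mismatched_extension(entries):
        hits.add(("rar_mismatched_ext", e.systemname, e.pathname, e.sha256))
    for v in ifeo_debuggers(values):
        hits.add(("ifeo_debugger", v.systemname, v.key, v.data))
    return sorted(hits)


# Constructed sample artifacts; none of this is real collection data.
SAMPLE_DIRLIST = [
    DirEntry("WS01", r"C:\Users\Public\a.bat", "aa" * 32),
    DirEntry("WS01", r"C:\Users\Public\1.exe", "bb" * 32, b"MZ\x90\x00"),
    DirEntry("WS01", r"C:\Users\alice\Documents\report.docx", "cc" * 32, b"PK\x03\x04"),
    DirEntry("WS02", r"C:\Windows\Temp\x.txt", "dd" * 32, RAR_MAGIC + b"\x00"),
    DirEntry("WS02", r"C:\Windows\Temp\backup.rar", "ee" * 32, RAR_MAGIC + b"\x00"),
    DirEntry("WS02", r"C:\Windows\Temp\.cmd", "ff" * 32),
    DirEntry("WS02", r"C:\Scripts\cleanup_old_logs.ps1", "12" * 32),
    DirEntry("WS03", r"C:\Program Files\Vendor\svc.exe", "34" * 32, b"MZ\x90\x00"),
]
SAMPLE_REGISTRY = [
    RegValue("WS03",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe",
             "Debugger", r"C:\Windows\System32\cmd.exe"),
    RegValue("WS03", r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
             "LoadAppInit_DLLs", "0"),
]

if __name__ == "__main__":
    for hit in run_hunt(SAMPLE_DIRLIST, SAMPLE_REGISTRY):
        print(*hit)
```

Each rule returns the same systemname, pathname and sha256 columns the page's query tables, so a hit can be pivoted on in the other panels; the extension is taken from the last dot deliberately, because the page's query also catches names such as ".bat" that a standard splitext would miss.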