Sumo Logic

Install the CrowdStrike Falcon Platform App and view the Dashboards

Install the Sumo Logic App

Once you have configured collection, you can install the Sumo Logic App for CrowdStrike Falcon Platform. The app allows you to analyze CrowdStrike security events by type, status, and detection method. You can use the app to investigate CrowdStrike-specific events and provide operational visibility to team members from pre-configured searches and dashboards, without logging into the CrowdStrike console.

To install the app:

  1. Select App Catalog, search for and select the app, and click Add to Library. (In the classic UI, click Library, click Apps, select the app, and click Install. If you don't find the app under Apps, it might be a preview app. Try clicking Preview to find the app.)
  2. Click Preview Dashboards if you'd like to see a preview of the dashboards included with the app before installing.
  3. In the Install Application dialog box, select the installation path (the default is the Personal folder in the library), or click New Folder to add a new folder.
  4. Select either of these options for the log data source.
  • Choose Select from Existing Source Categories, and select the source category from the Source Category list.
  • Choose Enter a Custom Data Filter and enter a custom filter on the source category; the metadata field name begins with an underscore. Example: _sourceCategory=MyCategory.
  5. Click Add to Library.

Once an app is installed, it appears in your Personal folder or in the folder you specified. From there, you can share it with your organization. See Welcome to the New Library for information on working with the library in the new UI.

Panels start to fill automatically. Each panel fills only with data that matches its query's time range and that was received after the panel was created, so results are not available immediately; after some time, the graphs and maps fill in.

Dashboards

CrowdStrike - Overview

Run the CrowdStrike - Overview Dashboard in Live Mode for visibility into your CrowdStrike system.

Events Outlier. Displays the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Shows the historical number of events and a projection 10 minutes into the future in a line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Authentication Services. Provides the number of successful and failed authentications, broken down by the type of authentication that requested the operation, in a column chart for the last hour.

Detection Summary by Severity. Displays percentage of severity levels 1, 2, 3, and 4 in a pie chart for the last hour.

Detection Summary by Type. Shows the percentage of events by detection type, for example AV scan results or network access, in a pie chart for the last hour.

Top 50 Severity with Falcon Links. Provides a table chart of the top 50 events including the Falcon links and severity level for the last hour. Click the link to drill down into your CrowdStrike console for more information.

Severity Definition. This text Panel displays the CrowdStrike definition of severity:

  • 1—Informational. Interesting or suspicious behavior not known to be malicious.
  • 2—Low. Presence of likely unwanted activity, for example, adware.
  • 3—Medium. Malicious activity not known to be targeted.
  • 4—High. Likely targeted attack with potential for widespread impact.

Detection Type by Severity. Displays events by severity level in a stacked column chart for the last hour.  

Severity by Detection Type. Shows severity by detection type in a stacked column chart for the last hour.
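The Overview panels above describe what the dashboard shows (a 3-sigma outlier band over event counts, the split of detections by severity, and "Top 50 ... by Severity" rankings) but not how those figures are produced. The following Python script is an added example written for this page; it is not code from the Sumo Logic app or from CrowdStrike. It reproduces those three computations over constructed sample data so you can check a panel's logic offline: the input field names (`metadata.eventType`, `event.Severity`, `event.ComputerName`, `event.UserName`, `event.DetectName`) follow the Falcon Event Streams DetectionSummaryEvent layout as an assumption, the severity scale is the 1-4 scale defined on this page, and the `window`, `threshold` and `min_stdev` parameters of `find_outliers` are choices made here, not Sumo Logic outlier settings.

```python
"""Summarise CrowdStrike Falcon detections by severity and flag 3-sigma outliers.

Added example, not Sumo Logic app code or CrowdStrike code. Field names follow
the Falcon Event Streams DetectionSummaryEvent layout as an assumption; the
sample records and the count series below are constructed for this example.
"""
import json
import statistics
from collections import Counter

# Severity scale as defined on this page (1-4).
SEVERITY_NAMES = {1: "Informational", 2: "Low", 3: "Medium", 4: "High"}

# Constructed NDJSON sample: five detections, one non-detection event, one
# malformed line, and one record whose severity is off the 1-4 scale.
SAMPLE_EVENTS = """\
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1699999860000}, "event": {"Severity": 4, "DetectName": "Suspicious PowerShell", "ComputerName": "ws-01", "UserName": "alice"}}
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1699999920000}, "event": {"Severity": 2, "DetectName": "Adware", "ComputerName": "ws-02", "UserName": "bob"}}
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1699999980000}, "event": {"Severity": 3, "DetectName": "Known Malware", "ComputerName": "ws-01", "UserName": "alice"}}
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000040000}, "event": {"Severity": 1, "DetectName": "Unusual Process", "ComputerName": "ws-03", "UserName": "carol"}}
{"metadata": {"eventType": "AuthActivityAuditEvent", "eventCreationTime": 1700000100000}, "event": {"OperationName": "userAuthenticate", "Success": true}}
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000160000}, "event": {"Severity": 4, "DetectName": "Suspicious PowerShell", "ComputerName": "ws-01", "UserName": "alice"}}
this line is not JSON
{"metadata": {"eventType": "DetectionSummaryEvent", "eventCreationTime": 1700000220000}, "event": {"Severity": 9, "DetectName": "Bad Severity", "ComputerName": "ws-04", "UserName": "dave"}}
"""

# Constructed detection counts per 5-minute slice for one hour (12 slices).
# The spike in slice 10 is what an Events Outlier panel should flag.
SAMPLE_SERIES = [12, 14, 11, 13, 12, 15, 13, 12, 14, 13, 48, 12]


def parse_detections(ndjson_text):
    """Return (detections, dropped); dropped counts skipped lines by reason."""
    detections, dropped = [], Counter()
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
            metadata, event = record["metadata"], record["event"]  # dicts assumed
        except (json.JSONDecodeError, KeyError, TypeError):
            dropped["malformed_json"] += 1
            continue
        if metadata.get("eventType") != "DetectionSummaryEvent":
            dropped["other_event_type"] += 1
            continue
        severity = event.get("Severity")
        if severity not in SEVERITY_NAMES:  # only the 1-4 scale is accepted
            dropped["unknown_severity"] += 1
            continue
        detections.append({
            "severity": severity,
            "severity_name": SEVERITY_NAMES[severity],
            "detect_name": event.get("DetectName", ""),
            "host": event.get("ComputerName", ""),
            "user": event.get("UserName", ""),
        })
    return detections, dropped


def severity_summary(detections):
    """Percent of detections per severity name (Detection Summary by Severity)."""
    counts = Counter(d["severity_name"] for d in detections)
    total = sum(counts.values())
    if not total:
        return {}
    return {name: round(100.0 * counts[name] / total, 1)
            for _, name in sorted(SEVERITY_NAMES.items(), reverse=True)}


def top_by_severity(detections, field, limit=50):
    """Rank values of `field` (host, user, detect_name) by worst severity, then count."""
    worst, count = {}, Counter()
    for d in detections:
        worst[d[field]] = max(worst.get(d[field], 0), d["severity"])
        count[d[field]] += 1
    ranked = sorted(worst, key=lambda k: (-worst[k], -count[k], k))
    return [(k, worst[k], count[k]) for k in ranked[:limit]]


def find_outliers(series, window=6, threshold=3.0, min_stdev=1.0):
    """Flag slices outside mean +/- threshold*stdev of the preceding `window`
    slices. min_stdev keeps a flat baseline from making every small change an
    outlier; it is a choice made here, not a Sumo Logic setting."""
    outliers = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        mean = statistics.fmean(baseline)
        stdev = max(statistics.pstdev(baseline), min_stdev)
        lower, upper = mean - threshold * stdev, mean + threshold * stdev
        if not lower <= series[i] <= upper:
            outliers.append({"index": i, "value": series[i],
                             "lower": round(lower, 2), "upper": round(upper, 2)})
    return outliers


if __name__ == "__main__":
    dets, dropped = parse_detections(SAMPLE_EVENTS)
    print(len(dets), "detections; dropped:", dict(dropped))
    print("severity %:", severity_summary(dets))
    print("top hosts:", top_by_severity(dets, "host"))
    print("outliers:", find_outliers(SAMPLE_SERIES))
```

Two points the panels do not make explicit are worth seeing in code: lines that fail to parse or carry a severity off the documented scale are counted rather than silently dropped, so a parser or field-name mismatch shows up as a rising `dropped` count instead of an empty chart, and the outlier band is computed from a trailing window, so the spike at slice 10 is flagged while the slice after it is not, because the spike has already widened the baseline.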

CrowdStrike - AV Scan Result

The CrowdStrike - AV Scan Result Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend in a stacked column chart on a timeline for every 5 minutes for the last hour.  

Events Outlier. Displays the standard deviation outliers in the event distribution over time on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Shows the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Engine by Severity. Provides a detailed view of the severity by engine in a stacked column chart for the last hour.

Host Domain by Severity. Shows the domains contributing to each severity level in a stacked column chart for the last hour.

Engine by Severity. Displays the number of events detected by each AV engine in a column chart for the last hour. The total number per engine is broken down by severity.

Top 50 Hosts by Severity. Displays the hosts with the highest number of severe events in a column chart for the last hour. The sorting order is by severity and host. The higher severity events are displayed at the top of the list.

Top 50 Usernames by Severity. Shows the user names with the highest number of severe events in a column chart for the last hour, sorted by severity, then by user name.

Top 50 Files by Severity. Provides the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.

CrowdStrike - Authentication Service

The CrowdStrike - Authentication Service Dashboard is designed for Live Mode to provide visibility into your CrowdStrike system.

Authentication Over Time. Displays the trend in authentication events in a column chart on a timeline, in 5-minute time slices, for the last three hours.

Authentication Outlier. Shows the standard deviation outliers in the authentication event distribution over time on a timeline for the last three hours. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Failed Authentications. Provides failed authentications in a table chart including the time, user name, and the source IP for the last three hours.

Authentication Forecast. Displays the historical number of authentication events and a projection 10 minutes into the future in a predict line chart on a timeline for the last three hours. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

CrowdStrike - Detection Summary

The CrowdStrike - Detection Summary Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend in a stacked column chart on a timeline for the last hour.  

Events Outlier. Shows the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Provides the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Host Domain by Severity. Displays the domain contribution level to each severity level in a stacked column chart for the last hour.

Top 50 Usernames by Severity. Shows the user name with the highest severity level and highest number of severe events in a column chart for the last hour. The sorting is by severity and user name.

Top 50 Messages by Severity. Provides a table of the messages with the highest number of severe events, with message, severity, and count columns, sorted by severity, then by message.

Top 50 Hosts by Severity. Provides the hosts with the highest number of severe events in a column chart for the last hour, sorted by severity, then by host, so the highest-severity events appear at the top of the list.

Top 50 Files by Severity. Displays the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.

CrowdStrike - DNS Request

The CrowdStrike - DNS Request Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend in a stacked column chart on a timeline for the last hour.  

Events Outlier. Shows the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Provides the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Host Domain by Severity. Displays the domains that contribute to each severity level in a stacked column chart for the last hour.

Top 50 Files by Severity. Shows the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.

Top 50 Hosts by Severity. Provides the hosts with the highest number of severe events in a column chart for the last hour, sorted by severity, then by host, so the highest-severity events appear at the top of the list.

Top 50 Usernames by Severity. Displays the user name with the highest severity and highest number of severe events in a column chart for the last hour. The sorting is by severity and user name.

CrowdStrike - Document Access

The CrowdStrike - Document Access Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend of severity over time in a stacked column chart on a timeline for the last hour.  

Events Outlier. Shows the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Provides the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Host Domain by Severity. Shows the domains contributing to each severity level in a stacked column chart on a timeline for the last hour.

Top 50 Documents Accessed by Severity. Displays the accessed documents with the highest number of severe events in a column chart for the last hour, sorted by severity, then by document.

Top 50 Hosts by Severity. Shows the hosts with the highest number of severe events. The sorting order is by severity and host. The higher severity events are displayed at the top of the list.

Top 50 Usernames by Severity. Provides the user name with the highest severity and highest number of severe events in a column chart for the last hour. The sorting is by severity and user name.

Top 50 Files by Severity. Displays the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.

CrowdStrike - Executable Written

The CrowdStrike - Executable Written Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend of severity over time in a stacked column chart on a timeline for the last hour.  

Events Outlier. Shows the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Provides the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Host Domain by Severity. Displays the domains contributing to each severity level in a stacked column chart for the last hour.

Top 50 Written Files by Severity. Shows the written files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by written file.

Top 50 Hosts by Severity. Provides the hosts with the highest number of severe events. The sorting order is by severity and host. The higher severity events are displayed at the top of the list.

Top 50 Usernames by Severity. Displays the user names with the highest severity level and the highest number of severe events in a column chart for the last hour. The sorting is by severity and user name.

Top 50 Files by Severity. Shows the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.

CrowdStrike - Network Access

The CrowdStrike - Network Access Dashboard includes filters that you can use in Interactive Mode for visibility into your CrowdStrike system.

Severity Over Time. Displays the event distribution trend of severity over time in a stacked column chart on a timeline for the last hour.  

Events Outlier. Shows the standard deviation outliers in the event distribution over time in an outlier chart on a timeline for the last hour. Event counts are expected to stay within three standard deviations of the baseline; points outside that band are flagged as outliers and warrant investigation.

Events Forecast. Provides the historical number of events and a projection 10 minutes into the future in a predict line chart on a timeline for the last hour. If the projection trends higher than expected, investigate the source of the additional events before they overwhelm collection.

Host Domain by Severity. Displays the domains contributing to each severity level in a stacked column chart on a timeline for the last hour.

Top 50 Destination IPs by Severity. Shows the destination IPs with the highest number of severe events in a column chart for the last hour, sorted by severity, then by destination IP.

Top 50 Hosts by Severity. Provides the hosts with the highest number of severe events in a column chart for the last hour. The sorting order is by severity and host. The higher severity events are displayed at the top of the list.

Top 50 Usernames by Severity. Displays the user name with the highest severity and highest number of severe events. The sorting is by severity and user name.

Top 50 Files by Severity. Shows the files with the highest number of severe events in a column chart for the last hour, sorted by severity, then by file name.