Explore data through Dashboards

Dashboards are a convenient way to monitor events and explore data. Investigator provides a set of pre-built Falcon LogScale (Humio) dashboards for common views corresponding to protocols, logs, or specific content collections and detections.

Click Dashboards in the left navigation to get started. You can choose a specific dashboard to view, search for a dashboard, or click the Dashboards button to go to the primary landing page for all dashboards.

[Image: the Dashboards entry in the left navigation menu]

The Corelight packaged dashboards have both data-related dashboards and security-related dashboards. Some dashboards are new to Investigator.

The available dashboards include:

  • Data - Corelight Conn – Summarizes activity in conn logs, showing analytics of top hosts, services, ports, data transfers, and long-lived connections. The dashboard also includes health monitoring of potentially unavailable services.

  • Data - Corelight DNS – Summarizes host and query information in DNS logs, including details of top query types, reverse queries, queries with no response, queries to non-existent domains, and top hosts.

  • Data - Corelight Exec Overview – Provides a high level overview across multiple log sources summarizing top applications, usernames, websites, services, data transfer, and geographic information.

  • Data - Corelight Files – Provides a summary of files log activity, including information on MIME types, file protocols, file flow, bytes sent and received, and executables.

  • Data - Corelight HTTP – Provides a summary of HTTP log activity, including information on referrers, users, hosts, body length, user agents, host headers, originators, and status codes.

  • Data - Corelight Health Report - Sensor Status – Lists every sensor connected to Investigator together with its status, including log types, connections, and event rates.

  • Data - Corelight SSL – Summarizes information from SSL and x509 logs, including details on ciphers, TLS versions and validation status, certificate summary, and certificate subjects.

  • Data - Corelight Software – Summarizes information in software logs, including a breakdown of top software by connection, and software versions and types.

  • Data - Corelight x509 – Summarizes information in x509 logs, including top and rare subjects and certificate expiration information.

  • Data - Entity Overview – Summarizes the network entities.

  • Data - Key Network Questions – Shows essential network information to answer important questions, including what network technologies are in use, what systems are providing core services/access services/file transfer services, plus bandwidth measurements and conversation tracking.

  • Data - Known Entities – The Known entities logs (including known_users, known_hosts, and known_devices) extract and aggregate behavior for individual network entities. The Known Entities dashboard summarizes the entity behavior across all of these logs.

  • Data - Machine Learning Summary – Provides an overview of all machine learning models producing alerts, including model result output and detection counts.

  • Security - Corelight IP Interrogation – Provides a summary of protocol usage, and information on top connections, services, user agents and ports from conn and http logs.

  • Security - Corelight Intel – Overview of intel logs, including volume over time, indicators, and summary of details.

  • Security - Corelight Log Hunting – Overview of log volume and data across all log sources.

  • Security - Corelight Notice – Overview of Notices, including details on volume of alerts over time and alert categories.

  • Security - Corelight RDP Inference Overview – Provides details inferred from authentication requests to the server in RDP connections. Details include inference type, inferences over time, successful/failed connections, security protocol, and details for connecting users.

  • Security - Corelight SSH Inference Overview – Provides details inferred from SSH login attempts. Details include inference type, inferences over time, HASSH fingerprint details, SSH host key, SSH authentication, SSH auth success, and inference log data.

  • Security - Corelight Suricata – Overview of Suricata alerts, including details on volume of alerts over time and alert categories.

  • Security - Corelight VPN Insights – Provides details of VPN protocol connections from the vpn log, including top VPN users and VPN types.
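The panels listed above are roll-ups of fields in the Zeek-format logs a Corelight sensor emits (conn.log, dns.log, and so on). The following Python script is an added example, not Corelight's or LogScale's code, that reproduces a few of the Data - Corelight Conn and Data - Corelight DNS panels from newline-delimited JSON records so you can see which fields drive them. The log records are constructed for illustration, and the definitions of "long-lived" (duration of at least one hour), "potentially unavailable service" (a server endpoint that only saw S0 or REJ connection states) and "query with no response" (a dns record with no rcode at all) are this example's assumptions, not Corelight's documented panel definitions.

```python
"""Reproduce Conn/DNS dashboard roll-ups from Zeek-format JSON log records.

Added example, not Corelight's or LogScale's code. Field names follow the
Zeek conn.log and dns.log schemas; the sample records are constructed.
"""
import json
from collections import Counter

# Constructed sample records (not real traffic), one JSON object per line,
# in the flattened form ("id.orig_h") that Zeek's JSON writer produces.
CONN_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.orig_p":51000,"id.resp_h":"93.184.216.34","id.resp_p":443,"proto":"tcp","service":"ssl","duration":12.5,"orig_bytes":1200,"resp_bytes":54000,"conn_state":"SF"}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.orig_p":51001,"id.resp_h":"10.0.0.9","id.resp_p":22,"proto":"tcp","service":"ssh","duration":7300.0,"orig_bytes":90000,"resp_bytes":120000,"conn_state":"SF"}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.orig_p":51002,"id.resp_h":"10.0.0.9","id.resp_p":3389,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"S0"}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.7","id.orig_p":51003,"id.resp_h":"10.0.0.9","id.resp_p":3389,"proto":"tcp","duration":0.0,"orig_bytes":0,"resp_bytes":0,"conn_state":"REJ"}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.0.8","id.orig_p":51004,"id.resp_h":"10.0.0.1","id.resp_p":53,"proto":"udp","service":"dns","duration":0.02,"orig_bytes":60,"resp_bytes":140,"conn_state":"SF"}
"""

DNS_LOG = """\
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.1","proto":"udp","query":"example.com","qtype_name":"A","rcode":0,"rcode_name":"NOERROR","rejected":false}
{"ts":1700000005.5,"uid":"C6","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.1","proto":"udp","query":"qzx7k.example.net","qtype_name":"A","rcode":3,"rcode_name":"NXDOMAIN","rejected":false}
{"ts":1700000006.5,"uid":"C7","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.1","proto":"udp","query":"update.example.org","qtype_name":"AAAA","rejected":false}
{"ts":1700000007.5,"uid":"C8","id.orig_h":"10.0.0.8","id.resp_h":"10.0.0.1","proto":"udp","query":"34.216.184.93.in-addr.arpa","qtype_name":"PTR","rcode":0,"rcode_name":"NOERROR","rejected":false}
"""


def parse_log(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_hosts(conn, n=3):
    """Top originating hosts by connection count (the Conn 'top hosts' panel)."""
    return Counter(r["id.orig_h"] for r in conn).most_common(n)


def long_lived(conn, min_seconds=3600.0):
    """Connections whose Zeek 'duration' meets the threshold, longest first.

    Assumption: the dashboard's 'long-lived' cut-off is not documented here;
    one hour is this example's choice.
    """
    hits = [(r["uid"], r["duration"]) for r in conn if r.get("duration", 0.0) >= min_seconds]
    return sorted(hits, key=lambda t: t[1], reverse=True)


def unanswered_services(conn):
    """Server endpoints that only ever saw unanswered (S0) or rejected (REJ) attempts.

    Assumption: this is how the example models 'potentially unavailable services'.
    """
    by_endpoint = {}
    for r in conn:
        by_endpoint.setdefault((r["id.resp_h"], r["id.resp_p"]), []).append(r["conn_state"])
    return sorted(ep for ep, states in by_endpoint.items()
                  if all(s in ("S0", "REJ") for s in states))


def dns_summary(dns):
    """DNS panel roll-ups: query types, NXDOMAIN, no-response, reverse lookups."""
    return {
        "top_qtypes": Counter(r["qtype_name"] for r in dns).most_common(),
        # rcode 3 / NXDOMAIN: the name does not exist (typos, stale names, DGA traffic)
        "nxdomain": [r["query"] for r in dns if r.get("rcode_name") == "NXDOMAIN"],
        # Zeek leaves rcode unset when it saw the query but no answer (assumed panel logic)
        "no_response": [r["query"] for r in dns if "rcode" not in r and not r.get("rejected")],
        # PTR lookups use the reverse zones
        "reverse": [r["query"] for r in dns if r["query"].endswith((".in-addr.arpa", ".ip6.arpa"))],
    }


def dashboard_report(conn_text=CONN_LOG, dns_text=DNS_LOG):
    """Build the combined report the way a dashboard page would, one panel per key."""
    conn, dns = parse_log(conn_text), parse_log(dns_text)
    return {
        "top_hosts": top_hosts(conn),
        "long_lived": long_lived(conn),
        "unavailable_services": unanswered_services(conn),
        "dns": dns_summary(dns),
    }


if __name__ == "__main__":
    print(json.dumps(dashboard_report(), indent=2))
```

Run it as-is to see the roll-ups for the constructed records; feed `dashboard_report()` the contents of real conn and dns exports to compare against what the packaged dashboards show. The point of the exercise is that every panel reduces to a handful of Zeek fields (duration, conn_state, rcode_name, qtype_name), so when a panel looks wrong you can check the underlying field values directly in a LogScale search.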

Investigator also includes a set of dashboards that show matches against the CrowdStrike Indicator of Compromise (IOC) database.

  • Security - IOC - Overview – Provides a summary of IOC activity and threat details, including threat by confidence, threat attributes, and severity over time.

  • Security - IOC - IP Overview – Displays an IOC dashboard based on IP addresses. The dashboard shows IOC geolocation, threat relationships, threat types, malware, actors, and kill chains.

Consult the Falcon LogScale (Humio) documentation to learn more about how to work with and manage dashboards.

Tip

If you frequently use a dashboard, click the star to the left of the dashboard name to mark it as a favorite. Favorites appear at the top of the list.