Explore data through Dashboards

A dashboard is a collection of widgets that use saved searches to display data as graphs and tables. Dashboards are a convenient way to monitor events and explore data: they organize frequently used searches so that the activity they return is visible at a glance instead of being re-run query by query.

The Overview page provides quick access to some of the most popular dashboards – Security, Network Overview, and Security Posture – as tabs under the page title.

In addition, Investigator provides a set of pre-built Falcon LogScale (Humio) dashboards for common views corresponding to protocols, logs, or specific content collections and detections.

Click More Dashboards on the Overview page to get started and see the landing page for all dashboards.

(Image: the More Dashboards button on the Overview page)

The Corelight packaged dashboards include both data-related and security-related dashboards; some of them are new to Investigator.

The available dashboards include:

  • Data - Corelight Conn – Summarizes activity in conn logs, showing analytics of top hosts, services, ports, data transfers, and long-lived connections. The dashboard also includes health monitoring of potentially unavailable services.

  • Data - Corelight DNS – Summarizes host and query information in DNS logs, including details of top query types, reverse queries, queries with no response, queries to non-existent domains, and top hosts.

  • Data - Corelight Exec Overview – Provides a high level overview across multiple log sources summarizing top applications, usernames, websites, services, data transfer, and geographic information.

  • Data - Corelight Files – Provides a summary of files log activity, including information on MIME types, file protocols, file flow, bytes sent and received, and executables.

  • Data - Corelight HTTP – Provides a summary of HTTP log activity, including information on referrers, users, hosts, body length, user agents, host headers, originators, and status codes.

  • Data - Corelight Health Report - Sensor Status – Lists every sensor connected to Investigator together with its status, including log types, connections, and event rates.

  • Data - Corelight SSL – Summarizes information from SSL and x509 logs, including details on ciphers, TLS versions and validation status, certificate summary, and certificate subjects.

  • Data - Corelight Software – Summarizes information in software logs, including a breakdown of top software by connection, and software versions and types.

  • Data - Corelight x509 – Summarizes information in x509 logs, including top and rare subjects and certificate expiration information.

  • Data - Entity Overview – Summarizes the network entities.

  • Data - Key Network Questions – Shows essential network information to answer important questions, including what network technologies are in use, what systems are providing core services/access services/file transfer services, plus bandwidth measurements and conversation tracking.

  • Data - Known Entities – The Known entities logs (including known_users, known_hosts, and known_devices) extract and aggregate behavior for individual network entities. The Known Entities dashboard summarizes the entity behavior across all of these logs.

  • Data - Machine Learning Summary – Provides an overview of all machine learning models producing alerts, including model result output and detection counts.

  • Security - Corelight IP Interrogation – Provides a summary of protocol usage, and information on top connections, services, user agents and ports from conn and http logs.

  • Security - Corelight Intel – Overview of intel logs, including volume over time, indicators, and summary of details.

  • Security - Corelight Log Hunting – Overview of log volume and data across all log sources.

  • Security - Corelight Notice – Overview of Notices, including details on volume of alerts over time and alert categories.

  • Security - Corelight RDP Inference Overview – Provides details inferred from authentication requests to the server in RDP connections. Details include inference type, inferences over time, successful/failed connections, security protocol, and details for connecting users.

  • Security - Corelight SSH Inference Overview – Provides details inferred from SSH login attempts. Details include inference type, inferences over time, HASSH fingerprint details, SSH host key, SSH authentication, SSH auth success, and inference log data.

  • Security - Corelight Suricata – Overview of Suricata alerts, including details on volume of alerts over time and alert categories.

  • Security - Corelight VPN Insights – Provides details of VPN protocol connections from the vpn log, including top VPN users and VPN types.
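The dashboards above are built from saved searches over the Corelight log streams, so any panel can be checked against the raw records. The following is an added example, not code from the Corelight or Falcon LogScale product, that reproduces the core aggregations of the Data - Corelight DNS dashboard (top query types, reverse queries, queries with no response, queries to non-existent domains, top hosts) over constructed Corelight-style JSON dns.log lines. The sample records, the threshold for "top N", and the function names are assumptions made for the example; the field names are the standard Zeek dns.log fields.

```python
"""Added example (not Corelight's or LogScale's code): reproduce the core
aggregations of the "Data - Corelight DNS" dashboard over Zeek/Corelight
dns.log records so the dashboard panels can be checked against raw logs."""
import json
from collections import Counter

# Constructed sample dns.log lines in Corelight JSON format (not real traffic).
# Zeek leaves rcode/rcode_name unset when no response was observed, and the
# JSON writer omits unset fields, so record C6 has no rcode_name key.
SAMPLE_DNS_LOG = """\
{"ts":1700000000.1,"uid":"C1","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","proto":"udp","query":"www.example.com","qtype_name":"A","rcode_name":"NOERROR","rejected":false}
{"ts":1700000001.2,"uid":"C2","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","proto":"udp","query":"mail.example.com","qtype_name":"AAAA","rcode_name":"NOERROR","rejected":false}
{"ts":1700000002.3,"uid":"C3","id.orig_h":"10.0.0.7","id.resp_h":"10.0.0.2","proto":"udp","query":"5.0.0.10.in-addr.arpa","qtype_name":"PTR","rcode_name":"NOERROR","rejected":false}
{"ts":1700000003.4,"uid":"C4","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.2","proto":"udp","query":"a8f3k2.bad-domain.invalid","qtype_name":"A","rcode_name":"NXDOMAIN","rejected":false}
{"ts":1700000004.5,"uid":"C5","id.orig_h":"10.0.0.9","id.resp_h":"10.0.0.2","proto":"udp","query":"q9z1x7.bad-domain.invalid","qtype_name":"A","rcode_name":"NXDOMAIN","rejected":false}
{"ts":1700000005.6,"uid":"C6","id.orig_h":"10.0.0.9","id.resp_h":"8.8.8.8","proto":"udp","query":"unanswered.example.net","qtype_name":"A"}
{"ts":1700000006.7,"uid":"C7","id.orig_h":"10.0.0.5","id.resp_h":"10.0.0.2","proto":"tcp","query":"example.com","qtype_name":"TXT","rcode_name":"NOERROR","rejected":false}
"""


def parse_dns_log(text):
    """Parse newline-delimited JSON dns.log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_reverse_query(query):
    """PTR lookups live under the in-addr.arpa / ip6.arpa trees."""
    q = query.lower().rstrip(".")
    return q.endswith(".in-addr.arpa") or q.endswith(".ip6.arpa")


def summarize_dns(records, top_n=5):
    """Compute the panels of the DNS dashboard from parsed dns.log records."""
    top_query_types = Counter(r.get("qtype_name", "-") for r in records)
    top_hosts = Counter(r["id.orig_h"] for r in records)
    reverse_queries = [r["query"] for r in records
                       if is_reverse_query(r.get("query", ""))]
    # No rcode_name key means Zeek saw the query but never a response.
    queries_no_response = [r["query"] for r in records
                           if "rcode_name" not in r]
    # NXDOMAIN per client: a burst from one host is a classic DGA / C2 signal.
    nxdomain_by_host = Counter(r["id.orig_h"] for r in records
                               if r.get("rcode_name") == "NXDOMAIN")
    return {
        "top_query_types": top_query_types.most_common(top_n),
        "top_hosts": top_hosts.most_common(top_n),
        "reverse_queries": reverse_queries,
        "queries_no_response": queries_no_response,
        "nxdomain_by_host": nxdomain_by_host.most_common(top_n),
    }


if __name__ == "__main__":
    summary = summarize_dns(parse_dns_log(SAMPLE_DNS_LOG))
    for panel, value in summary.items():
        print(f"{panel}: {value}")
```

The same pattern (parse the JSON stream, then group and count on the Zeek fields a panel is named after) applies to the conn, http, and ssl dashboards; when a panel on the live dashboard looks wrong, running the equivalent aggregation over an exported slice of the log is the quickest way to tell whether the data or the saved search is at fault.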

Investigator also includes a set of dashboards that show matches against the CrowdStrike Indicator of Compromise (IOC) database.

  • Security - IOC - Overview – Provides a summary of IOC activity and threat details, including threat by confidence, threat attributes, and severity over time.

  • Security - IOC - IP Overview – Displays an IOC dashboard based on IP addresses. The dashboard shows IOC geolocation, threat relationships, threat types, malware, actors, and kill chains.

Consult the Falcon LogScale (Humio) dashboard documentation to learn more about how to work with and manage dashboards.

Tip

If you frequently use a dashboard, click the star to the left of the dashboard name to mark it as a favorite. Favorites appear at the top of the list.

Create a new dashboard

You can create a new dashboard to match your preferences.

  1. From the Overview page, click More Dashboards.

  2. Click the + New dashboard button.

  3. In the New Dashboard dialog box, choose how to create the dashboard:

    • Empty Dashboard — start from scratch with a blank dashboard. This is the default option; you are prompted only for the dashboard name.

    • Duplicate Existing — create a copy of an existing dashboard. You are prompted to pick the dashboard you want to copy.

    • From Template — create a dashboard based on a template generated from another dashboard. You need to drag-and-drop a file or browse your computer to provide the template.

    • From Package — invoke dashboard templates that are part of LogScale packages, provided that such packages are installed in the repository where you want to create the dashboard. For more information on how to install a package and access a package template, see the LogScale documentation for Packages.

  4. Click Create.