Author: sqearl

Previous Step: Apply Token Search, Drilldown & Hide XML Panels Remove NA Values from visualizations You may have removed these values when addressing your filters, but if you haven’t… Take a look at your dashboard visualizations. Look for any “NA” values from the fillnull command. Edit the panel to include | search field!=NA before the … Continue reading "10- Final Aesthetic Touches"

Previous Step: Create & Apply Base Search The next step is to apply your token search to each panel. I do not apply the token search to filters or the base search, just the individual panels. During this run through the XML, I also like to set the drilldown option to “all” on visualizations and  … Continue reading "09- Apply Token Search, Drilldown & Hide XML Panels"

Previous Step: Filters & Tokens At this point, each panel in our dashboard is running it’s own search and our input panels aren’t populating anything. We’ll fix this with a base search.  A base search will limit the resources our panels use to generate data. For example, our current dashboard is running 10+ searches each … Continue reading "08- Create & Apply Base Search"

Previous Step: Search & Dashboard Organization Now that we have our panels created and organized we need to add a few more searches to the dashboard in the form of filters. Not all filters will run a search, but creating dynamic dropdowns will. First thing to do is create a filter search string. Take each … Continue reading "07- Filters & Tokens"

Previous Step: Statistical Count and Timechart Panels When iterating between statistical and timechart commands it’s important to keep a pattern to enable easy organization of panels. For example, If i start with the action field, I’ll create a stats count and time chart count of action. Then maybe we have severity, where i’ll start with … Continue reading "06- Search & Dashboard Organization"

Previous Step: Single Value Panels The purpose of our default dashboards is to enable our customers to start asking questions about their data. As a security analyst I found both statistical and timeline visualization can start to ask more questions about your data. This could translate into more concierge requests, which is the whole idea.  … Continue reading "05- Statistic Count and Timechart Panels"

Previous Step: Multi-Value Fields Now that we’ve established our base search, we can begin to create visualizations for our dashboard. Base Search: index::client* sourcetype::"CrowdStrike:Event:Streams:JSON" cs_event=DetectionSummaryEvent | fillnull value=NA | stats count by _time SeverityName bv_action DetectName DetectDescription user dest_ip dest dest_mac FileName MD5String CommandLine Tactic Technique PatternDispositionDescription PatternDispositionFlags_QuarantineFile  The first panels we create are single … Continue reading "04- Single Value Panels"

Previous Step: Fillnull & Table Command Using the table command will help identify duplicate values being parsed under a single event. To show this, we’ll use wineventlog.  Our search: index=* sourcetype=wineventlog | table _time EventCode ComputerName dest You can see EventCode and ComputerName are duplicate multi-value fields. It’s important to go through and address these … Continue reading "03- Multi-Value Fields"

Previous Step: Data Research Now we want to identify interesting fields associated with cs_event=DetectionSummaryEvent We’ll start by expanding our search to include the fillnull, and table command. Do not execute this search yet, just begin to craft it in the search bar: index=* sourcetype="CrowdStrike:Event:Streams:JSON" cs_event=DetectionSummaryEvent | fillnull value=NA | table If we do not use … Continue reading "02- Fillnull & Table Commands"