
CrowdStrike Security Dashboards

Security monitoring dashboards for CrowdStrike EDR data streams.

Overview

These dashboards provide visibility into CrowdStrike Falcon EDR alerts, incidents, vulnerabilities, and host data. Each dashboard focuses on a specific data stream or security domain.

Note: Based on the Elastic integrations repository dashboards. Licensed under Elastic License 2.0.

Dashboards

Dashboard         File                   Description
Overview          overview.yaml          High-level entry point with navigation to all CrowdStrike dashboards
Alert             alert.yaml             Comprehensive alert monitoring with status, severity, IOCs, and network context
Falcon Overview   falcon-overview.yaml   Falcon incidents with MITRE ATT&CK technique and tactic mapping
FDR Overview      fdr-overview.yaml      Falcon Data Replicator events and alerts monitoring
Host              host.yaml              Host device monitoring with OS platform distribution and activity tracking
Vulnerability     vulnerability.yaml     Vulnerability tracking with severity, status, and confidence breakdowns

Dashboard Definitions

Overview (overview.yaml)
---
dashboards:
  - id: crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750
    name: '[CrowdStrike] Overview'
    description: High-level overview of CrowdStrike data with navigation to specific dashboards.
    panels:
      - title: Table of Contents
        size:
          w: 7
          h: 41
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            **Overview**
            [FDR](/app/dashboards#/view/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)
            [Falcon](/app/dashboards#/view/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)
            [Alert](/app/dashboards#/view/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)
            [Host](/app/dashboards#/view/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)
            [Vulnerability](/app/dashboards#/view/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5)

            ### Overview
            High-level overview showing FDR alerts, Falcon incidents, and event trends across all CrowdStrike data streams.
      - title: FDR Alerts
        size:
          w: 7
          h: 7
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: FDR Alerts
            format:
              type: number
              decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.fdr
            - field: event.kind
              equals: alert
      - title: Falcon Incidents
        size:
          w: 7
          h: 7
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Falcon Incidents
            format:
              type: number
              decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.falcon
            - field: crowdstrike.event.Category
              equals: Incidents
      - title: Events over Time by Data Stream
        size:
          w: 27
          h: 21
        lens:
          type: line
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: '@timestamp'
          breakdown:
            field: data_stream.dataset
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: FDR Alert Types
        size:
          w: 7
          h: 14
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.action
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.fdr
            - field: event.kind
              equals: alert
      - title: Falcon Incident Types
        size:
          w: 7
          h: 14
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.action
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.falcon
            - field: crowdstrike.event.Category
              equals: Incidents

Alert (alert.yaml)
---
dashboards:
  - id: crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c
    name: '[Logs CrowdStrike] Alert'
    description: Overview of the CrowdStrike Alert Logs.
    filters:
      - field: data_stream.dataset
        equals: crowdstrike.alert
    panels:
      - title: Table of Contents
        size:
          w: 16
          h: 16
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            [Overview](/app/dashboards#/view/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)
            [FDR](/app/dashboards#/view/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)
            [Falcon](/app/dashboards#/view/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)
            **Alert**
            [Host](/app/dashboards#/view/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)
            [Vulnerability](/app/dashboards#/view/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5)

            ### Overview
            This dashboard shows statistics about the different alerts collected from the CrowdStrike Alert API.
      - title: Alert by Status [Logs CrowdStrike]
        size:
          w: 17
          h: 16
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: crowdstrike.alert.status
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert by OS Platform [Logs CrowdStrike]
        size:
          w: 15
          h: 16
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: host.os.platform
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: User with Highest Alert [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: user.name
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert over Device [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: device.id
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert by Severity [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: crowdstrike.alert.severity
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert over Host IP [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: host.ip
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert over Hostname [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: host.hostname
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert over Timestamp [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: line
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Timestamp
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert over Confidence [Logs CrowdStrike]
        size:
          w: 48
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Timestamp
          breakdown:
            field: crowdstrike.alert.confidence
            type: values
            size: 5
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert by IOC Source [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: crowdstrike.alert.ioc_source
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert by IOC Type [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: crowdstrike.alert.ioc_type
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Alert by OS Full Name [Logs CrowdStrike]
        size:
          w: 24
          h: 16
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: host.os.full
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Top 10 Source IP [Logs CrowdStrike]
        size:
          w: 24
          h: 16
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: source.ip
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Top 10 Source Domain [Logs CrowdStrike]
        size:
          w: 24
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: source.domain
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Top 10 Destination Domain [Logs CrowdStrike]
        size:
          w: 24
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: destination.domain
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0

Falcon Overview (falcon-overview.yaml)
---
dashboards:
  - id: crowdstrike-ad80a080-821b-11ee-bae0-937af575b750
    name: '[CrowdStrike] Falcon Overview'
    description: Statistics about the different Incidents and events collected from CrowdStrike Falcon.
    filters:
      - field: data_stream.dataset
        equals: crowdstrike.falcon
    panels:
      - title: Table of Contents
        size:
          w: 7
          h: 69
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            [Overview](/app/dashboards#/view/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)
            [FDR](/app/dashboards#/view/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)
            **Falcon**
            [Alert](/app/dashboards#/view/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)
            [Host](/app/dashboards#/view/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)
            [Vulnerability](/app/dashboards#/view/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5)

            ### Overview
            This dashboard shows statistics about the different Incidents and events collected from CrowdStrike Falcon.
      - title: Incidents by ECS Category
        size:
          w: 10
          h: 17
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.category
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: crowdstrike.event.Category
              equals: Incidents
      - title: Events by Severity
        size:
          w: 10
          h: 17
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.event.SeverityName
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Events by Technique Name
        size:
          w: 10
          h: 17
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: threat.technique.name
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Events by Tactic Name
        size:
          w: 11
          h: 17
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: threat.tactic.name
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Events over Time by Event Type
        size:
          w: 41
          h: 18
        lens:
          type: line
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: '@timestamp'
          breakdown:
            field: event.action
            type: values
            size: 10
            sort:
              by: Activity by Event type
              direction: desc
          metrics:
            - aggregation: count
              label: Activity by Event type
      - title: Top Related Hosts
        size:
          w: 21
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Count of records
              direction: desc
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0
      - title: Top Related Users
        size:
          w: 20
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: user.name
            type: values
            size: 10
            sort:
              by: Count of records
              direction: desc
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0

FDR Overview (fdr-overview.yaml)
---
dashboards:
  - id: crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f
    name: '[CrowdStrike] FDR Overview'
    description: Summarised overview for CrowdStrike FDR events.
    filters:
      - field: data_stream.dataset
        equals: crowdstrike.fdr
    panels:
      - title: Table of Contents
        size:
          w: 7
          h: 57
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            [Overview](/app/dashboards#/view/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)
            **FDR**
            [Falcon](/app/dashboards#/view/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)
            [Alert](/app/dashboards#/view/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)
            [Host](/app/dashboards#/view/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)
            [Vulnerability](/app/dashboards#/view/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5)

            ### Overview
            This dashboard shows statistics specific to alerts and their different alert types received from CrowdStrike FDR.
      - title: Top Users
        size:
          w: 21
          h: 14
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: user.name
            type: values
            size: 5
            sort:
              by: Count of records
              direction: desc
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0
      - title: Top Related Files
        size:
          w: 20
          h: 14
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: file.name
            type: values
            size: 15
            sort:
              by: Count of records
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0
      - title: Events over time, By Event Kind
        size:
          w: 20
          h: 19
        lens:
          type: line
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: '@timestamp'
          breakdown:
            field: event.kind
            type: values
            size: 3
            sort:
              by: Events
              direction: desc
          metrics:
            - aggregation: count
              label: Events
              format:
                type: number
                decimals: 0
      - title: Top Event Types
        size:
          w: 10
          h: 19
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.action
              type: values
              size: 10
              sort:
                by: Count of records
                direction: desc
              show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0
          filters:
            - not:
                field: event.kind
                equals: alert
      - title: Top Alert Types
        size:
          w: 11
          h: 19
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.action
              type: values
              size: 10
              sort:
                by: Count of records
                direction: desc
          metrics:
            - aggregation: count
              label: Count of records
              format:
                type: number
                decimals: 0
          filters:
            - field: event.kind
              equals: alert

Host (host.yaml)
---
dashboards:
  - id: crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c
    name: '[Logs CrowdStrike] Host'
    description: Overview of the CrowdStrike Host Logs.
    filters:
      - field: data_stream.dataset
        equals: crowdstrike.host
    panels:
      - title: Table of Contents
        size:
          w: 14
          h: 17
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            [Overview](/app/dashboards#/view/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)
            [FDR](/app/dashboards#/view/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)
            [Falcon](/app/dashboards#/view/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)
            [Alert](/app/dashboards#/view/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)
            **Host**
            [Vulnerability](/app/dashboards#/view/crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5)

            ### Overview
            This dashboard shows statistics about the different hosts collected from the CrowdStrike Host/Device API.
      - title: Host over OS Platform [Logs CrowdStrike]
        size:
          w: 16
          h: 17
        lens:
          type: pie
          data_view: logs-*
          breakdowns:
            - field: host.os.platform
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Host over Hostname [Logs CrowdStrike]
        size:
          w: 18
          h: 17
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: host.hostname
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Host over Host IP [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: host.ip
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Host over Timestamp [Logs CrowdStrike]
        size:
          w: 24
          h: 15
        lens:
          type: bar
          mode: stacked
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Timestamp
          breakdown:
            field: device.id
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0

Vulnerability (vulnerability.yaml)
---
dashboards:
  - id: crowdstrike-63da2573-4e68-4e7d-a06b-6858edb60fd5
    name: '[Logs CrowdStrike] Vulnerability'
    description: Overview of the CrowdStrike Vulnerability Logs.
    filters:
      - field: data_stream.dataset
        equals: crowdstrike.vulnerability
    panels:
      - title: Table of Contents
        size:
          w: 11
          h: 31
        markdown:
          content: |
            ## **CrowdStrike**

            ### Navigation
            [Overview](/app/dashboards#/view/crowdstrike-e64e8fe0-8210-11ee-bae0-937af575b750)
            [FDR](/app/dashboards#/view/crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f)
            [Falcon](/app/dashboards#/view/crowdstrike-ad80a080-821b-11ee-bae0-937af575b750)
            [Alert](/app/dashboards#/view/crowdstrike-d8070b00-99b3-11ee-bf4d-afbc95e0486c)
            [Host](/app/dashboards#/view/crowdstrike-2921b7f0-99b5-11ee-bf4d-afbc95e0486c)
            **Vulnerability**

            ### Overview
            This dashboard shows detailed statistics and visualizations of ingested logs related to vulnerabilities detected by CrowdStrike.
            It provides an overview of vulnerabilities over time and highlights the top 10 vulnerabilities and most affected hosts. The dashboard also breaks down vulnerabilities by severity, status, and confidence levels to aid in risk assessment and prioritization.
          links_in_new_tab: true
      - title: Vulnerability over time [Logs CrowdStrike]
        size:
          w: 37
          h: 15
        lens:
          type: line
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Time
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Top 10 Vulnerability [Logs CrowdStrike]
        size:
          w: 19
          h: 16
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: vulnerability.id
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Top 10 Host [Logs CrowdStrike]
        size:
          w: 18
          h: 16
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Vulnerability by Severity [Logs CrowdStrike]
        size:
          w: 16
          h: 16
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: vulnerability.severity
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              include_missing_values: true
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Vulnerability by Status [Logs CrowdStrike]
        size:
          w: 16
          h: 16
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.vulnerability.status
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              include_missing_values: true
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      - title: Vulnerability by Confidence [Logs CrowdStrike]
        size:
          w: 16
          h: 16
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.vulnerability.confidence
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              include_missing_values: true
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0

Prerequisites

  • CrowdStrike Falcon: EDR solution with data streaming enabled
  • Elastic Agent: With CrowdStrike integration configured
  • Kibana: Version 8.x or later

Data Requirements

  • Data view: logs-*
  • Data stream datasets: crowdstrike.fdr, crowdstrike.falcon, crowdstrike.alert, crowdstrike.host, crowdstrike.vulnerability
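
The dashboard definitions above are declarative, so it helps to check offline that they match the data actually in logs-*. The Python below is an added example, not code from this repository: it embeds two panels from fdr-overview.yaml as a dict, turns each panel's filters (including the not: form) and bucket specs into the equivalent Elasticsearch _search body, and lists the fields a dashboard reads so they can be verified against the index mapping. HISTOGRAM_INTERVAL is an assumed stand-in for the interval Lens picks automatically, and the dict keys are taken from the YAML schema shown on this page.

```python
# Constructed sample: two panels from this page's fdr-overview.yaml, embedded
# as a dict mirroring the YAML so no YAML parser is needed to run this.
FDR_OVERVIEW = {
    "id": "crowdstrike-a4972bc0-fb53-11eb-abed-07307b3f2b0f",
    "filters": [{"field": "data_stream.dataset", "equals": "crowdstrike.fdr"}],
    "panels": [
        {"title": "Top Event Types",
         "lens": {"type": "pie", "data_view": "logs-*",
                  "breakdowns": [{"field": "event.action", "type": "values",
                                  "size": 10, "sort": {"by": "Count of records",
                                                       "direction": "desc"}}],
                  "metrics": [{"aggregation": "count", "label": "Count of records"}],
                  # `not:` is the page's negated-filter form
                  "filters": [{"not": {"field": "event.kind", "equals": "alert"}}]}},
        {"title": "Events over time, By Event Kind",
         "lens": {"type": "line", "data_view": "logs-*",
                  "dimension": {"field": "@timestamp", "type": "date_histogram"},
                  "breakdown": {"field": "event.kind", "type": "values", "size": 3,
                                "sort": {"by": "Events", "direction": "desc"}},
                  "metrics": [{"aggregation": "count", "label": "Events"}]}},
    ],
}

# Assumed bucket width for date_histogram dimensions (Lens picks one
# automatically); a fixed stand-in keeps the offline query deterministic.
HISTOGRAM_INTERVAL = "1h"


def panel_query(dashboard, panel):
    """Merge dashboard-level and panel-level filters into one ES bool query:
    `field/equals` -> a `term` under `filter`; a `not:` wrapper -> `must_not`."""
    must, must_not = [], []
    for f in dashboard.get("filters", []) + panel["lens"].get("filters", []):
        if "not" in f:
            must_not.append({"term": {f["not"]["field"]: f["not"]["equals"]}})
        else:
            must.append({"term": {f["field"]: f["equals"]}})
    bool_q = {"filter": must}
    if must_not:
        bool_q["must_not"] = must_not
    return {"bool": bool_q}


def _bucket_agg(spec):
    """One dimension/breakdown spec -> the equivalent ES bucket aggregation."""
    if spec["type"] == "date_histogram":
        return {"date_histogram": {"field": spec["field"],
                                   "fixed_interval": HISTOGRAM_INTERVAL}}
    if spec["type"] == "values":
        direction = spec.get("sort", {}).get("direction", "desc")
        return {"terms": {"field": spec["field"], "size": spec["size"],
                          "order": {"_count": direction}}}
    raise ValueError(f"unsupported bucket type {spec['type']!r}")


def panel_aggs(panel):
    """Nest bucket specs outer-to-inner: dimension first, then breakdown(s)."""
    lens = panel["lens"]
    specs = [s for s in (lens.get("dimension"), lens.get("breakdown")) if s]
    specs += lens.get("breakdowns", [])
    aggs = {}
    for spec in reversed(specs):          # build innermost first, wrap outward
        agg = _bucket_agg(spec)
        if aggs:
            agg["aggs"] = aggs
        aggs = {spec["field"]: agg}
    return aggs


def search_body(dashboard, panel):
    """Complete _search body reproducing what the Lens panel counts."""
    return {"size": 0, "query": panel_query(dashboard, panel),
            "aggs": panel_aggs(panel)}


def required_fields(dashboard):
    """Every field a dashboard reads; verify each exists in the logs-* mapping,
    because a missing or unmapped field leaves its panel silently empty."""
    fields = {f["field"] for f in dashboard.get("filters", [])}
    for panel in dashboard["panels"]:
        lens = panel["lens"]
        for spec in [lens.get("dimension"), lens.get("breakdown"),
                     *lens.get("breakdowns", [])]:
            if spec:
                fields.add(spec["field"])
        for f in lens.get("filters", []):
            fields.add(f["not"]["field"] if "not" in f else f["field"])
    return sorted(fields)


if __name__ == "__main__":
    for p in FDR_OVERVIEW["panels"]:
        print(p["title"], search_body(FDR_OVERVIEW, p))
    print("fields:", required_fields(FDR_OVERVIEW))
```

The generated body can be sent to `POST logs-*/_search` to confirm that a panel's dataset filter actually returns documents before the dashboards are imported.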

See also: CrowdStrike Modern Dashboards for workflow-centric SOC dashboards.