# CrowdStrike Modern Dashboards
Workflow-centric security operations dashboards designed for modern SOC workflows.
## Overview
Unlike the dataset-centric CrowdStrike dashboards, these modern dashboards are organized by security workflow rather than data source, making them ideal for daily SOC operations.
## Dashboards

| Dashboard | File | Description |
|---|---|---|
| SOC Dashboard | `soc.yaml` | Real-time security event monitoring, alert triage, and incident response coordination |
| Threat Investigation | `threat-investigation.yaml` | Deep-dive threat analysis with MITRE ATT&CK mapping and IOC tracking |
| Asset & Vulnerability | `asset-vulnerability.yaml` | Asset inventory and vulnerability tracking for risk assessment and patch prioritization |
| Compliance & Audit | `compliance-audit.yaml` | Compliance monitoring and audit trail analysis for regulatory reporting |

All dashboards include consistent navigation for seamless workflow transitions.
## Dashboard Definitions
### SOC Dashboard (`soc.yaml`)

```yaml
---
dashboards:
  - id: crowdstrike-modern-soc-7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
    name: '[CrowdStrike Modern] Security Operations Center'
    description: Workflow-centric SOC dashboard providing real-time security event monitoring, alert triage, and incident response coordination across all CrowdStrike data streams.
    filters:
      - or:
          - field: data_stream.dataset
            equals: crowdstrike.alert
          - field: data_stream.dataset
            equals: crowdstrike.falcon
          - field: data_stream.dataset
            equals: crowdstrike.fdr
    controls:
      - type: options
        label: Host
        data_view: logs-*
        field: host.name
        match_technique: contains
      - type: options
        label: User
        data_view: logs-*
        field: user.name
        match_technique: contains
      - type: options
        label: Severity
        width: small
        data_view: logs-*
        field: crowdstrike.alert.severity
        match_technique: exact
    panels:
      # Context Layer - Navigation
      - title: Dashboard Navigation
        size:
          w: 48
          h: 4
        links:
          layout: horizontal
          items:
            - label: SOC Dashboard
              dashboard: crowdstrike-modern-soc-7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
            - label: Threat Investigation
              dashboard: crowdstrike-modern-investigation-8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
            - label: Asset & Vulnerability
              dashboard: crowdstrike-modern-assets-9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
            - label: Compliance & Audit
              dashboard: crowdstrike-modern-compliance-0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
      # Summary Layer - Key Metrics
      - title: Total Security Events
        description: Total security events across all data streams in selected time range
        size:
          w: 12
          h: 8
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Total Events
      - title: Critical Alerts
        description: Number of critical severity alerts requiring immediate attention
        size:
          w: 12
          h: 8
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: count
            label: Critical Alerts
          filters:
            - field: crowdstrike.alert.severity
              equals: critical
      - title: Active Threats
        description: Unique threat detections requiring investigation
        size:
          w: 12
          h: 8
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: threat.technique.name
            label: Active Threats
          filters:
            - exists: threat.technique.name
      - title: Affected Hosts
        description: Number of unique hosts with security events
        size:
          w: 12
          h: 8
        lens:
          type: metric
          data_view: logs-*
          primary:
            aggregation: unique_count
            field: host.name
            label: Affected Hosts
      # Analysis Layer - Security Events Over Time
      - title: Security Events Over Time
        description: Time series view of security events showing volume trends and patterns
        size:
          w: 48
          h: 15
        lens:
          type: area
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Time
          breakdown:
            field: event.category
            type: values
            size: 8
            sort:
              by: Event Count
              direction: desc
          metrics:
            - aggregation: count
              label: Event Count
      # Analysis Layer - Alert Status Breakdown
      - title: Alert Status
        description: Distribution of alerts by current status for triage prioritization
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.alert.status
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.alert
      # Analysis Layer - Severity Distribution
      - title: Alert Severity Distribution
        description: Breakdown of alerts by severity level for risk assessment
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.alert.severity
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.alert
      # Analysis Layer - Event Categories
      - title: Event Category Distribution
        description: Security event types from Falcon detections
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.category
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.falcon
      # Analysis Layer - Platform Distribution
      - title: Affected Platforms
        description: Operating system platforms with security events
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: host.os.platform
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Detail Layer - Top Affected Hosts
      - title: Top 10 Affected Hosts
        description: Hosts with highest security event volume requiring attention
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Event Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Event Count
      # Detail Layer - Top Users
      - title: Top 10 Users with Security Events
        description: Users associated with highest security event volume
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: user.name
            type: values
            size: 10
            sort:
              by: Event Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Event Count
```
### Threat Investigation (`threat-investigation.yaml`)

```yaml
---
dashboards:
  - id: crowdstrike-modern-investigation-8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
    name: '[CrowdStrike Modern] Threat Investigation'
    description: Deep-dive threat analysis dashboard for investigating detections, mapping MITRE ATT&CK techniques, tracking IOCs, and analyzing threat actor behavior patterns.
    filters:
      - or:
          - field: data_stream.dataset
            equals: crowdstrike.alert
          - field: data_stream.dataset
            equals: crowdstrike.falcon
    controls:
      - type: options
        label: Threat Technique
        data_view: logs-*
        field: threat.technique.name
        match_technique: contains
      - type: options
        label: Threat Tactic
        data_view: logs-*
        field: threat.tactic.name
        match_technique: contains
      - type: options
        label: Severity
        width: small
        data_view: logs-*
        field: crowdstrike.event.SeverityName
        match_technique: exact
    panels:
      # Context Layer - Navigation
      - title: Dashboard Navigation
        size:
          w: 48
          h: 4
        links:
          layout: horizontal
          items:
            - label: SOC Dashboard
              dashboard: crowdstrike-modern-soc-7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
            - label: Threat Investigation
              dashboard: crowdstrike-modern-investigation-8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
            - label: Asset & Vulnerability
              dashboard: crowdstrike-modern-assets-9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
            - label: Compliance & Audit
              dashboard: crowdstrike-modern-compliance-0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
      # Analysis Layer - Threat Activity Over Time
      - title: Threat Detections Over Time
        description: Time series of threat detections showing attack campaign patterns
        size:
          w: 48
          h: 15
        lens:
          type: area
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Time
          breakdown:
            field: crowdstrike.event.SeverityName
            type: values
            size: 5
            sort:
              by: Detection Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Detection Count
      # Analysis Layer - MITRE ATT&CK Techniques
      - title: MITRE ATT&CK Techniques
        description: Threat techniques observed mapped to MITRE framework
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: threat.technique.name
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - exists: threat.technique.name
      # Analysis Layer - MITRE ATT&CK Tactics
      - title: MITRE ATT&CK Tactics
        description: Threat tactics showing attacker objectives and kill chain stages
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: threat.tactic.name
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - exists: threat.tactic.name
      # Analysis Layer - Severity Distribution
      - title: Threat Severity Levels
        description: Distribution of threat detections by severity for prioritization
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.event.SeverityName
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.falcon
      # Analysis Layer - IOC Sources
      - title: IOC Sources
        description: Indicator of Compromise sources providing threat intelligence
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.alert.ioc_source
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.alert
      # Analysis Layer - IOC Types
      - title: IOC Types
        description: Types of indicators detected in threat activity
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.alert.ioc_type
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.alert
      # Analysis Layer - Event Actions
      - title: Threat Event Actions
        description: Specific actions taken by threats during attacks
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.action
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Detail Layer - Top Source IPs
      - title: Top 10 Source IP Addresses
        description: External IP addresses with highest threat activity
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: source.ip
            type: values
            size: 10
            sort:
              by: Detection Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Detection Count
          filters:
            - exists: source.ip
      # Detail Layer - Top Source Domains
      - title: Top 10 Source Domains
        description: Malicious domains involved in threat activity
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: source.domain
            type: values
            size: 10
            sort:
              by: Detection Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Detection Count
          filters:
            - exists: source.domain
      # Detail Layer - Affected Hosts
      - title: Top 10 Compromised Hosts
        description: Hosts with highest threat detection volume requiring remediation
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Threat Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Threat Count
      # Detail Layer - Target Files
      - title: Top 10 Targeted Files
        description: Files most frequently targeted or modified by threats
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: file.name
            type: values
            size: 10
            sort:
              by: Access Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Access Count
          filters:
            - exists: file.name
```
### Asset & Vulnerability (`asset-vulnerability.yaml`)

```yaml
---
dashboards:
  - id: crowdstrike-modern-assets-9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
    name: '[CrowdStrike Modern] Asset & Vulnerability Management'
    description: Comprehensive asset inventory and vulnerability tracking dashboard for risk assessment, patch prioritization, and security posture monitoring across the infrastructure.
    filters:
      - or:
          - field: data_stream.dataset
            equals: crowdstrike.host
          - field: data_stream.dataset
            equals: crowdstrike.vulnerability
    controls:
      - type: options
        label: Vulnerability Severity
        data_view: logs-*
        field: vulnerability.severity
        match_technique: exact
      - type: options
        label: Vulnerability Status
        data_view: logs-*
        field: crowdstrike.vulnerability.status
        match_technique: exact
      - type: options
        label: OS Platform
        width: small
        data_view: logs-*
        field: host.os.platform
        match_technique: exact
    panels:
      # Context Layer - Navigation
      - title: Dashboard Navigation
        size:
          w: 48
          h: 4
        links:
          layout: horizontal
          items:
            - label: SOC Dashboard
              dashboard: crowdstrike-modern-soc-7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
            - label: Threat Investigation
              dashboard: crowdstrike-modern-investigation-8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
            - label: Asset & Vulnerability
              dashboard: crowdstrike-modern-assets-9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
            - label: Compliance & Audit
              dashboard: crowdstrike-modern-compliance-0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
      # Analysis Layer - Vulnerability Trend
      - title: Vulnerability Detections Over Time
        description: Time series showing vulnerability discovery and remediation trends
        size:
          w: 48
          h: 15
        lens:
          type: area
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Time
          breakdown:
            field: vulnerability.severity
            type: values
            size: 5
            sort:
              by: Vulnerability Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Vulnerability Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Analysis Layer - Vulnerability Severity
      - title: Vulnerability by Severity
        description: Risk distribution showing critical, high, medium, and low severity vulnerabilities
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: vulnerability.severity
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Analysis Layer - Vulnerability Status
      - title: Vulnerability Status
        description: Current remediation status for patch management tracking
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.vulnerability.status
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Analysis Layer - Vulnerability Confidence
      - title: Vulnerability Confidence
        description: Detection confidence levels for prioritization
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.vulnerability.confidence
              type: values
              size: 5
              sort:
                by: Count
                direction: desc
              show_other_bucket: false
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Analysis Layer - OS Platform Distribution
      - title: Asset Platform Distribution
        description: Operating system platforms in the infrastructure
        size:
          w: 12
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: host.os.platform
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Detail Layer - Top Vulnerabilities
      - title: Top 10 Critical Vulnerabilities (CVEs)
        description: Most prevalent critical vulnerabilities requiring immediate patching
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: vulnerability.id
            type: values
            size: 10
            sort:
              by: Occurrence Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Occurrence Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Detail Layer - Most Vulnerable Hosts
      - title: Top 10 Most Vulnerable Hosts
        description: Assets with highest vulnerability count requiring remediation
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Vulnerability Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Vulnerability Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.vulnerability
      # Detail Layer - OS Versions
      - title: Top 10 Operating System Versions
        description: Full OS version details for asset inventory and patch planning
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.os.full
            type: values
            size: 10
            sort:
              by: Host Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Host Count
              format:
                type: number
                decimals: 0
      # Detail Layer - Host IPs
      - title: Top 10 Host IP Addresses
        description: Network addresses for asset tracking and network segmentation analysis
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.ip
            type: values
            size: 10
            sort:
              by: Record Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Record Count
              format:
                type: number
                decimals: 0
```
### Compliance & Audit (`compliance-audit.yaml`)

```yaml
---
dashboards:
  - id: crowdstrike-modern-compliance-0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
    name: '[CrowdStrike Modern] Compliance & Audit'
    description: Compliance monitoring and audit trail dashboard for security event tracking, user activity analysis, access patterns, and regulatory reporting requirements.
    filters:
      - or:
          - field: data_stream.dataset
            equals: crowdstrike.alert
          - field: data_stream.dataset
            equals: crowdstrike.falcon
          - field: data_stream.dataset
            equals: crowdstrike.fdr
    controls:
      - type: options
        label: Event Action
        data_view: logs-*
        field: event.action
        match_technique: contains
      - type: options
        label: Event Category
        data_view: logs-*
        field: event.category
        match_technique: exact
      - type: options
        label: User
        width: small
        data_view: logs-*
        field: user.name
        match_technique: contains
    panels:
      # Context Layer - Navigation
      - title: Dashboard Navigation
        size:
          w: 48
          h: 4
        links:
          layout: horizontal
          items:
            - label: SOC Dashboard
              dashboard: crowdstrike-modern-soc-7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
            - label: Threat Investigation
              dashboard: crowdstrike-modern-investigation-8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
            - label: Asset & Vulnerability
              dashboard: crowdstrike-modern-assets-9c0d1e2f-3a4b-5c6d-7e8f-9a0b1c2d3e4f
            - label: Compliance & Audit
              dashboard: crowdstrike-modern-compliance-0d1e2f3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
      # Analysis Layer - Audit Events Over Time
      - title: Security Audit Events Over Time
        description: Time series of security events for compliance reporting and trend analysis
        size:
          w: 48
          h: 15
        lens:
          type: area
          data_view: logs-*
          dimension:
            field: '@timestamp'
            type: date_histogram
            label: Time
          breakdown:
            field: event.kind
            type: values
            size: 5
            sort:
              by: Event Count
              direction: desc
          metrics:
            - aggregation: count
              label: Event Count
      # Analysis Layer - Event Categories
      - title: Event Category Distribution
        description: Security event types for compliance categorization
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.category
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Analysis Layer - Event Kinds
      - title: Event Kind Distribution
        description: Event classification for audit trail completeness
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: event.kind
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Analysis Layer - FDR Event Categories
      - title: FDR Event Categories
        description: Flight Data Recorder event types for detailed system activity
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.event.Category
              type: values
              size: 10
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.fdr
      # Analysis Layer - Alert Status for Compliance
      - title: Alert Response Status
        description: Alert handling status for incident response compliance
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.alert.status
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.alert
      # Analysis Layer - Falcon Status
      - title: Falcon Event Status
        description: Detection status tracking for compliance reporting
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: crowdstrike.event.Status
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
          filters:
            - field: data_stream.dataset
              equals: crowdstrike.falcon
      # Analysis Layer - Platform Coverage
      - title: Platform Coverage
        description: OS platform distribution for compliance scope verification
        size:
          w: 16
          h: 15
        lens:
          type: pie
          data_view: logs-*
          appearance:
            donut: medium
          breakdowns:
            - field: host.os.platform
              type: values
              size: 8
              sort:
                by: Count
                direction: desc
          metrics:
            - aggregation: count
              label: Count
              format:
                type: number
                decimals: 0
      # Detail Layer - Top Event Actions
      - title: Top 10 Event Actions
        description: Most frequent security actions for audit trail analysis
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: event.action
            type: values
            size: 10
            sort:
              by: Action Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Action Count
      # Detail Layer - Top Users
      - title: Top 10 Users by Activity
        description: User activity levels for access pattern analysis
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: user.name
            type: values
            size: 10
            sort:
              by: Event Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Event Count
      # Detail Layer - Most Active Hosts
      - title: Top 10 Most Active Hosts
        description: Host activity for system usage and coverage verification
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: host.name
            type: values
            size: 10
            sort:
              by: Event Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Event Count
      # Detail Layer - Device Activity
      - title: Top 10 Devices by Event Volume
        description: Device identifiers for endpoint compliance tracking
        size:
          w: 24
          h: 15
        lens:
          type: bar
          data_view: logs-*
          dimension:
            field: device.id
            type: values
            size: 10
            sort:
              by: Event Count
              direction: desc
            show_other_bucket: false
          metrics:
            - aggregation: count
              label: Event Count
          filters:
            - exists: device.id
```
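The four definitions above share one navigation panel, dashboard-level dataset filters and a 48-column grid, and a typo in any of them only shows up after import. The checker below is an added example, not part of the dashboard project: it validates parsed definitions for navigation links to unknown dashboard ids, panels pinned to a dataset the dashboard-level filter excludes (such a panel always renders empty because the two filters are ANDed), and panel rows that overflow the grid. It assumes panels flow left to right in definition order and that panel filters sit under `lens:`; real files are parsed with PyYAML's `yaml.safe_load(text)["dashboards"]`, while the constructed sample is an inline dict with short ids.

```python
"""Consistency checks for the dashboard YAML definitions shown on this page.

Added example, not part of the dashboard project. Operates on the parsed shape
(dashboards -> id/filters/panels; a panel carries a links block or a lens block).
"""
GRID_WIDTH = 48  # assumption: panels flow left to right and wrap at 48 columns


def dataset_scope(dashboard):
    """Datasets admitted by the dashboard-level 'or' filter on data_stream.dataset."""
    scope = set()
    for f in dashboard.get("filters", []):
        for clause in f.get("or", [f]):  # a bare clause is treated as a one-item 'or'
            if clause.get("field") == "data_stream.dataset" and "equals" in clause:
                scope.add(clause["equals"])
    return scope


def check_nav_links(dashboards):
    """(dashboard id, link label, target id) for every link to an unknown dashboard."""
    known = {d["id"] for d in dashboards}
    dangling = []
    for d in dashboards:
        for panel in d.get("panels", []):
            for item in panel.get("links", {}).get("items", []):
                if item.get("dashboard") not in known:
                    dangling.append((d["id"], item["label"], item["dashboard"]))
    return dangling


def check_panel_datasets(dashboard):
    """Titles of panels whose lens filter pins a dataset the dashboard never admits."""
    scope = dataset_scope(dashboard)
    bad = []
    for panel in dashboard.get("panels", []):
        for f in panel.get("lens", {}).get("filters", []):
            if f.get("field") == "data_stream.dataset" and f.get("equals") not in scope:
                bad.append(panel["title"])
    return bad


def check_grid_rows(dashboard):
    """Titles of panels at which the running row width exceeds GRID_WIDTH."""
    overflow, used = [], 0
    for panel in dashboard.get("panels", []):
        used += panel["size"]["w"]
        if used > GRID_WIDTH:
            overflow.append(panel["title"])
            used = panel["size"]["w"]  # this panel wraps onto a new row
        elif used == GRID_WIDTH:
            used = 0  # row is exactly full
    return overflow


# Constructed sample in the page's shape: short ids and deliberate defects.
SAMPLE = [
    {"id": "soc",
     "filters": [{"or": [{"field": "data_stream.dataset", "equals": "crowdstrike.alert"},
                         {"field": "data_stream.dataset", "equals": "crowdstrike.falcon"}]}],
     "panels": [
         {"title": "Dashboard Navigation", "size": {"w": 48, "h": 4},
          "links": {"layout": "horizontal", "items": [
              {"label": "SOC Dashboard", "dashboard": "soc"},
              {"label": "Compliance & Audit", "dashboard": "compliance"}]}},  # unknown id
         {"title": "Vulnerability Status", "size": {"w": 12, "h": 15},
          "lens": {"type": "pie", "filters": [  # dataset outside the dashboard scope
              {"field": "data_stream.dataset", "equals": "crowdstrike.vulnerability"}]}},
         {"title": "Top 10 Affected Hosts", "size": {"w": 48, "h": 15}, "lens": {"type": "bar"}},
     ]},
]
```

Running the three checks over `SAMPLE` reports the link to `compliance`, the `Vulnerability Status` panel, and the `Top 10 Affected Hosts` panel that pushes its row to 60 columns.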
## Prerequisites
- CrowdStrike Falcon: EDR solution with data streaming enabled
- Elastic Agent: With CrowdStrike integration configured
- Kibana: Version 8.x or later
## Data Requirements

- Data view: `logs-*`
- Data stream datasets: `crowdstrike.alert`, `crowdstrike.falcon`, `crowdstrike.fdr` (the Asset & Vulnerability dashboard additionally filters on `crowdstrike.host` and `crowdstrike.vulnerability`)
## Related
See also: CrowdStrike Dashboards for dataset-centric dashboards organized by data source.