How to Use Falcon Indicator Graph

Introduction

In this article and video, we will see how the Indicator Graph provides us a visual representation of how indicators map to hosts in our environment as well as CrowdStrike Intelligence data.

Video

Accessing Falcon Indicator Graph

There are three different ways to access the Falcon Indicator Graph.

With Falcon X, quarantined files are automatically sent to the sandbox for analysis. For those detections, you can link directly to an indicator graph from the “Execution Details” under “Sandbox Analysis”. Clicking on the highlighted icon will present a pre-populated indicator graph based on the strict IOC’s associated with the analyzed file.

Indicator graph from detection

 

When you are researching a specific adversary or report, you will also see the option to open the related indicator graph as shown below.

Indicator graph from report

 

Similarly, you can open the indicator graph from within the sandbox report.

 

 

Using the Falcon Indicator Graph Intelligence

The Falcon Indicator Graph allows you to visualize the connections between a given indicator, CrowdStrike’s Intelligence data, and hosts in your environment. This helps speed up investigations while providing valuable context about the potential adversary and larger campaign. On the graph, the indicators are shown in the middle with Intel data to the left and host information to the right.

 

When an indicator is linked to CrowdStrike Intelligence information, it can help you learn about and understand the methods and motivations of adversaries. By clicking on the Intel report icon in this example, you see the connecting lines highlighted. We are also presented with an overview of the report as well as an option to view the complete report. In this example, we learn that the file is attributed to Cobalt Spider.

Looking to the right side of the graph, clicking on the “hosts” icon will expand a list of hosts that have event data containing these particular indicators. Like with Intel, this will highlight the lines connecting that host to the indicators and Intel attributes. You also have the option to expand and see the specific host’s detailed information.

indicator graph hosts

 

Building a Custom Falcon Indicator Graph

You can also start with any indicator(s) and build your own graph. Indicators can be IPs, domains or file hashes. You can access this option from the Indicators App under Intelligence.

create new indicator graph

By clicking on “Create indicator graph” you are prompted with the screen to add your own input.

add indicator

You can also add indicators to an existing graph using the “+” icon outlined below.

Conclusion

Falcon Indicator Graph empowers analysts to quickly visualize incidents, enrich investigations, and take action to improve the organization’s overall security posture.

More resources

CrowdStrike Falcon Free Trial
 

Try CrowdStrike Free for 15 Days Get Started with A Free Trial