How to Use Falcon Indicator Graph
Introduction
In this article and video, we will see how the Indicator Graph provides us a visual representation of how indicators map to hosts in our environment as well as CrowdStrike Intelligence data.
Video
Accessing Falcon Indicator Graph
There are three different ways to access the Falcon Indicator Graph.
With CROWDSTRIKE FALCON® INTELLIGENCE, quarantined files are automatically sent to the sandbox for analysis. For those detections, you can link directly to an indicator graph from the “Execution Details” under “Sandbox Analysis”. Clicking on the highlighted icon will present a pre-populated indicator graph based on the strict IOC’s associated with the analyzed file.
When you are researching a specific adversary or report, you will also see the option to open the related indicator graph as shown below.
Similarly, you can open the indicator graph from within the sandbox report.
Using the Falcon Indicator Graph Intelligence
The Falcon Indicator Graph allows you to visualize the connections between a given indicator, CrowdStrike’s Intelligence data, and hosts in your environment. This helps speed up investigations while providing valuable context about the potential adversary and larger campaign. On the graph, the indicators are shown in the middle with Intel data to the left and host information to the right.
When an indicator is linked to CrowdStrike Intelligence information, it can help you learn about and understand the methods and motivations of adversaries. By clicking on the Intel report icon in this example, you see the connecting lines highlighted. We are also presented with an overview of the report as well as an option to view the complete report. In this example, we learn that the file is attributed to Cobalt Spider.
Looking to the right side of the graph, clicking on the “hosts” icon will expand a list of hosts that have event data containing these particular indicators. Like with Intel, this will highlight the lines connecting that host to the indicators and Intel attributes. You also have the option to expand and see the specific host’s detailed information.
Building a Custom Falcon Indicator Graph
You can also start with any indicator(s) and build your own graph. Indicators can be IPs, domains or file hashes. You can access this option from the Indicators App under Intelligence.
By clicking on “Create indicator graph” you are prompted with the screen to add your own input.
You can also add indicators to an existing graph using the “+” icon outlined below.
Conclusion
Falcon Indicator Graph empowers analysts to quickly visualize incidents, enrich investigations, and take action to improve the organization’s overall security posture.
