How to Monitor Intel with Custom Dashboards
Threat intelligence is a key component of the Falcon platform. CrowdStrike provides consumable intelligence including actor profiles, alerts and indicators so that organizations can understand the adversary, learn from attacks and take action to improve their overall defenses. With custom dashboards, customers can also design specialized views of that data to facilitate consistent monitoring across multiple job functions and areas of interest.
How to Create Custom Intel Dashboards
Under the “Dashboards” section of the main Falcon menu, there are links to view All, Private, Shared, Preset and Legacy Dashboards. The option to “Create dashboard” appears at the top of each of those pages. Dashboards can be created using multiple sources or a single data source.
Users can create each widget for the dashboard based on preset or custom options.
As an example, the widget below is based on Intelligence Indicators that have been updated in the last week and are specifically related to the actor WIZARD SPIDER. The widget has a custom name and is shown as a stacked bar chart of indicators illustrated by type and day.
How to Use Custom Dashboards
For a specific use case, we will look to the 2021 Global Threat Report, where WIZARD SPIDER was the most reported eCrime adversary for the second year in a row. WIZARD SPIDER was behind a number of Conti and Ryuk ransomware attacks, including many that impacted US healthcare organizations.
As always, CrowdStrike customers can turn to the actor profile to learn even more about WIZARD SPIDER. The profile confirms that this is a criminal group based in Eastern Europe targeting a number of countries and industries, including US healthcare. Also, WIZARD SPIDER has been known to exploit two different CVEs that have open vulnerabilities within this organization.
The custom dashboard shown below gives a healthcare company quick access to the latest intelligence information on WIZARD SPIDER. There are counters to report new Intelligence reports as well as the number of attributed Sandbox reports. The pie chart illustrates systems vulnerable to the exploited CVEs from the actor profile, while the top bar graph tracks updated WIZARD SPIDER indicators. Because this actor is known to use ransomware and exfiltrate data, the bar graph on the second row monitors for detections by objective, while the donut chart looks specifically at exfiltration detections by operating system. There is also a list of recent Intelligence reports referencing healthcare as a target. Together, this dashboard delivers the latest WIZARD SPIDER intelligence information while also highlighting open vulnerabilities where immediate action can be taken to mitigate the risk of attack.
Once defined, dashboards can be kept private or shared with other users via the settings configuration. Dashboards can also be duplicated and then modified as needed using the preset widgets or custom options.
CrowdStrike not only provides organizations with actionable intelligence, but also the ability to view that information based on specific job functions or areas of interest. In addition to saving time and resources, custom dashboards keep analysts informed about recent activity and adversary tactics, while helping inform security decisions and reduce overall risk.