Activity App Walkthrough
This video will walk you through the Activity App on the Falcon user interface.
Activity App Walkthrough
Hi there. In this video, I’m going to walk you through the newly updated Falcon Activity App. The new Activity App now includes more useful information about detections- including usernames, color-coded severities, detection descriptions, and a lot more. We’re going to go over each of these new features in this video.
Now, the first thing to note is that the Detection App from the older UI is now called the Activity App. So, as you can see here we are now logged into the new Falcon UI and we are already in the Activity App. This is the defaulted app that will load when you first log into the UI. So, let’s get started.
First, a little orientation to the new Activity App. At the top of the page, you’ll see our new filter bar. This filter bar will let you filter the information that you’re seeing on the page based on time and status, severity, scenario, assigned to, host name, and triggering file. These filters can be set by using a combination of any of these fields and values. You’ll see this filter bar across multiple apps in the Falcon UI- including the Activity App the Falcon App and the Intelligence App. For more details on how to best use this filter bar, please refer to the filter bar feature video.
Now, under the filter section you’ll have the detection details for each detection shown you can now see the severity indicator icon, time and date of detection, host involved with the detection, user name associated with the detection, and the assigned user and detection status. This view can be changed by either grouping and or sorting them. The grouping choices will include grouping by host, scenario, severity, hash, command line, or triggering file. You can then further sort by many different options- new to old, old to new, and last updated. These view options introduce a powerful way for you to be able to organize your detection data.
Now, for each of these detections, you have the ability to assign both user and its status. You can do this to one or more events by first selecting the event check box and then clicking on the update and assign option. You’ll also note an icon with a specific color and label is associated with each event. These colors represent the severity of the scenario and will range from blue for information, yellow for low, orange for medium, red for high, and pink for critical. These colors will help make it easy to identify and prioritize security events. If you see a green icon, this signifies that the event was prevented. On the far side of the page, there’s an icon that will provide the full detection details. We’ll get into this a little bit later in the video.
Now, by clicking on the detection itself, a detection summary page will open that will provide a quick overview. This will include a process table and execution details. In the process table, there’s list of processes that were triggered as part of this event. For each process, you’ll be able to quickly get a summary of the types and numbers of operations involved with the specific process. This includes network operations, disc operations, DNS requests, registry operations, and process operations. You can click on a specific process to get more details.
On the right side of the screen, you’ll see some additional details about the scenario. At the top of this panel you can assign the user or detection status. You can also begin an event or host search. Clicking on this will take you to our Investigate App. We’ll be covering the Investigate App in a different video.
Next, you can copy the details of the scenario to your clipboard from where you can paste it into any document. You can also add comments to a specific scenario. Now, under this line you can see the host that is associated with this detection, and you can choose whether or not to network contain this host. By clicking on the network contain icon, you can change the network contains status of this host. Once you do, the host will only be able to communicate with CrowdStrike and will no longer be able to communicate to your network or the internet.
If we scroll down a little bit, you can see that there are a number of other details that are provided for the scenario- including execution in operation details. If you want the full details, you can either click on the full detection detail icon at the upper right at this section, or you can click on the full detection details icon found at the end of each detection line. We’ll go ahead and click on the full detection details icon at the top here- and now we’re in the full detection details screen.
On the center part of the screen, you’ll be presented with three possible views. A process treeview, a process table view, or process activity view. By default, you’ll see a process tree as we see here. The process tree will give you a visual representation of the processes that were involved with this event. For each of these processes, we click on the process icon to get details about that process: when it started and other key data points related to its actions such as the disc operation, center operations, registry operations, and command-line histories.
If there’s a green plus icon next to process, this means that the process tree can be further expanded to display the next processes that were involved in the event. As you continue to expand the various process icons, you will soon see of detailed visual representation of each of the processes that were involved with this event and how they are related to one another.
There are four icons above this process to grid. The first one to allow you to save the process tree as a PNG graphics file. The second will allow you to toggle between 2d and 3d perspectives. The third will allow you to fit this entire tree into a single view. The final icon will let you zoom into a specific node.
Ok, now let’s look at this data in a different way. You can also view this data as a process table. In the process table view you’ll see the event chain in a parent-child table format. This is similar to how the older Falcon UI used to display processes. To get a detail on any of these processes, simply click on the individual process line. You can also download a list as a json or CSV formatted file, and you can also select which columns you’d like to display in this table view.
Next, let’s look at the third view. This is the process activity view. When you select this option, you’re given a line-by-line detail of each process- what it did, when it did it, and what detailed area of operations it affected. Again, you can export this list as a json or CSV file. You can also choose which columns to display in this table view.
That’s the overview of the new Activity App. Please refer to our additional videos for more information.
Thanks for watching.
For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Center.Visit the Tech Center