Create a threat hunting dashboard and set it as your app's home page. Schedule an email to regularly provide the security team with a list of hosts exhibiting suspicious DNS activity.

CrowdStrike/foundry-tutorial-threat-hunting

Threat Hunting tutorial Foundry app

Important

To view this tutorial and import the app, you need access to the Falcon console.

This code is the result of doing the Falcon Foundry Create a Threat Hunting Dashboard and Scheduled Report tutorial.

Prerequisites

  • Falcon Insight XDR or Falcon Prevent (one app)
  • Falcon Next-Gen SIEM or Falcon Foundry (1+ apps depending on entitlement)

Getting Started

  1. Download this repository as a zip file.
  2. Log in to the Falcon console and go to Foundry > App manager.
  3. Click Import app and select the zip file you downloaded.
  4. Click Import.

Tip

  • If you get an error that the name already exists, change the name to something unique to your CID when importing the app.
  • The Suspicious_DNS_Activity_Email.yml workflow has multi_instance enabled which allows multiple instances of a workflow for the same CID. This configuration is not included in this repo's tutorial.

Links

This example uses the following CrowdStrike products:

Help

Please post any questions as issues in this repo, ask for help in our CrowdStrike subreddit, or post your question to our Foundry Developer Community.

Support

The foundry-tutorial-threat-hunting repo is the resulting code from doing the Foundry Create a Threat Hunting Dashboard and Scheduled Report tutorial. While not a formal CrowdStrike product, foundry-tutorial-threat-hunting is maintained by CrowdStrike and supported in partnership with the open source developer community.

License

MIT, see LICENSE.
