From 40e181ab429744c707d40006b79cdc62e95b2fff Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 29 Jul 2025 12:32:58 +0100 Subject: [PATCH 1/4] Analyzer support for CrowdStrike and SentinelOne --- .../investigate/visual-event-analyzer.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md index 0d816d5107..5da8e68a9c 100644 --- a/solutions/security/investigate/visual-event-analyzer.md +++ b/solutions/security/investigate/visual-event-analyzer.md @@ -23,12 +23,19 @@ If you’re experiencing performance degradation, you can [exclude cold and froz ## Find events to analyze [find-events-analyze] -You can only visualize events triggered by hosts configured with the {{elastic-defend}} integration or any `sysmon` data from `winlogbeat`. +You can visualize events from the following sources: -In KQL, this translates to any event with the `agent.type` set to either: +* {{elastic-defend}} integration +* Sysmon data collected through {{winlogbeat}} +* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) +* [SentinelOne Cloud Funnel integration](integration-docs://reference/sentinel_one_cloud_funnel.md) + +In KQL, this translates to any event with the `agent.type` set to: * `endpoint` * `winlogbeat` with `event.module` set to `sysmon` +* TBD for CrowdStrike +* TBD for SentinelOne To find events that can be visually analyzed: 
@@ -37,13 +44,12 @@ To find events that can be visually analyzed: * Find **Hosts** in the main menu, or search for `Security/Explore/Hosts` by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then select the **Events** tab. A list of all your hosts' events appears at the bottom of the page. * Find **Alerts** in the main menu or by using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then scroll down to the Alerts table. -2. Filter events that can be visually analyzed by entering either of the following queries in the KQL search bar, then selecting **Enter**: +2. Filter events that can be visually analyzed by entering one of the following queries in the KQL search bar, then selecting **Enter**: * `agent.type:"endpoint" and process.entity_id :*` - - Or - * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` + * TBD for CrowdStrike + * TBD for SentinelOne 3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. @@ -75,7 +81,7 @@ Within the visual analyzer, each cube represents a process, such as an executabl To understand what fields were used to create the process, select the **Process Tree** to show the schema that created the graphical view. The fields included are: -* `SOURCE`: Can be either `endpoint` or `winlogbeat` +* `SOURCE`: Indicates the data source—for example, `endpoint` or `winlogbeat` * `ID`: Event field that uniquely identifies a node * `EDGE`: Event field which indicates the relationship between two nodes From 6fc80052da079723bd5d7d3ddb639312e291dc2e Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Tue, 29 Jul 2025 14:08:04 +0100 Subject: [PATCH 2/4] adds missing info --- solutions/security/investigate/visual-event-analyzer.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md index 5da8e68a9c..5070441b45 100644 --- a/solutions/security/investigate/visual-event-analyzer.md +++ b/solutions/security/investigate/visual-event-analyzer.md @@ -34,8 +34,8 @@ In KQL, this translates to any event with the `agent.type` set to: * `endpoint` * `winlogbeat` with `event.module` set to `sysmon` -* TBD for CrowdStrike -* TBD for SentinelOne +* `filebeat` with `event.module` set to `crowdstrike` +* `filebeat` with `event.module` set to `sentinel_one_cloud_funnel` To find events that can be visually analyzed: @@ -48,8 +48,8 @@ To find events that can be visually analyzed: * `agent.type:"endpoint" and process.entity_id :*` * `agent.type:"winlogbeat" and event.module: "sysmon" and process.entity_id : *` - * TBD for CrowdStrike - * TBD for SentinelOne + * `agent.type:"filebeat" and event.module: "crowdstrike" and process.entity_id : *` + * `agent.type:"filebeat" and event.module: "sentinel_one_cloud_funnel" and process.entity_id : *` 3. Events that can be visually analyzed are denoted by a cubical **Analyze event** icon. Select this option to open the event in the visual analyzer. The event analyzer is accessible from the **Hosts**, **Alerts**, and **Timelines** pages, as well as the alert details flyout. From 6fa424fee3fdd762013c10f0c080be0eaa64c9f4 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 31 Jul 2025 12:15:08 +0100 Subject: [PATCH 3/4] add CS details --- solutions/security/investigate/visual-event-analyzer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md index 5070441b45..6febe2df8f 100644 --- a/solutions/security/investigate/visual-event-analyzer.md +++ b/solutions/security/investigate/visual-event-analyzer.md @@ -27,7 +27,7 @@ You can visualize events from the following sources: * {{elastic-defend}} integration * Sysmon data collected through {{winlogbeat}} -* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) +* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) ([Falcon](integration-docs://reference/crowdstrike.md#falcon) or [FDR](integration-docs://reference/crowdstrike.md#fdr) logs) * [SentinelOne Cloud Funnel integration](integration-docs://reference/sentinel_one_cloud_funnel.md) In KQL, this translates to any event with the `agent.type` set to: From 1ef4eb8c2e68ce4b9d27c67da12e8ef059e4632d Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 31 Jul 2025 14:00:39 +0100 Subject: [PATCH 4/4] update CS details --- solutions/security/investigate/visual-event-analyzer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/investigate/visual-event-analyzer.md b/solutions/security/investigate/visual-event-analyzer.md index 6febe2df8f..a609d06fd5 100644 --- a/solutions/security/investigate/visual-event-analyzer.md +++ b/solutions/security/investigate/visual-event-analyzer.md 
@@ -27,7 +27,7 @@ You can visualize events from the following sources: * {{elastic-defend}} integration * Sysmon data collected through {{winlogbeat}} -* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) ([Falcon](integration-docs://reference/crowdstrike.md#falcon) or [FDR](integration-docs://reference/crowdstrike.md#fdr) logs) +* [CrowdStrike integration](integration-docs://reference/crowdstrike.md) (Falcon logs collected through Event Stream or FDR) * [SentinelOne Cloud Funnel integration](integration-docs://reference/sentinel_one_cloud_funnel.md) In KQL, this translates to any event with the `agent.type` set to:
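Review bot: In PATCH 1/4, hunk `@@ -23,12 +23,19 @@`, the bullets `* TBD for CrowdStrike` and `* TBD for SentinelOne` are placeholders under an intro line that promises the concrete `agent.type` mapping; PATCH 2/4 fills them in, so squash the two commits (or leave the placeholder lines out of this one) so that no intermediate revision of the published page lists `TBD`. Also confirm that the `{{winlogbeat}}` substitution is defined in the docs build: the removed line used the literal `winlogbeat`, and `{{elastic-defend}}` was the only variable previously used in this section.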
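Review bot: In PATCH 1/4, hunk `@@ -37,13 +44,12 @@`, the two surviving example queries use inconsistent KQL spacing (`process.entity_id :*` in the endpoint query versus `process.entity_id : *` in the winlogbeat query, and `agent.type:"endpoint"` versus `event.module: "sysmon"`); since the hunk rewrites this list anyway, normalise the spacing across all entries so readers do not wonder whether the whitespace is significant. The `TBD` placeholders in this hunk have the same problem as in the first hunk and are resolved only in PATCH 2/4.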
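Review bot: In PATCH 1/4, hunk `@@ -75,7 +81,7 @@`, the rewritten `SOURCE` bullet now gives only `endpoint` or `winlogbeat` as examples although the page lists four supported sources; state what `SOURCE` shows for events from the CrowdStrike and SentinelOne Cloud Funnel integrations (presumably `filebeat`, given the `agent.type` mapping added in PATCH 2/4, but confirm it in the UI) so the field description matches the rest of the page. The em dash introduced in that line also breaks with the `ID` and `EDGE` bullets, which use a plain sentence after the field name; a colon or comma keeps the list consistent.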
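Review bot: In PATCH 2/4, hunk `@@ -34,8 +34,8 @@`, the new bullets map CrowdStrike and SentinelOne to `agent.type` `filebeat` with `event.module` `crowdstrike` and `sentinel_one_cloud_funnel`, but the filters in the next hunk additionally require `process.entity_id` to exist, and nothing in the text says which CrowdStrike data streams (Falcon via Event Stream or FDR, as PATCH 4/4 later describes) populate that field, or whether a minimum integration version is needed. If such a requirement exists, state it next to these bullets; otherwise readers whose documents match `event.module: crowdstrike` but lack `process.entity_id` will see no **Analyze event** icon and have no pointer to why.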
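Review bot: In PATCH 2/4, hunk `@@ -48,8 +48,8 @@`, the two added queries copy the `event.module: "..."` and `process.entity_id : *` spacing of the winlogbeat line rather than the endpoint line, so the list still mixes two styles; pick one form for all four entries. It is also worth double-checking that documents from the SentinelOne integration really carry `event.module` set to `sentinel_one_cloud_funnel` rather than a shorter module name, since a value copied from the integration's reference path would match nothing and the query would silently return an empty list.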
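Review bot: In PATCH 3/4, hunk `@@ -27,7 +27,7 @@`, the added links target `#falcon` and `#fdr` fragments of `integration-docs://reference/crowdstrike.md`, and nothing in the change verifies that those anchors exist; PATCH 4/4 replaces the links with plain text anyway, so squash the two commits so that a revision with possibly dangling anchors never lands in history.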
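Review bot: In PATCH 4/4, hunk `@@ -27,7 +27,7 @@`, the parenthetical `(Falcon logs collected through Event Stream or FDR)` names two collection paths, but the KQL bullet below still lists a single `event.module` value of `crowdstrike`; add a sentence saying whether both paths yield the same `event.module` and `process.entity_id` fields. Wording such as "Falcon logs collected through either Event Stream or FDR" would also make clear that FDR is a second collection path rather than a second log type.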