
CCFA-200 Dashboards and Reports

Dashboards and Reports Detailed Explanation

1. Dashboard Types

Dashboards in Falcon provide real-time visual summaries of activity across your endpoints. They help teams track:

  • Detections

  • Sensor health

  • Policy enforcement

  • System coverage

Each dashboard includes graphs, charts, and key metrics that update automatically.

1. Executive Summary Dashboard

Purpose:

Provides high-level visibility for senior leadership.

Key Elements:
  • Total detections over time

  • Detection severity breakdown (Low, Medium, High, Critical)

  • Active hosts and group count

  • Sensor deployment coverage

Best For:
  • C-level briefings

  • Security KPIs

  • Audit preparation

2. Detections Overview Dashboard

Purpose:

Shows the volume and trends of detections, helping analysts focus on priority issues.

Key Elements:
  • Detections by severity and type

  • Top affected hosts

  • Detection count over time

  • Common processes involved

Best For:
  • SOC teams

  • Incident tracking

  • Identifying hotspots in the environment

3. Endpoint Activity Dashboard

Purpose:

Monitors host behavior and coverage, including sensor status.

Key Elements:
  • Active vs inactive endpoints

  • Sensor version distribution

  • Host check-in status

  • Endpoint group activity

Best For:
  • IT operations

  • Patch and deployment tracking

  • Ensuring sensor visibility

4. Sensor Health Dashboard

Purpose:

Focuses on the health and stability of sensors across devices.

Key Elements:
  • Hosts with sensor errors

  • Hosts without policy

  • Hosts not seen in X days

  • Sensor installation failures

Best For:
  • Troubleshooting

  • Sensor maintenance and auditing

  • Ensuring full deployment coverage

Summary of Dashboard Types:

Dashboard Name       Primary Use                  Audience
Executive Summary    Strategic insights           Management
Detections Overview  Threat visibility            Analysts/SOC
Endpoint Activity    Endpoint behavior/tracking   IT Ops
Sensor Health        Sensor performance checks    Admins/Security

2. Custom Dashboards

Custom dashboards allow you to create your own views tailored to your team’s needs. This feature is especially useful in large organizations where different roles require different data.

1. What Are Custom Dashboards?

A custom dashboard is a user-defined collection of widgets that present filtered data such as:

  • Detection trends

  • Host activity

  • Policy coverage

  • Sensor health indicators

Each dashboard can be saved, shared (depending on permissions), and reused.

2. Creating a Custom Dashboard

Step-by-Step:
  1. Navigate to Dashboard → Manage Dashboards.

  2. Click “Create Dashboard”.

  3. Give it a name and optional description.

  4. Choose to:

    • Start with a blank layout, or

    • Copy from an existing dashboard.

  5. Click “Add Widget” to start building.

3. Types of Widgets You Can Add

Widget Type        What It Shows
Time Series Chart  Detection volume over time
Pie Chart          Detection severity or host distribution
Bar Graph          Top users, processes, host groups
Single Metric      Active hosts, sensor coverage rate
Table View         Detailed list of detections or hosts

4. Filtering Widgets

Widgets can be filtered by:

  • Time Range (e.g., last 7 days, custom window)

  • Severity Level (Critical, High, Medium, Low)

  • Group (e.g., only Finance or HR)

  • Host Tags

  • Detection Source (Custom IOA, ML, etc.)

Filters let you build role-specific dashboards (e.g., one for finance, another for executives).

5. Saving and Access Control

  • Dashboards are saved per user by default.

  • Admins can assign or share dashboards with other roles (e.g., read-only viewers).

  • You can also set a dashboard as your home page.

6. Use Cases for Custom Dashboards

Audience            Dashboard Purpose
SOC Analyst         View only Critical and High detections in Production
IT Admin            Monitor sensor deployment and failures
Manager             Track total alerts, top infected hosts
Compliance Officer  Show policy assignment by group for audit review

Best Practices:

Tip                                  Why It Helps
Name dashboards clearly              Makes it easier to navigate in large teams
Use consistent timeframes            Standardizes reporting and alerts
Clone and customize base dashboards  Saves time for department-specific views
Keep dashboards focused              Avoid clutter; use multiple dashboards if needed

3. Report Types

Reports in Falcon provide exportable, structured summaries of activity and configuration data. They support both on-demand insights and scheduled delivery, making them essential for:

  • Audit preparation

  • Weekly security reviews

  • Operational oversight

1. On-Demand Reports

These are generated manually at the time of need.

Common Report Types:
Report Name               Description
Host Inventory Report     List of all hosts, their group, status, OS, sensor version
Detection Report          Summary of detection events over a date range
Policy Assignment Report  Shows which hosts have which policies applied
Sensor Deployment Report  Devices without sensors, failed installations
Real Time Response Usage  Audit of RTR sessions per user/device

Formats Available:
  • PDF (best for presentation)

  • CSV (best for analysis)

  • JSON (for API parsing)

2. Scheduled Reports

These are automatically generated and delivered at defined intervals.

How to Set Up:
  1. Navigate to Reports → Scheduled Reports.

  2. Click “Create Report”.

  3. Choose:

    • Report type

    • Time range (e.g., daily, weekly, monthly)

    • Delivery method (Email, Download)

    • Recipients (specific users or teams)

  4. Set delivery schedule (e.g., every Monday at 8:00 AM).

Use Case Examples:
Team        Report                   Frequency
Security    Detection overview       Daily
Compliance  Host inventory by group  Weekly
IT Ops      Sensor update status     Monthly

3. Custom Filtering in Reports

Reports can be customized by:

  • Timeframe

  • Group name

  • Detection source

  • Severity

  • Policy or platform

This allows you to create highly focused reports (e.g., “Critical detections in APAC servers during the past 72 hours”).

4. Access and Permissions

  • Only users with report generation or viewing rights can create/view reports.

  • Admins can restrict who sees which reports using role-based access control (RBAC).

5. Audit and Archiving

  • Reports are downloadable from the Falcon UI or retrievable via API.

  • Archived reports can be stored for compliance or forensic review.

Best Practices:

Tip                             Benefit
Use CSV for internal analysis   Easier to filter and graph in Excel or BI tools
PDF for leadership summaries    Visually clean and ready for presentation
Automate delivery via schedule  Reduces manual effort and ensures consistency
Match reports to user roles     Keeps information relevant and secure

4. Scheduled Reports

1. What Are Scheduled Reports?

Scheduled reports are automatically generated and delivered reports that follow a defined timing pattern. This allows teams to:

  • Stay informed without logging into the Falcon console daily.

  • Track trends and anomalies proactively.

  • Meet audit or compliance reporting schedules.

2. Setting Up a Scheduled Report (Step-by-Step)

  1. Go to Reports → Scheduled Reports.

  2. Click “Create Scheduled Report”.

  3. Choose:

    • Report Type (e.g., Detection Summary, Host Inventory)

    • Time Range (e.g., past 24 hours, past week)

    • Delivery Schedule (daily, weekly, monthly, or custom)

    • Recipients (users with appropriate permissions)

  4. Choose the file format:

    • PDF (easy to read, fixed layout)

    • CSV (data manipulation in Excel)

  5. Optional: Add custom filters (e.g., severity ≥ High, group = Finance).

3. Delivery Options

Reports can be:

  • Emailed to one or more Falcon users.

  • Stored for download from the console.

  • Pushed via API to SIEM or logging platforms.

4. Permissions and Access Control

  • Only users with the appropriate role permissions can:

    • Create scheduled reports

    • View and download existing reports

  • Admins can restrict who receives what report using RBAC.

5. Use Case Examples

Role                Report Type                 Frequency  Format
Security Analysts   Critical Detections Report  Daily      CSV
Compliance Officer  Policy Assignment Review    Monthly    PDF
IT Operations       Sensor Deployment Gaps      Weekly     CSV
Executive           Executive Summary Report    Monthly    PDF

6. Managing Scheduled Reports

You can:

  • Edit or delete reports at any time.

  • View a history of successful and failed deliveries.

  • Set expiration policies to auto-disable reports after a period (e.g., 6 months).

  • Rotate recipients as team members change roles or responsibilities.

Best Practices:

Tip                                     Benefit
Keep report scope tight                 Avoid overwhelming recipients with too much data
Use PDF for non-technical roles         Provides clarity without needing tools
Use filters to isolate high-value data  Focus on what matters (e.g., only critical alerts)
Review delivery logs monthly            Ensure all reports are working as expected

5. Exporting and Integrations

1. Exporting Reports

Reports generated in the Falcon console can be exported in different formats for:

  • Manual review

  • Presentation

  • Data analysis

  • Archival and compliance documentation

Supported Formats:
Format  Best Use
PDF     Readable summaries, board or audit presentations
CSV     Custom data analysis in Excel, Power BI, Tableau
JSON    Integration with automation scripts or external systems

2. Manual Export Steps

  1. Go to Reports → Generated Reports or any dashboard view.

  2. Select the report or data view.

  3. Click “Export”.

  4. Choose file format (PDF, CSV, JSON).

  5. Download and distribute as needed.

3. Falcon API Integration

CrowdStrike Falcon offers a robust REST API that enables:

  • Automated report generation

  • Integration with SIEM platforms (e.g., Splunk, QRadar)

  • Feeding data into internal dashboards or security platforms

Common Use Cases:
  • Pulling detection data into a central threat dashboard

  • Exporting host inventory to CMDB tools

  • Sending alerts directly to a ticketing system (e.g., ServiceNow)

Example API Calls:
  • GET /devices/queries/devices-scroll/v1 – list hosts

  • GET /detects/queries/detects/v1 – retrieve detections

  • GET /reports/entities/report/v1 – download reports

These calls require an API client (an OAuth2 client ID and secret) whose assigned scopes cover only what the integration reads; a reporting integration needs read scopes for hosts and detections, not write or response scopes.
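As an added example (not CrowdStrike's code and not from this page), the following Python script wraps the host-listing call above in a minimal client. It assumes the OAuth2 client-credentials endpoint POST /oauth2/token, the devices-scroll response shape (a "resources" list plus a "meta.pagination.offset" token for the next page) and the `last_seen` FQL field; all three are marked as assumptions in the code. The HTTP transport is passed in as a function so the paging logic can be exercised offline against constructed pages.

```python
"""Paginated host listing via the Falcon REST API, with an injectable transport.

Added example, not CrowdStrike's code. Assumptions (not on the page):
the OAuth2 client-credentials endpoint POST /oauth2/token, the devices-scroll
response shape (a "resources" list plus "meta.pagination.offset"), and the
`last_seen` FQL field. Credentials are read from the environment so they are
never written into source.
"""
import json
import os
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"   # region-specific base URLs exist; US-1 assumed
PAGE_LIMIT = 100


def http_transport(method, url, headers, body):
    """Real transport: (method, url, headers, body bytes or None) -> parsed JSON."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(transport, client_id, client_secret):
    """Exchange an API client's ID/secret for a short-lived bearer token.
    The client should hold read scopes only; a reporting integration never
    needs response or write scopes."""
    body = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return transport("POST", BASE_URL + "/oauth2/token", headers, body)["access_token"]


def stale_host_filter(before_iso):
    """FQL for hosts whose last check-in predates the cutoff (field name assumed)."""
    return f"last_seen:<'{before_iso}'"


def iter_host_ids(transport, token, fql_filter=None):
    """Walk GET /devices/queries/devices-scroll/v1 until a page comes back empty.
    Each page carries the offset token for the next one in meta.pagination.offset."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    offset = None
    while True:
        params = {"limit": PAGE_LIMIT}
        if fql_filter:
            params["filter"] = fql_filter
        if offset:
            params["offset"] = offset
        url = f"{BASE_URL}/devices/queries/devices-scroll/v1?{urllib.parse.urlencode(params)}"
        page = transport("GET", url, headers, None)
        ids = page.get("resources") or []
        if not ids:
            return
        yield from ids
        offset = ((page.get("meta") or {}).get("pagination") or {}).get("offset")
        if not offset:   # last page reached
            return


def list_stale_hosts(transport, token, before_iso):
    """Host IDs (for GET /devices/entities/... lookups) not seen since before_iso."""
    return list(iter_host_ids(transport, token, stale_host_filter(before_iso)))


if __name__ == "__main__":
    token = get_token(http_transport,
                      os.environ["FALCON_CLIENT_ID"], os.environ["FALCON_CLIENT_SECRET"])
    for host_id in list_stale_hosts(http_transport, token, "2024-01-01T00:00:00Z"):
        print(host_id)
```

The query endpoint returns only host IDs; a second call to the host entity endpoint is needed for hostnames, groups and sensor versions. Keeping the credentials in environment variables and the scopes read-only is the practical form of the "review API credentials" advice in the Best Practices table below.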

4. SIEM and SOAR Integration

CrowdStrike integrates with:

  • SIEMs like Splunk, LogRhythm, QRadar, Sumo Logic

  • SOAR tools like Palo Alto Cortex XSOAR, IBM Resilient, and ServiceNow

These integrations typically use:

  • Prebuilt Falcon Connectors or

  • Custom API scripts and field mappings

Output includes logs, detections, alerts, and response events.

5. Automating Report Delivery to External Systems

You can:

  • Schedule report generation in Falcon.

  • Use APIs to fetch and forward the data to:

    • Cloud storage

    • Email servers

    • Dashboards (e.g., Kibana, Grafana)

  • Trigger Fusion workflows to act on specific conditions (e.g., send data to a webhook if critical alerts spike)

Best Practices:

Tip                                        Benefit
Use consistent naming in exported files    Easier to track/report versions
Regularly review API credentials           Maintain security and prevent misuse
Rotate API keys and audit usage            Improve long-term maintainability
Test integrations in sandbox environments  Avoid production disruptions

Dashboards and Reports (Additional Content)

Report selection under pressure: the “question → artifact → action” mapping

Why this matters

In exam items, the difference between a good and a great answer is often whether you choose the right evidence source quickly (sensor posture versus audit evidence) and then state what you will do next with it.

A fast mapping table you can apply mentally

Use this 3-step mental shortcut:

  1. Question type: posture, change, or accountability?

  2. Artifact: sensor posture reporting, dashboards, or audit logs?

  3. Action: who owns follow-up and what’s the verification cue?

Examples (exam-friendly):

  • “Which hosts are unhealthy / not checking in?” → Sensor posture reporting → produce a host list with owners + “last seen” and a next check (connectivity/service/lifecycle).

  • “Why did detections spike after yesterday?” → Dashboards for the trend + audit logs for changes → correlate timestamps, identify configuration change, validate scope (which group/policy).

  • “Who ran a privileged action?” → Audit logs → identify actor/time/target + require ticket/change reference + governance follow-up.

How to earn points: add a verification cue

Great answers include “how you confirm it’s true,” such as:

  • Sample 3 hosts from the report and confirm last seen/status in host details.

  • Compare trend window to the exact change timestamp in audit logs.

  • Confirm the action is tied to an approved ticket/change and the scope matches.
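The first mapping in the previous section ("which hosts are not checking in" producing a host list with owners and last seen) and the "sample 3 hosts" verification cue above can both be scripted against a Host Inventory CSV export. The Python script below is an added example, not CrowdStrike code; its CSV header is constructed to match the columns this page lists for the Host Inventory Report plus a last_seen column, and real export headers may differ, so treat the column names as assumptions. An empty or unparsable last_seen is reported as stale rather than silently dropped.

```python
"""Turn a Host Inventory CSV export into a 'hosts not checking in' worklist.

Added example, not CrowdStrike code. The CSV header is constructed to match the
columns the page lists for the Host Inventory Report plus a last_seen column;
real export headers may differ, so adjust COLUMNS to the actual export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real data): two stale hosts, one healthy, and
# one with an empty timestamp that must be flagged rather than dropped.
SAMPLE_CSV = """hostname,group,status,os,sensor_version,last_seen
fin-ws-01,Finance,normal,Windows 11,7.10.12345,2024-05-01T08:15:00Z
fin-ws-02,Finance,normal,Windows 11,7.10.12345,2024-05-20T10:00:00Z
hr-lt-07,HR,normal,macOS 14,7.09.11111,2024-04-28T22:40:00Z
srv-db-03,Production,normal,RHEL 9,7.10.12345,
"""

COLUMNS = ("hostname", "group", "status", "os", "sensor_version", "last_seen")
NOW = datetime(2024, 5, 21, tzinfo=timezone.utc)   # fixed "now" so runs are reproducible


def parse_last_seen(value):
    """ISO 8601 UTC timestamp ending in Z; None if empty or unparsable."""
    if not value:
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_inventory(csv_text):
    """Rows as dicts; fail loudly if the export lacks a column we depend on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"export is missing columns: {missing}")
    return list(reader)


def stale_hosts(rows, now, max_age_days):
    """Hosts not seen within max_age_days, grouped by owning host group.
    A missing or unparsable last_seen counts as stale: silence is not health."""
    cutoff = now - timedelta(days=max_age_days)
    out = {}
    for r in rows:
        seen = parse_last_seen(r["last_seen"])
        if seen is None or seen < cutoff:
            out.setdefault(r["group"], []).append({
                "hostname": r["hostname"],
                "last_seen": r["last_seen"] or "unknown",
                "days_silent": None if seen is None else (now - seen).days,
                "sensor_version": r["sensor_version"],
            })
    for group in out:
        out[group].sort(key=lambda h: h["hostname"])
    return out


def verification_sample(stale_by_group, n=3):
    """Pick n hosts round-robin across groups so the spot-check is not all one owner's."""
    queues = [list(hosts) for _, hosts in sorted(stale_by_group.items())]
    picked = []
    while len(picked) < n and any(queues):
        for q in queues:
            if q and len(picked) < n:
                picked.append(q.pop(0)["hostname"])
    return picked


def stale_report(csv_text=SAMPLE_CSV, now=NOW, max_age_days=7):
    return stale_hosts(parse_inventory(csv_text), now, max_age_days)


if __name__ == "__main__":
    stale = stale_report()
    for group, hosts in sorted(stale.items()):
        print(group)
        for h in hosts:
            print("  ", h["hostname"], h["last_seen"], h["days_silent"], h["sensor_version"])
    print("spot-check in host details:", verification_sample(stale))
```

The per-group output is the "host list with owners" the mapping asks for; the round-robin sample is the verification cue, and checking those three hosts' last seen and status in host details is what turns the report into evidence.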

Frequently Asked Questions

Which Falcon reporting feature helps administrators identify endpoints with outdated or malfunctioning sensors?

Answer:

Sensor health reports.

Explanation:

Sensor health reports provide visibility into the operational status of Falcon sensors across endpoints. These reports help administrators identify systems with outdated sensor versions, communication failures, or operational errors. Reviewing these reports regularly ensures that endpoint protection remains active and up to date throughout the environment. Administrators can use this information to troubleshoot sensor issues, plan updates, or remediate endpoints that are not properly protected.

Demand Score: 69

Exam Relevance Score: 80

Why are Falcon audit logs important for security and compliance monitoring?

Answer:

They provide a record of administrative and system activities within the platform.

Explanation:

Audit logs capture actions performed by users and automated processes in the Falcon console. These logs allow organizations to track configuration changes, administrative actions, and system events. Reviewing audit logs helps security teams investigate incidents, maintain accountability, and meet regulatory compliance requirements. They are particularly useful for verifying who performed specific actions such as policy changes or remote response operations.

Demand Score: 67

Exam Relevance Score: 82

Why do administrators regularly review Falcon dashboards?

Answer:

To monitor security posture and operational status across endpoints.

Explanation:

Falcon dashboards aggregate security and operational metrics into visual summaries. These dashboards display key indicators such as detection trends, sensor health status, and endpoint coverage. Administrators rely on dashboards to quickly identify anomalies, investigate threats, and evaluate the effectiveness of security policies. By regularly reviewing these visual summaries, security teams maintain awareness of the overall security posture of their environment.

Demand Score: 64

Exam Relevance Score: 76

How can Falcon reports assist administrators during security investigations?

Answer:

By providing historical visibility into system activity and detection events.

Explanation:

Falcon reports store historical telemetry and detection information that helps investigators analyze past security events. Administrators can review reports to identify affected hosts, analyze attack timelines, and evaluate the scope of an incident. This historical data helps security teams understand how an attack occurred and supports effective remediation and incident response efforts.

Demand Score: 60

Exam Relevance Score: 75
