Identity Protection – Building Custom Insights

Summary

In this resource you will learn how to get customized visibility into your environment with CrowdStrike Falcon Identity Protection’s Custom Insight capability.

The Problem

You can’t secure what you don’t understand. You need visibility into your identity landscape to proactively mitigate gaps attackers take advantage of.

Attackers increasingly target identity. CrowdStrike’s Global Threat Report found that 80% of attacks involve compromised credentials. Instead of kicking down a door, with valid credentials they can simply use the key. With valid credentials, attackers can skip stages of the attack lifecycle and reach their end goals even faster.

The Value of Falcon Identity Protection

Get insight into your identity landscape by using CrowdStrike Falcon Identity Protection.

Use Custom Insights to build customized visibility around use cases important to your organization. And, continually monitor important insights to get visibility into changes over time.

Accessing Custom Insights

Start by navigating to the custom insights page. Using the main menu, click the Identity Protection tab. Then, click Custom Insights under the “Monitor” category.

Custom insights give you reusable visibility into your environment based on filters you input. If you’ve already built custom insights, you’ll be able to select, and view, them on this page.

Building Custom Insights

To create a new insight click the New Custom Insight button.

We’ll build out a custom insight as an example that will look for human, administrator accounts with compromised passwords. Falcon Identity Protection detects accounts that have compromised, and/or duplicate passwords that attackers could take advantage of.

Keep in mind this is just one example. You can build custom insights around a variety of security and operations use cases.

To begin building out our example we’ll look for compromised passwords – which is an attribute. Click the attribute dropdown, then click the “include” checkbox next to “compromised password”.

Next, we want to filter by account type. Falcon Identity Protection gives you visibility into what accounts are human, programmatic, and more.

For this custom insight, click the account type dropdown and click the checkbox next to “human”.

Finally, we will filter by privilege. With Falcon Identity Protection you can see all levels of privilege for accounts in your environment – including stealthy admins and more.

Click the privileged dropdown. Then, next to “Domain Level Admins” click the checkbox.

A domain administrator with a compromised password is a serious security risk – if an adversary was able to leverage the account they would have broad access and execution in the environment.

Once filters have been added, click apply to see results. Below are all accounts that are human, domain level admins with compromised passwords.

Saving Custom Insights

After creating a custom insight you can save it for future reuse. Click the three dots next to “apply” to save as a custom insight.

Once saved, the newly created custom insight will be accessible. Click into it on the custom insights page to get a current view of the filtered insight. This will be updated as the environment changes. For example, if the user Bruce Banner resets their password they will be removed from the list.

You can also save a custom insight as a PDF, csv, or a custom report. Custom Reports are accessible under the “enforce” tab and can be run on-demand or scheduled and sent via email to specified administrators.

Conclusion

Get on-demand, up-to-date visibility by using Falcon Identity Protection Custom Insights. Proactive visibility enables you to close security gaps – you can’t secure what you don’t understand, and Falcon Identity Protection gives you deep, high-fidelity insight into your identity landscape.