https://github.com/crowdstrike/foundry-tutorial-threat-hunting
Create a threat hunting dashboard and set it as your app's home page. Schedule an email to regularly provide the security team with a list of hosts exhibiting suspicious DNS activity.
https://github.com/crowdstrike/foundry-tutorial-threat-hunting
dashboards falcon-foundry workflow-templates
Last synced: 5 months ago
JSON representation
Create a threat hunting dashboard and set it as your app's home page. Schedule an email to regularly provide the security team with a list of hosts exhibiting suspicious DNS activity.
- Host: GitHub
- URL: https://github.com/crowdstrike/foundry-tutorial-threat-hunting
- Owner: CrowdStrike
- License: mit
- Created: 2025-04-15T18:21:32.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2025-05-20T17:50:22.000Z (about 1 year ago)
- Last Synced: 2026-01-25T00:26:15.456Z (5 months ago)
- Topics: dashboards, falcon-foundry, workflow-templates
- Homepage: https://falcon.crowdstrike.com/documentation/page/t2de2d0b/create-a-threat-hunting-dashboard-and-scheduled-report
- Size: 134 KB
- Stars: 1
- Watchers: 4
- Forks: 2
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
README


[](https://reddit.com/r/crowdstrike)
# Threat Hunting tutorial Foundry app
> [!IMPORTANT]
> To view this tutorial and import the app, you need access to the Falcon console.
This code is the result of doing the Falcon Foundry [Create a Threat Hunting Dashboard and Scheduled Report](https://falcon.crowdstrike.com/documentation/page/t2de2d0b/create-a-threat-hunting-dashboard-and-scheduled-report) tutorial.
## Prerequisites
- Falcon Insight XDR or Falcon Prevent (one app)
- Falcon Next-Gen SIEM or Falcon Foundry (1+ apps depending on entitlement)
## Getting Started
1. [Download this repository as a zip file](https://github.com/CrowdStrike/foundry-tutorial-threat-hunting/archive/refs/heads/main.zip).
2. [Log in to the Falcon console](https://falcon.crowdstrike.com/login?unilogin=true) and go to **Foundry** > **App manager**.
3. Click **Import app** and select the zip file you downloaded.
4. Click **Import**.
> [!TIP]
> * If you get an error that the name already exists, change the name to something unique to your CID when importing the app.
> * The [`Suspicious_DNS_Activity_Email.yml`](workflows/Suspicious_DNS_Activity_Email.yml#L3) workflow has `multi_instance` enabled which allows multiple instances of a workflow for the same CID. This configuration is not included in this repo's tutorial.
## Links
This example uses the following CrowdStrike products:
* [Falcon Platform](https://www.crowdstrike.com/platform/)
* [Falcon Foundry](https://www.crowdstrike.com/platform/next-gen-siem/falcon-foundry/)
* [Falcon Fusion SOAR](https://www.crowdstrike.com/platform/next-gen-siem/falcon-fusion/)
## Help
Please post any questions as [issues](https://github.com/CrowdStrike/foundry-tutorial-threat-hunting/issues) in this repo, ask for help in our [CrowdStrike subreddit](https://www.reddit.com/r/crowdstrike/), or post your question to our [Foundry Developer Community](https://community.crowdstrike.com/groups/foundry-developer-community-82).
## Support
The foundry-tutorial-threat-hunting repo is the resulting code from doing the Foundry Create a Threat Hunting Dashboard and Scheduled Report tutorial. While not a formal CrowdStrike product, foundry-tutorial-threat-hunting is maintained by CrowdStrike and supported in partnership with the open source developer community.
## License
MIT, see [LICENSE](LICENSE).