The CrowdStrikeCases table contains logs from the CrowdStrike Cases API that have been ingested into Microsoft Sentinel.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time DCR support | No |
| Lake-only ingestion | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AnalysisResults | dynamic | The results of analyzing the case evidence (alerts, cloud_assets, events, files, hosts, users). |
| AssignedTo | dynamic | Details about the user who is currently assigned to the case. |
| _BilledSize | real | The record size in bytes. |
| Cid | string | The unique customer account ID that the case belongs to. |
| Consistency | dynamic | Background processing details associated with updates made to the case. |
| CreatedBy | dynamic | Details about the user who created the case. |
| CreatedTimestamp | datetime | The date and time the case was created. |
| Description | string | The user-provided description of the case. |
| EndTimestamp | datetime | The date and time the case was ended. |
| Evidence | dynamic | Evidence associated with the case (alerts, events). |
| Id | string | The unique ID of the case. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| LastUpdatedBy | dynamic | Details about the user who last updated the case. |
| Name | string | The user-defined case name. |
| Severity | int | The current user-provided severity rating of the case (1-100). |
| SeverityInfo | dynamic | Additional information about the severity of the case. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| StartTimestamp | datetime | The date and time the case was started. |
| Status | string | The current status of the case (new, closed, in_progress, reopened). |
| Tags | dynamic | A list of user-defined labels applied to the case. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The timestamp (UTC) when the host data was ingested. |
| Type | string | The name of the table. |
| UpdatedTimestamp | datetime | The date and time the case was last updated. |
| Version | int | The current case version. |
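An added KQL example (not from this page or from Microsoft's own sample queries) that uses the columns above to list open cases by severity and age. It assumes that the table receives a new record each time a case is updated, so one `Id` can appear with several `Version` values, and that `Evidence` carries an `alerts` array.

```kusto
// Added example: keep only the latest ingested version of each case,
// then surface open cases ordered by severity and age.
// Assumption: a case is re-ingested on every update, so dedupe on Version.
CrowdStrikeCases
| where TimeGenerated > ago(30d)
| summarize arg_max(Version, *) by Id          // latest record per case Id
| where Status in ("new", "in_progress", "reopened")
| extend CaseAgeDays = datetime_diff("day", now(), CreatedTimestamp)
// Assumption: Evidence is a bag with an 'alerts' array (page says "alerts, events")
| extend AlertCount = array_length(Evidence.alerts)
| project Id, Name, Severity, Status, CaseAgeDays, AlertCount, UpdatedTimestamp, Tags
| order by Severity desc, CaseAgeDays desc
```

Without the `arg_max` step, a case updated several times in the window would be counted once per version, which inflates open-case counts and can show a stale `Status`.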