Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The CrowdStrikeDetections table contains logs from the CrowdStrike Detections API that have been ingested into Microsoft Sentinel.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time DCR support | Yes |
| Lake-only ingestion | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AddedPrivileges | dynamic | Privileges added during the detection process. |
| AdversaryIds | dynamic | List of adversary IDs associated with the detection. |
| AgentScanId | string | Identifier for the agent scan that detected this threat. |
| AggregateId | string | Aggregate ID associated with the detection. |
| AllegedFiletype | string | The suspected file type of the malicious file. |
| AssignedToName | string | Name of the user assigned to investigate the detection. |
| AssignedToUid | string | User ID of the assigned investigator. |
| AssignedToUuid | string | UUID of the assigned investigator. |
| Behaviors | dynamic | List of behaviors detected that contributed to this detection. |
| BehaviorsProcessed | dynamic | List of behaviors that have been processed and analyzed. |
| _BilledSize | real | The record size in bytes |
| ChildProcessIds | dynamic | List of child process IDs spawned by the detected process. |
| Cid | string | Customer ID in the CrowdStrike platform. |
| CloudIndicator | bool | Indicates if the detection involves cloud-based indicators. |
| Cmdline | string | Command line used to execute the detected process. |
| CompositeId | string | Composite identifier combining multiple detection attributes. |
| Confidence | int | Confidence score of the detection (0-100). |
| CrawledTimestamp | datetime | Timestamp when the detection data was last crawled. |
| CreatedTimestamp | datetime | Timestamp when the detection was first created. |
| DateUpdated | string | Date when the detection record was last updated. |
| Description | string | Description of the detection. |
| DetectionContext | dynamic | Additional context information about the detection. |
| DetectionId | string | Unique identifier for the detection. |
| DetectionType | string | Type or category of the detection. |
| Device | dynamic | Information about the device where the detection occurred. |
| EmailSent | bool | Indicates if an email notification was sent for this detection. |
| EndTime | datetime | Timestamp when the detection ended. |
| Entities | dynamic | Entities associated with the detection. |
| EntityValues | dynamic | Values of the entities associated with the detection. |
| FalconHostLink | string | Link to the detection details in the CrowdStrike Falcon console. |
| Filename | string | Name of the file associated with the detection. |
| Filepath | string | Full path to the file associated with the detection. |
| FirstBehavior | datetime | Timestamp of the first behavior in the detection sequence. |
| GlobalPrevalence | string | Global prevalence rating of the detected file. |
| GrandparentDetails | dynamic | Details about the grandparent process in the process tree. |
| HostInfo | dynamic | Information about the host where the detection occurred. |
| Id | string | Unique identifier for the detection. |
| Incident | dynamic | Associated incident information if the detection is part of an incident. |
| IndicatorId | string | Identifier for the indicator of compromise (IOC) that triggered the detection. |
| IocContext | dynamic | Context information about the indicator of compromise. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| LastBehavior | datetime | Timestamp of the most recent behavior in the detection. |
| LocalPrevalence | string | Local prevalence rating of the detected file within the organization. |
| LocalProcessId | string | Local process ID on the system where the detection occurred. |
| LogonDomain | string | Domain used for user logon associated with the detection. |
| MaxConfidence | int | Maximum confidence score across all behaviors in the detection. |
| MaxSeverity | int | Maximum severity level across all behaviors in the detection. |
| MaxSeverityDisplayName | string | Text representation of the maximum severity level. |
| Md5 | string | MD5 hash of the detected file. |
| MitreAttack | dynamic | MITRE ATT&CK tactics and techniques associated with the detection. |
| Name | string | Name of the detection. |
| NetworkAccesses | dynamic | List of network connections made by the detected process. |
| Objective | string | Objective associated with the detection. |
| OsName | string | Operating system name where the detection occurred. |
| OverwatchNotes | string | Notes added by CrowdStrike Overwatch analysts. |
| ParentDetails | dynamic | Details about the parent process in the process tree. |
| ParentProcessId | string | Process ID of the parent process. |
| PatternDisposition | int | Numerical identifier for the action taken by the detection pattern. |
| PatternDispositionDescription | string | Text description of the pattern disposition action. |
| PatternDispositionDetails | dynamic | Detailed information about the pattern disposition. |
| PolyId | string | Poly ID associated with the detection. |
| PreviousPrivileges | string | Privileges previously held before the detection process. |
| Privileges | string | Current privileges associated with the detection. |
| ProcessEndTime | string | Timestamp when the detected process ended. |
| ProcessId | string | Process ID of the detected process. |
| ProcessStartTime | string | Timestamp when the detected process started. |
| Quarantined | bool | Indicates if the detected file was quarantined. |
| QuarantinedFiles | dynamic | List of files that were quarantined as part of this detection. |
| References | dynamic | References associated with the detection. |
| ScanId | string | Identifier for the scan that detected the threat. |
| Scenario | string | Scenario associated with the detection. |
| SecondsToResolved | int | Time in seconds from detection creation to resolution. |
| SecondsToTriaged | int | Time in seconds from detection creation to triage. |
| Severity | int | Severity level of the detection. |
| SeverityName | string | Name of the severity level associated with the detection. |
| Sha1 | string | SHA1 hash of the detected file. |
| Sha256 | string | SHA256 hash of the detected file. |
| ShowInUi | bool | Indicates if the detection should be displayed in the user interface. |
| SourceAccountDomain | string | Source account domain associated with the detection. |
| SourceAccountName | string | Source account name associated with the detection. |
| SourceAccountObjectGuid | string | Source account object GUID associated with the detection. |
| SourceAccountObjectSid | string | Source account object SID associated with the detection. |
| SourceAccountSamAccountName | string | Source account SAM account name associated with the detection. |
| SourceAccountUpn | string | Source account UPN associated with the detection. |
| SourceEventModel | string | Source event model associated with the detection. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| Status | string | Current status of the detection (e.g., new, in_progress, resolved). |
| Tactic | string | Tactic associated with the detection. |
| TacticId | string | ID of the tactic associated with the detection. |
| TacticIds | dynamic | IDs of the tactics associated with the detection. |
| Tactics | dynamic | Tactics associated with the detection. |
| Technique | string | Technique associated with the detection. |
| TechniqueId | string | ID of the technique associated with the detection. |
| TechniqueIds | dynamic | IDs of the techniques associated with the detection. |
| Techniques | dynamic | Techniques associated with the detection. |
| TemplateInstanceId | int | Instance ID of the detection template used. |
| TemplateInterfaceId | int | Interface ID of the detection template. |
| TemplateInterfaceName | string | Name of the detection template interface. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) when the detection was ingested. |
| TreeId | string | Identifier for the process tree associated with the detection. |
| TreeRoot | string | Root process identifier of the process tree. |
| TriggeringProcessGraphId | string | Graph ID of the process that triggered the detection. |
| Type | string | The name of the table |
| UpdatedTimestamp | datetime | Timestamp when the detection was last updated. |
| UserId | string | User ID associated with the detected process. |
| UserName | string | Username associated with the detected process. |
| UserPrincipal | string | User principal name (UPN) associated with the detected process. |
| XdrDetectionId | string | XDR detection ID associated with the detection. |