The CrowdStrikeDetections table contains logs from the CrowdStrike Detections API that have been ingested into Microsoft Sentinel.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | Yes |
| Sample Queries | Yes |
Columns
| Column | Type | Description |
|---|---|---|
| AdversaryIds | dynamic | List of adversary IDs associated with the detection. |
| AgentScanId | string | Identifier for the agent scan that detected this threat. |
| AllegedFiletype | string | The suspected file type of the malicious file. |
| AssignedToName | string | Name of the user assigned to investigate the detection. |
| AssignedToUid | string | User ID of the assigned investigator. |
| AssignedToUuid | string | UUID of the assigned investigator. |
| Behaviors | dynamic | List of behaviors detected that contributed to this detection. |
| BehaviorsProcessed | dynamic | List of behaviors that have been processed and analyzed. |
| _BilledSize | real | The record size in bytes. |
| ChildProcessIds | dynamic | List of child process IDs spawned by the detected process. |
| Cid | string | Customer ID in the CrowdStrike platform. |
| CloudIndicator | bool | Indicates if the detection involves cloud-based indicators. |
| Cmdline | string | Command line used to execute the detected process. |
| CompositeId | string | Composite identifier combining multiple detection attributes. |
| Confidence | int | Confidence score of the detection (0-100). |
| CrawledTimestamp | datetime | Timestamp when the detection data was last crawled. |
| CreatedTimestamp | datetime | Timestamp when the detection was first created. |
| DateUpdated | string | Date when the detection record was last updated. |
| DetectionContext | dynamic | Additional context information about the detection. |
| DetectionId | string | Unique identifier for the detection. |
| DetectionType | string | Type or category of the detection. |
| Device | dynamic | Information about the device where the detection occurred. |
| EmailSent | bool | Indicates if an email notification was sent for this detection. |
| FalconHostLink | string | Link to the detection details in the CrowdStrike Falcon console. |
| Filename | string | Name of the file associated with the detection. |
| Filepath | string | Full path to the file associated with the detection. |
| FirstBehavior | datetime | Timestamp of the first behavior in the detection sequence. |
| GlobalPrevalence | string | Global prevalence rating of the detected file. |
| GrandparentDetails | dynamic | Details about the grandparent process in the process tree. |
| HostInfo | dynamic | Information about the host where the detection occurred. |
| Incident | dynamic | Associated incident information if the detection is part of an incident. |
| IndicatorId | string | Identifier for the indicator of compromise (IOC) that triggered the detection. |
| IocContext | dynamic | Context information about the indicator of compromise. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| LastBehavior | datetime | Timestamp of the most recent behavior in the detection. |
| LocalPrevalence | string | Local prevalence rating of the detected file within the organization. |
| LocalProcessId | string | Local process ID on the system where the detection occurred. |
| LogonDomain | string | Domain used for user logon associated with the detection. |
| MaxConfidence | int | Maximum confidence score across all behaviors in the detection. |
| MaxSeverity | int | Maximum severity level across all behaviors in the detection. |
| MaxSeverityDisplayName | string | Text representation of the maximum severity level. |
| Md5 | string | MD5 hash of the detected file. |
| NetworkAccesses | dynamic | List of network connections made by the detected process. |
| OsName | string | Operating system name where the detection occurred. |
| OverwatchNotes | string | Notes added by CrowdStrike Falcon OverWatch analysts. |
| ParentDetails | dynamic | Details about the parent process in the process tree. |
| ParentProcessId | string | Process ID of the parent process. |
| PatternDisposition | int | Numerical identifier for the action taken by the detection pattern. |
| PatternDispositionDescription | string | Text description of the pattern disposition action. |
| PatternDispositionDetails | dynamic | Detailed information about the pattern disposition. |
| ProcessEndTime | string | Timestamp when the detected process ended. |
| ProcessId | string | Process ID of the detected process. |
| ProcessStartTime | string | Timestamp when the detected process started. |
| Quarantined | bool | Indicates if the detected file was quarantined. |
| QuarantinedFiles | dynamic | List of files that were quarantined as part of this detection. |
| ScanId | string | Identifier for the scan that detected the threat. |
| SecondsToResolved | int | Time in seconds from detection creation to resolution. |
| SecondsToTriaged | int | Time in seconds from detection creation to triage. |
| Sha1 | string | SHA1 hash of the detected file. |
| Sha256 | string | SHA256 hash of the detected file. |
| ShowInUi | bool | Indicates if the detection should be displayed in the user interface. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| Status | string | Current status of the detection (e.g., new, in_progress, resolved). |
| TemplateInstanceId | int | Instance ID of the detection template used. |
| TemplateInterfaceId | int | Interface ID of the detection template. |
| TemplateInterfaceName | string | Name of the detection template interface. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The timestamp (UTC) when the detection was ingested. |
| TreeId | string | Identifier for the process tree associated with the detection. |
| TreeRoot | string | Root process identifier of the process tree. |
| TriggeringProcessGraphId | string | Graph ID of the process that triggered the detection. |
| Type | string | The name of the table. |
| UpdatedTimestamp | datetime | Timestamp when the detection was last updated. |
| UserId | string | User ID associated with the detected process. |
| UserName | string | Username associated with the detected process. |
| UserPrincipal | string | User principal name (UPN) associated with the detected process. |
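The following KQL query is an added example built on the columns above; it is not one of the page's own sample queries. It produces a triage worklist of recent detections that are neither resolved nor quarantined, and enriches each row with how many distinct detections in the window share the same SHA256, so a hash seen across many users or detections sorts to the top. It assumes the `Status` value `resolved` listed in the table, and that `SecondsToTriaged` is null until a detection has been triaged.

```kusto
// Added example, not from the Microsoft Learn reference page.
// Triage worklist: open, uncontained CrowdStrike detections from the last
// 7 days, with the fields an analyst needs first and a hash-spread count.
let lookback = 7d;
let recent = CrowdStrikeDetections
    | where TimeGenerated > ago(lookback);
// Count distinct detections per file hash so the same binary showing up in
// several detections (or for several users) is visible at a glance.
let hashSpread = recent
    | where isnotempty(Sha256)
    | summarize DetectionsForHash = dcount(DetectionId),
                UsersForHash = make_set(UserName, 10)
      by Sha256;
recent
| where Status != "resolved"      // page lists new, in_progress, resolved
| where Quarantined == false       // sensor did not contain the file
| lookup kind=leftouter hashSpread on Sha256
// Assumption: SecondsToTriaged is null until an analyst triages the detection.
| extend TriageMinutes = iff(isnotnull(SecondsToTriaged),
                             SecondsToTriaged / 60.0, real(null))
| project TimeGenerated, DetectionId, MaxSeverity, MaxSeverityDisplayName,
          Status, TriageMinutes, Filename, Filepath, Sha256,
          DetectionsForHash, UsersForHash, Cmdline, UserName, LogonDomain,
          ParentProcessId, PatternDispositionDescription, FalconHostLink
| order by MaxSeverity desc, DetectionsForHash desc, TimeGenerated desc
```

Because this table is a Basic log, long-lookback or cross-table queries may be limited by Basic log query restrictions; keep the window short or run it over a Sentinel analytics rule schedule.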