The CrowdStrikeDetections table contains logs from the CrowdStrike Detections API that have been ingested into Microsoft Sentinel.
Table attributes

| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | Security |
| Solutions | SecurityInsights |
| Basic log | Yes |
| Ingestion-time transformation | No |
| Sample Queries | - |
Columns

| Column | Type | Description |
|---|---|---|
| AdversaryIds | dynamic | List of identified adversary IDs associated with the detection. |
| AssignedToName | string | Name of the user assigned to handle the detection. |
| AssignedToUid | string | User ID of the assigned user. |
| Behaviors | dynamic | List of suspicious behaviors identified in the detection. |
| BehaviorsProcessed | dynamic | List of processed and analyzed behaviors from the detection. |
| _BilledSize | real | The record size in bytes. |
| Cid | string | Customer ID in the CrowdStrike platform. |
| CreatedTimestamp | datetime | Timestamp when the detection was first created. |
| DateUpdated | string | Date when the detection was last updated. |
| DetectionId | string | Unique identifier for the detection. |
| Device | dynamic | Information about the device where the detection occurred. |
| EmailSent | bool | Indicates if an email notification was sent for this detection. |
| FirstBehaviorTime | datetime | Timestamp of the first suspicious behavior detected. |
| HostInfo | dynamic | Detailed information about the host system where the detection occurred. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| LastBehavior | datetime | Timestamp of the most recent suspicious behavior detected. |
| MaxConfidence | int | Highest confidence score assigned to any behavior in the detection. |
| MaxSeverity | int | Highest severity level assigned to any behavior in the detection. |
| MaxSeverityDisplayName | string | Text representation of the highest severity level. |
| OverwatchNotes | string | Notes added by the CrowdStrike Overwatch team regarding the detection. |
| QuarantinedFiles | dynamic | List of files that were quarantined as part of the detection. |
| SecondsToResolved | int | Time in seconds from detection creation to resolution. |
| SecondsToTriaged | int | Time in seconds from detection creation to triage. |
| ShowInUi | bool | Indicates if the detection should be displayed in the user interface. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| Status | string | Current status of the detection. |
| TenantId | string | The Log Analytics workspace ID. |
| TimeGenerated | datetime | The timestamp (UTC) when the detection event was ingested. |
| Type | string | The name of the table. |