Reference for CrowdStrikeDetections table in Azure Monitor Logs.
| Attribute | Value |
|---|---|
| Category | Crowdstrike |
| Basic Logs Eligible | Yes |
| Supports Transformations | Yes |
| Ingestion API Supported | ✓ Yes |
Source: Azure Monitor documentation
| Column Name | Type | Description |
|---|---|---|
| _BilledSize | real | The record size in bytes |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. |
| AddedPrivileges | dynamic | Privileges added during the detection process. |
| AdversaryIds | dynamic | List of adversary IDs associated with the detection. |
| AgentScanId | string | Identifier for the agent scan that detected this threat. |
| AggregateId | string | Aggregate ID associated with the detection. |
| AllegedFiletype | string | The suspected file type of the malicious file. |
| AssignedToName | string | Name of the user assigned to investigate the detection. |
| AssignedToUid | string | User ID of the assigned investigator. |
| AssignedToUuid | string | UUID of the assigned investigator. |
| Behaviors | dynamic | List of behaviors detected that contributed to this detection. |
| BehaviorsProcessed | dynamic | List of behaviors that have been processed and analyzed. |
| ChildProcessIds | dynamic | List of child process IDs spawned by the detected process. |
| Cid | string | Customer ID in the CrowdStrike platform. |
| CloudIndicator | bool | Indicates if the detection involves cloud-based indicators. |
| Cmdline | string | Command line used to execute the detected process. |
| CompositeId | string | Composite identifier combining multiple detection attributes. |
| Confidence | int | Confidence score of the detection (0-100). |
| CrawledTimestamp | datetime | Timestamp when the detection data was last crawled. |
| CreatedTimestamp | datetime | Timestamp when the detection was first created. |
| DateUpdated | string | Date when the detection record was last updated. |
| Description | string | Description of the detection. |
| DetectionContext | dynamic | Additional context information about the detection. |
| DetectionId | string | Unique identifier for the detection. |
| DetectionType | string | Type or category of the detection. |
| Device | dynamic | Information about the device where the detection occurred. |
| EmailSent | bool | Indicates if an email notification was sent for this detection. |
| EndTime | datetime | Timestamp when the detection ended. |
| Entities | dynamic | Entities associated with the detection. |
| EntityValues | dynamic | Values of the entities associated with the detection. |
| FalconHostLink | string | Link to the detection details in the CrowdStrike Falcon console. |
| Filename | string | Name of the file associated with the detection. |
| Filepath | string | Full path to the file associated with the detection. |
| FirstBehavior | datetime | Timestamp of the first behavior in the detection sequence. |
| GlobalPrevalence | string | Global prevalence rating of the detected file. |
| GrandparentDetails | dynamic | Details about the grandparent process in the process tree. |
| HostInfo | dynamic | Information about the host where the detection occurred. |
| Id | string | Unique identifier for the detection. |
| Incident | dynamic | Associated incident information if the detection is part of an incident. |
| IndicatorId | string | Identifier for the indicator of compromise (IOC) that triggered the detection. |
| IocContext | dynamic | Context information about the indicator of compromise. |
| LastBehavior | datetime | Timestamp of the most recent behavior in the detection. |
| LocalPrevalence | string | Local prevalence rating of the detected file within the organization. |
| LocalProcessId | string | Local process ID on the system where the detection occurred. |
| LogonDomain | string | Domain used for user logon associated with the detection. |
| MaxConfidence | int | Maximum confidence score across all behaviors in the detection. |
| MaxSeverity | int | Maximum severity level across all behaviors in the detection. |
| MaxSeverityDisplayName | string | Text representation of the maximum severity level. |
| Md5 | string | MD5 hash of the detected file. |
| MitreAttack | dynamic | MITRE ATT&CK tactics and techniques associated with the detection. |
| NetworkAccesses | dynamic | List of network connections made by the detected process. |
| Objective | string | Objective associated with the detection. |
| OsName | string | Operating system name where the detection occurred. |
| OverwatchNotes | string | Notes added by CrowdStrike Overwatch analysts. |
| ParentDetails | dynamic | Details about the parent process in the process tree. |
| ParentProcessId | string | Process ID of the parent process. |
| PatternDisposition | int | Numerical identifier for the action taken by the detection pattern. |
| PatternDispositionDescription | string | Text description of the pattern disposition action. |
| PatternDispositionDetails | dynamic | Detailed information about the pattern disposition. |
| PolyId | string | Poly ID associated with the detection. |
| PreviousPrivileges | string | Privileges previously held before the detection process. |
| Privileges | string | Current privileges associated with the detection. |
| ProcessEndTime | string | Timestamp when the detected process ended. |
| ProcessId | string | Process ID of the detected process. |
| ProcessStartTime | string | Timestamp when the detected process started. |
| Quarantined | bool | Indicates if the detected file was quarantined. |
| QuarantinedFiles | dynamic | List of files that were quarantined as part of this detection. |
| References | dynamic | References associated with the detection. |
| ScanId | string | Identifier for the scan that detected the threat. |
| Scenario | string | Scenario associated with the detection. |
| SecondsToResolved | int | Time in seconds from detection creation to resolution. |
| SecondsToTriaged | int | Time in seconds from detection creation to triage. |
| Severity | int | Severity level of the detection. |
| SeverityName | string | Name of the severity level associated with the detection. |
| Sha1 | string | SHA1 hash of the detected file. |
| Sha256 | string | SHA256 hash of the detected file. |
| ShowInUi | bool | Indicates if the detection should be displayed in the user interface. |
| SourceAccountDomain | string | Source account domain associated with the detection. |
| SourceAccountName | string | Source account name associated with the detection. |
| SourceAccountObjectGuid | string | Source account object GUID associated with the detection. |
| SourceAccountObjectSid | string | Source account object SID associated with the detection. |
| SourceAccountSamAccountName | string | Source account SAM account name associated with the detection. |
| SourceAccountUpn | string | Source account UPN associated with the detection. |
| SourceEventModel | string | Source event model associated with the detection. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for the Windows agent (either direct connect or Operations Manager), Linux for all Linux agents, or Azure for Azure Diagnostics. |
| Status | string | Current status of the detection (e.g., new, in_progress, resolved). |
| Tactic | string | Tactic associated with the detection. |
| TacticId | string | ID of the tactic associated with the detection. |
| TacticIds | dynamic | IDs of the tactics associated with the detection. |
| Tactics | dynamic | Tactics associated with the detection. |
| Technique | string | Technique associated with the detection. |
| TechniqueId | string | ID of the technique associated with the detection. |
| TechniqueIds | dynamic | IDs of the techniques associated with the detection. |
| Techniques | dynamic | Techniques associated with the detection. |
| TemplateInstanceId | int | Instance ID of the detection template used. |
| TemplateInterfaceId | int | Interface ID of the detection template. |
| TemplateInterfaceName | string | Name of the detection template interface. |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The timestamp (UTC) when the detection was ingested. |
| TreeId | string | Identifier for the process tree associated with the detection. |
| TreeRoot | string | Root process identifier of the process tree. |
| TriggeringProcessGraphId | string | Graph ID of the process that triggered the detection. |
| Type | string | The name of the table |
| UpdatedTimestamp | datetime | Timestamp when the detection was last updated. |
| UserId | string | User ID associated with the detected process. |
| UserName | string | Username associated with the detected process. |
| UserPrincipal | string | User principal name (UPN) associated with the detected process. |
| XdrDetectionId | string | XDR detection ID associated with the detection. |
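As an added example (not part of the Azure Monitor reference page, nor code from the CrowdStrike connector), the following KQL query shows how the columns above fit together in a triage workflow: it surfaces open, high-severity detections that the sensor did not quarantine, groups them per host, and flags those nobody has triaged within a hypothetical SLA. The page does not state the value sets of Status and MaxSeverityDisplayName, nor the key names inside the Device, HostInfo and ParentDetails objects, so those are assumptions marked in the comments; the triage target and the "reopened" status are illustrative choices.

```kusto
// Added example, not from the Azure Monitor reference or the CrowdStrike connector.
// Assumptions (the page does not state them; adjust to your tenant):
//   * Status uses the values quoted in the Status row ("new", "in_progress", "resolved");
//     "reopened" is an added guess and can be removed.
//   * MaxSeverityDisplayName includes the values "High" and "Critical".
//   * Device / HostInfo carry a "hostname" key and ParentDetails a "filename" key.
//   * An untriaged detection has SecondsToTriaged null or 0.
let lookback      = 14d;                                   // hunting window
let open_statuses = dynamic(["new", "in_progress", "reopened"]);
let triage_target = 4h;                                    // hypothetical SLA for first triage
CrowdStrikeDetections
| where TimeGenerated > ago(lookback)
| where Status in~ (open_statuses)
| where MaxSeverityDisplayName in~ ("High", "Critical")
// Detected but not contained: the sensor saw it, nobody (and nothing) stopped it yet.
| where Quarantined == false
| extend Hostname    = coalesce(tostring(Device.hostname), tostring(HostInfo.hostname), "unknown")
| extend ParentImage = tostring(ParentDetails.filename)   // assumed key, see header comment
// A detection is overdue when it has no triage time and is older than the SLA.
| extend TriageOverdue = (isnull(SecondsToTriaged) or SecondsToTriaged == 0)
                         and CreatedTimestamp < ago(triage_target)
// Evidence an analyst wants per host: what ran, under which user, which ATT&CK techniques,
// and the console links to pivot into Falcon.
| summarize
    OpenDetections = dcount(DetectionId),
    FirstActivity  = min(FirstBehavior),
    LastActivity   = max(LastBehavior),
    Overdue        = countif(TriageOverdue),
    Techniques     = make_set(strcat(TechniqueId, " ", Technique), 25),
    ParentImages   = make_set(ParentImage, 10),
    Commands       = make_set(Cmdline, 10),
    Hashes         = make_set(Sha256, 10),
    Users          = make_set(UserName, 10),
    Dispositions   = make_set(PatternDispositionDescription, 10),
    FalconLinks    = make_set(FalconHostLink, 10)
    by Hostname, Cid
| extend OverdueRatio = round(todouble(Overdue) / OpenDetections, 2)
| order by Overdue desc, OpenDetections desc
```

Run it from the Logs blade of the workspace (or as a scheduled analytics rule with the `summarize` removed and a per-detection `project` instead). Filtering on `Quarantined == false` before `PatternDispositionDescription` is deliberate: the disposition text tells you what the sensor intended, while the boolean tells you what actually happened to the file, and the gap between them is where manual containment is still needed.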
This table is used by the following solutions:
This table is ingested by the following connectors:
| Connector | Selection Criteria |
|---|---|
| CrowdStrike API Data Connector (via Codeless Connector Framework) | |