| Column | Description | Type |
|---|---|---|
| _BilledSize | | Double |
| _IsBillable | | String |
| AddedPrivileges | Privileges added during the detection process. | Object |
| AdversaryIds | List of adversary IDs associated with the detection. | Object |
| AgentScanId | Identifier for the agent scan that detected this threat. | String |
| AggregateId | Aggregate ID associated with the detection. | String |
| AllegedFiletype | The suspected file type of the malicious file. | String |
| AssignedToName | Name of the user assigned to investigate the detection. | String |
| AssignedToUid | User ID of the assigned investigator. | String |
| AssignedToUuid | UUID of the assigned investigator. | String |
| Behaviors | List of behaviors detected that contributed to this detection. | Object |
| BehaviorsProcessed | List of behaviors that have been processed and analyzed. | Object |
| ChildProcessIds | List of child process IDs spawned by the detected process. | Object |
| Cid | Customer ID in the CrowdStrike platform. | String |
| CloudIndicator | Indicates if the detection involves cloud-based indicators. | Boolean |
| Cmdline | Command line used to execute the detected process. | String |
| CompositeId | Composite identifier combining multiple detection attributes. | String |
| Confidence | Confidence score of the detection (0-100). | Int32 |
| CrawledTimestamp | Timestamp when the detection data was last crawled. | DateTime |
| CreatedTimestamp | Timestamp when the detection was first created. | DateTime |
| DateUpdated | Date when the detection record was last updated. | String |
| Description | Description of the detection. | String |
| DetectionContext | Additional context information about the detection. | Object |
| DetectionId | Unique identifier for the detection. | String |
| DetectionType | Type or category of the detection. | String |
| Device | Information about the device where the detection occurred. | Object |
| EmailSent | Indicates if an email notification was sent for this detection. | Boolean |
| EndTime | Timestamp when the detection ended. | DateTime |
| Entities | Entities associated with the detection. | Object |
| EntityValues | Values of the entities associated with the detection. | Object |
| FalconHostLink | Link to the detection details in the CrowdStrike Falcon console. | String |
| Filename | Name of the file associated with the detection. | String |
| Filepath | Full path to the file associated with the detection. | String |
| FirstBehavior | Timestamp of the first behavior in the detection sequence. | DateTime |
| GlobalPrevalence | Global prevalence rating of the detected file. | String |
| GrandparentDetails | Details about the grandparent process in the process tree. | Object |
| HostInfo | Information about the host where the detection occurred. | Object |
| Id | Unique identifier for the detection. | String |
| Incident | Associated incident information if the detection is part of an incident. | Object |
| IndicatorId | Identifier for the indicator of compromise (IOC) that triggered the detection. | String |
| IocContext | Context information about the indicator of compromise. | Object |
| LastBehavior | Timestamp of the most recent behavior in the detection. | DateTime |
| LocalPrevalence | Local prevalence rating of the detected file within the organization. | String |
| LocalProcessId | Local process ID on the system where the detection occurred. | String |
| LogonDomain | Domain used for user logon associated with the detection. | String |
| MaxConfidence | Maximum confidence score across all behaviors in the detection. | Int32 |
| MaxSeverity | Maximum severity level across all behaviors in the detection. | Int32 |
| MaxSeverityDisplayName | Text representation of the maximum severity level. | String |
| Md5 | MD5 hash of the detected file. | String |
| MitreAttack | MITRE ATT&CK tactics and techniques associated with the detection. | Object |
| Name | Name of the detection. | String |
| NetworkAccesses | List of network connections made by the detected process. | Object |
| Objective | Objective associated with the detection. | String |
| OsName | Operating system name where the detection occurred. | String |
| OverwatchNotes | Notes added by CrowdStrike Overwatch analysts. | String |
| ParentDetails | Details about the parent process in the process tree. | Object |
| ParentProcessId | Process ID of the parent process. | String |
| PatternDisposition | Numerical identifier for the action taken by the detection pattern. | Int32 |
| PatternDispositionDescription | Text description of the pattern disposition action. | String |
| PatternDispositionDetails | Detailed information about the pattern disposition. | Object |
| PolyId | Poly ID associated with the detection. | String |
| PreviousPrivileges | Privileges previously held before the detection process. | String |
| Privileges | Current privileges associated with the detection. | String |
| ProcessEndTime | Timestamp when the detected process ended. | String |
| ProcessId | Process ID of the detected process. | String |
| ProcessStartTime | Timestamp when the detected process started. | String |
| Quarantined | Indicates if the detected file was quarantined. | Boolean |
| QuarantinedFiles | List of files that were quarantined as part of this detection. | Object |
| References | References associated with the detection. | Object |
| ScanId | Identifier for the scan that detected the threat. | String |
| Scenario | Scenario associated with the detection. | String |
| SecondsToResolved | Time in seconds from detection creation to resolution. | Int32 |
| SecondsToTriaged | Time in seconds from detection creation to triage. | Int32 |
| Severity | Severity level of the detection. | Int32 |
| SeverityName | Name of the severity level associated with the detection. | String |
| Sha1 | SHA1 hash of the detected file. | String |
| Sha256 | SHA256 hash of the detected file. | String |
| ShowInUi | Indicates if the detection should be displayed in the user interface. | Boolean |
| SourceAccountDomain | Source account domain associated with the detection. | String |
| SourceAccountName | Source account name associated with the detection. | String |
| SourceAccountObjectGuid | Source account object GUID associated with the detection. | String |
| SourceAccountObjectSid | Source account object SID associated with the detection. | String |
| SourceAccountSamAccountName | Source account SAM account name associated with the detection. | String |
| SourceAccountUpn | Source account UPN associated with the detection. | String |
| SourceEventModel | Source event model associated with the detection. | String |
| SourceSystem | | String |
| Status | Current status of the detection (e.g., new, in_progress, resolved). | String |
| Tactic | Tactic associated with the detection. | String |
| TacticId | ID of the tactic associated with the detection. | String |
| TacticIds | IDs of the tactics associated with the detection. | Object |
| Tactics | Tactics associated with the detection. | Object |
| Technique | Technique associated with the detection. | String |
| TechniqueId | ID of the technique associated with the detection. | String |
| TechniqueIds | IDs of the techniques associated with the detection. | Object |
| Techniques | Techniques associated with the detection. | Object |
| TemplateInstanceId | Instance ID of the detection template used. | Int32 |
| TemplateInterfaceId | Interface ID of the detection template. | Int32 |
| TemplateInterfaceName | Name of the detection template interface. | String |
| TenantId | Unique identifier of the tenant into which the data connector ingests data. | String |
| TimeGenerated | The timestamp (UTC) when the detection was ingested. | DateTime |
| TreeId | Identifier for the process tree associated with the detection. | String |
| TreeRoot | Root process identifier of the process tree. | String |
| TriggeringProcessGraphId | Graph ID of the process that triggered the detection. | String |
| Type | The name of the table. | String |
| UpdatedTimestamp | Timestamp when the detection was last updated. | DateTime |
| UserId | User ID associated with the detected process. | String |
| UserName | Username associated with the detected process. | String |
| UserPrincipal | User principal name (UPN) associated with the detected process. | String |
| XdrDetectionId | XDR detection ID associated with the detection. | String |