| Column | Description | Type |
|---|---|---|
| _BilledSize | The record size in bytes. | Double |
| _IsBillable | Specifies whether ingesting the data is billable. When _IsBillable is false, ingestion isn't billed to your Azure account. | String |
| AdversaryIds | List of adversary IDs associated with the detection. | Object |
| AgentScanId | Identifier for the agent scan that detected this threat. | String |
| AllegedFiletype | The suspected file type of the malicious file. | String |
| AssignedToName | Name of the user assigned to investigate the detection. | String |
| AssignedToUid | User ID of the assigned investigator. | String |
| AssignedToUuid | UUID of the assigned investigator. | String |
| Behaviors | List of behaviors detected that contributed to this detection. | Object |
| BehaviorsProcessed | List of behaviors that have been processed and analyzed. | Object |
| ChildProcessIds | List of child process IDs spawned by the detected process. | Object |
| Cid | Customer ID in the CrowdStrike platform. | String |
| CloudIndicator | Indicates whether the detection involves cloud-based indicators. | Boolean |
| Cmdline | Command line used to execute the detected process. | String |
| CompositeId | Composite identifier combining multiple detection attributes. | String |
| Confidence | Confidence score of the detection (0-100). | Int32 |
| CrawledTimestamp | Timestamp when the detection data was last crawled. | DateTime |
| CreatedTimestamp | Timestamp when the detection was first created. | DateTime |
| DateUpdated | Date when the detection record was last updated. | String |
| DetectionContext | Additional context information about the detection. | Object |
| DetectionId | Unique identifier for the detection. | String |
| DetectionType | Type or category of the detection. | String |
| Device | Information about the device where the detection occurred. | Object |
| EmailSent | Indicates whether an email notification was sent for this detection. | Boolean |
| FalconHostLink | Link to the detection details in the CrowdStrike Falcon console. | String |
| Filename | Name of the file associated with the detection. | String |
| Filepath | Full path to the file associated with the detection. | String |
| FirstBehavior | Timestamp of the first behavior in the detection sequence. | DateTime |
| GlobalPrevalence | Global prevalence rating of the detected file. | String |
| GrandparentDetails | Details about the grandparent process in the process tree. | Object |
| HostInfo | Information about the host where the detection occurred. | Object |
| Incident | Associated incident information if the detection is part of an incident. | Object |
| IndicatorId | Identifier for the indicator of compromise (IOC) that triggered the detection. | String |
| IocContext | Context information about the indicator of compromise. | Object |
| LastBehavior | Timestamp of the most recent behavior in the detection. | DateTime |
| LocalPrevalence | Local prevalence rating of the detected file within the organization. | String |
| LocalProcessId | Local process ID on the system where the detection occurred. | String |
| LogonDomain | Domain used for the user logon associated with the detection. | String |
| MaxConfidence | Maximum confidence score across all behaviors in the detection. | Int32 |
| MaxSeverity | Maximum severity level across all behaviors in the detection. | Int32 |
| MaxSeverityDisplayName | Text representation of the maximum severity level. | String |
| Md5 | MD5 hash of the detected file. | String |
| NetworkAccesses | List of network connections made by the detected process. | Object |
| OsName | Name of the operating system on which the detection occurred. | String |
| OverwatchNotes | Notes added by CrowdStrike OverWatch analysts. | String |
| ParentDetails | Details about the parent process in the process tree. | Object |
| ParentProcessId | Process ID of the parent process. | String |
| PatternDisposition | Numerical identifier for the action taken by the detection pattern. | Int32 |
| PatternDispositionDescription | Text description of the pattern disposition action. | String |
| PatternDispositionDetails | Detailed information about the pattern disposition. | Object |
| ProcessEndTime | Timestamp when the detected process ended. | String |
| ProcessId | Process ID of the detected process. | String |
| ProcessStartTime | Timestamp when the detected process started. | String |
| Quarantined | Indicates whether the detected file was quarantined. | Boolean |
| QuarantinedFiles | List of files that were quarantined as part of this detection. | Object |
| ScanId | Identifier for the scan that detected the threat. | String |
| SecondsToResolved | Time in seconds from detection creation to resolution. | Int32 |
| SecondsToTriaged | Time in seconds from detection creation to triage. | Int32 |
| Sha1 | SHA1 hash of the detected file. | String |
| Sha256 | SHA256 hash of the detected file. | String |
| ShowInUi | Indicates whether the detection should be displayed in the user interface. | Boolean |
| SourceSystem | The type of agent the event was collected by. For example, OpsManager for the Windows agent, Linux for all Linux agents, or Azure for Azure Diagnostics. | String |
| Status | Current status of the detection (e.g., new, in_progress, resolved). | String |
| TemplateInstanceId | Instance ID of the detection template used. | Int32 |
| TemplateInterfaceId | Interface ID of the detection template. | Int32 |
| TemplateInterfaceName | Name of the detection template interface. | String |
| TenantId | Unique identifier of the tenant into which the data connector ingests data. | String |
| TimeGenerated | The timestamp (UTC) when the detection was ingested. | DateTime |
| TreeId | Identifier for the process tree associated with the detection. | String |
| TreeRoot | Root process identifier of the process tree. | String |
| TriggeringProcessGraphId | Graph ID of the process that triggered the detection. | String |
| Type | The name of the table. | String |
| UpdatedTimestamp | Timestamp when the detection was last updated. | DateTime |
| UserId | User ID associated with the detected process. | String |
| UserName | Username associated with the detected process. | String |
| UserPrincipal | User principal name (UPN) associated with the detected process. | String |