# Table: crowdstrike_detection - Query CrowdStrike Detections using SQL
CrowdStrike Detections is a feature within the CrowdStrike Falcon platform that identifies potential threats and incidents. It uses advanced AI and indicator-of-compromise (IOC) sweeps to detect malicious activities and behaviors. CrowdStrike Detections provide detailed information about the threat, including the threat family, tactics, techniques, and procedures (TTPs), allowing for a comprehensive understanding of the threat landscape.
## Table Usage Guide

The `crowdstrike_detection` table provides insights into threat detections within the CrowdStrike Falcon platform. As a cybersecurity analyst, use this table to explore detailed information about detected threats, including their tactics, techniques, and procedures. Leverage it to gain a comprehensive understanding of the threat landscape, identify potential vulnerabilities, and enhance your organization's security posture.
## Examples

### Basic info
Explore which detections were made in your system, when they were identified, and the devices they originated from. This is particularly useful for understanding the security landscape of your network and identifying potential vulnerabilities.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection;
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection;
```
### List detections from the last 3 months
Explore recent security detections to understand potential vulnerabilities. This query is useful in identifying threats to your system over the past three months, helping to enhance your cybersecurity measures.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  created_timestamp > current_date - interval '3 months';
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection
where
  created_timestamp > date('now', '-3 month');
```
### List detections with a severity over a threshold
Explore which detections exceed a certain severity level to prioritize your security response. This is particularly useful in large systems where managing and responding to all detections may be overwhelming.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  max_severity > 50;
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection
where
  max_severity > 50;
```
### List detections in devices which belong to a network
Explore which detections are linked to devices within a specific network to manage security threats effectively. This is useful in identifying potential vulnerabilities or breaches within a particular network segment.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  device ->> 'external_ip' as external_ip,
  network((device ->> 'external_ip') :: inet) as network
from
  crowdstrike_detection
where
  network((device ->> 'external_ip') :: inet) = '119.18.0.0/28';
```

SQLite:

Error: SQLite does not support CIDR operations.
### List open detections
Identify instances where security threats remain unresolved. This query helps in monitoring and managing potential risks by pinpointing open detections in your system.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open';
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open';
```
### List open detections from the last 4 days

Identify open detections created in the past four days, which helps in surfacing recent security threats and ensuring a timely response to them.
PostgreSQL (the comparison is `<`, so only detections created within the last four days are returned):

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open'
  and now() - created_timestamp < interval '4 days';
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection
where
  status = 'open'
  and julianday('now') - julianday(created_timestamp) < 4;
```
### Get a specific detection
Explore specific security detections by identifying the corresponding device details and status. This is beneficial in scenarios where you need to understand the security status of a particular device and its operating system.
PostgreSQL:

```sql
select
  detection_id,
  created_timestamp,
  device ->> 'device_id' as device_id,
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  device ->> 'os_version' as os_version,
  status
from
  crowdstrike_detection
where
  detection_id = 'ldt:6f8d8xxxx5b44xxxxxxxxxxb04e0acfa:423017xxxxxxxxxx41';
```

SQLite:

```sql
select
  detection_id,
  created_timestamp,
  json_extract(device, '$.device_id') as device_id,
  json_extract(device, '$.hostname') as hostname,
  json_extract(device, '$.platform_name') as platform_name,
  json_extract(device, '$.os_version') as os_version,
  status
from
  crowdstrike_detection
where
  detection_id = 'ldt:6f8d8xxxx5b44xxxxxxxxxxb04e0acfa:423017xxxxxxxxxx41';
```
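The examples above filter one row at a time; the triage summary below, an added example that is not part of the plugin's documentation, rolls unresolved detections up per host so an analyst can see which machines to look at first. It uses only columns from the schema (PostgreSQL syntax) and assumes, per the status values listed there, that `new` and `in_progress` are the unresolved states.

```sql
-- Added example (not from the Steampipe docs): per-host triage view of
-- unresolved detections. Assumes 'new' and 'in_progress' are the
-- unresolved statuses, as listed in the schema below.
select
  device ->> 'hostname' as hostname,
  device ->> 'platform_name' as platform_name,
  count(*) as unresolved_detections,
  max(max_severity) as highest_severity,
  -- the display name of the most severe detection on this host
  max(max_severity_display_name) filter (where max_severity = (
    select max(d2.max_severity)
    from crowdstrike_detection d2
    where d2.device ->> 'hostname' = d.device ->> 'hostname'
      and d2.status in ('new', 'in_progress')
  )) as highest_severity_name,
  min(created_timestamp) as oldest_detection,
  -- only in_progress rows have seconds_to_triaged; avg() ignores nulls
  round(avg(seconds_to_triaged) / 3600.0, 1) as avg_hours_to_triage,
  count(*) filter (where status = 'new') as untriaged
from
  crowdstrike_detection d
where
  status in ('new', 'in_progress')
group by
  device ->> 'hostname',
  device ->> 'platform_name'
order by
  highest_severity desc,
  unresolved_detections desc;
```

Hosts with a high `highest_severity` and a non-zero `untriaged` count are the ones nobody has picked up yet.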
## Schema for crowdstrike_detection

| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | | Steampipe context in JSON form. |
| adversary_ids | jsonb | | If behaviors or indicators in a detection are attributed to an adversary that is tracked by CrowdStrike Falcon Intelligence, those adversaries will have an ID associated with them. These IDs are found in a detection's metadata, which can be viewed using the Detection Details API. |
| assigned_to_name | text | | The human-readable name of the user to whom the detection is currently assigned. |
| assigned_to_uid | text | | The UID of the user to whom the detection is currently assigned. |
| behaviors | jsonb | | Behavioral details of the detection. |
| behaviors_processed | jsonb | | The processed behaviors. |
| cid | text | | Your organization's customer ID (CID). |
| created_timestamp | timestamp with time zone | >, >=, =, <, <= | Timestamp when this detection was first created. |
| detection_id | text | = | The ID of the detection. This ID can be used in conjunction with other APIs, such as the Detection Details API or the Resolve Detection API. |
| device | jsonb | | The device where this was detected. |
| email_sent | boolean | | Whether email was sent when this was detected. |
| first_behavior | timestamp with time zone | >, >=, =, <, <= | When a detection has more than one associated behavior, this field captures the timestamp of the first behavior. |
| host_info | jsonb | | Information about the host where this was detected. |
| last_behavior | timestamp with time zone | >, >=, =, <, <= | When a detection has more than one associated behavior, this field captures the timestamp of the last behavior. |
| max_confidence | bigint | >, >=, =, <, <= | When a detection has more than one associated behavior with varying confidence levels, this field captures the highest confidence value of all behaviors. Value can be any integer between 1 and 100. |
| max_severity | bigint | >, >=, =, <, <= | When a detection has more than one associated behavior with varying severity levels, this field captures the highest severity value of all behaviors. Value can be any integer between 1 and 100. |
| max_severity_display_name | text | | The name used in the UI to show the severity of the detection. Values include Critical, High, Medium, and Low. |
| overwatch_notes | text | | Notes from Falcon OverWatch. |
| quarantined_files | jsonb | | Files that have been quarantined. |
| seconds_to_resolved | bigint | | Time (in seconds) that it took to move a detection from new to one of the resolved states (true_positive, false_positive, and ignored). |
| seconds_to_triaged | bigint | | Time (in seconds) that it took to move a detection from new to in_progress. |
| show_in_ui | boolean | | Whether this is shown in the user interface. |
| sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
| sp_ctx | jsonb | | Steampipe context in JSON form. |
| status | text | = | The current status of the detection. Values include new, in_progress, true_positive, false_positive, and ignored. |
| title | text | | Title of the resource. |
## Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the `steampipe_export_installer.sh` script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- crowdstrike
```

You can pass the configuration to the command with the `--config` argument:

```sh
steampipe_export_crowdstrike --config '<your_config>' crowdstrike_detection
```