DetectionSummaryEvent Data missing from Incident and Detection Monitoring APIs

[dkindlund]

When I compare the data available from the DetectionSummaryEvent within the Event Streaming API versus what's available from the Incident and Detection Monitoring APIs, there seems to be some pretty big gaps -- specifically:

• DnsRequests{}
• DocumentsAccessed{}
• ExecutablesWritten{}
• NetworkAccesses{}
• ScanResults{}

Where is this equivalent data located within the body.resources[] output from the Incident and Detection Monitoring APIs?

Do you have to query the Threat Graph APIs with the corresponding body.resources[].behaviors[].control_graph_id to somehow find this information...?

[jshcodes]

Hi @dkindlund -

These fields will be part of the Event Stream if they are in scope of the event and are called out in the event data dictionary. In all other scenarios these fields will not be present.

Let us know if you have any more questions! 😁

[dkindlund]

Thanks for the initial analysis — let me clarify what I’m talking about further with a practical example:

1. Let’s say a detection was generated on a Falcon sensor that matched an existing anti-virus signature. In that scenario, the DetectionSummaryEvent data would have the ScanResults{} section set, where the malware name would be listed in the ScanResults{}.ResultName value

2. Then, let’s assume enough time has elapsed where this record is no longer accessible in the Event Stream API (maybe longer than 60 days, perhaps?)

3. Now, we want to try to obtain this record from the Incident and Detection Monitoring APIs — where would we go to look for the equivalent ScanResults{}.ResultName value?

Does this make sense as to what I am asking? Please let me know if any of my assumptions are incorrect.

Thank you for your time!

[jshcodes]

I pulled this from the documentation -

Note that not all Detection Summary events will include all fields.

For example, if there is no network activity, then there won't be any of the NetworkAccesses fields. If there is no AV detection, then there won't be any of the ScanResults fields. It is possible to receive multiple detections with the same detection ID if multiple malicious behaviors were detected. Each additional behavior will generate a separate detection summary event with the same detection ID, and will have its own offset value.

Reading this, it looks like if you've not already stored the scan detail from Event Streams, and are querying for it from the Detections API, you might have to review multiple detection events (with the same detection ID) to find the fields you are after.

[dkindlund]

Perfect, thanks!