External alerts via API

Hi

I am using the /detection_engine/signals/search endpoint to grab detections, but this endpoint doesn't include external alerts (e.g. CrowdStrike). Is there an endpoint or other method to programmatically collect external alerts?

Cheers!

Hi @Derick_Jansen, thanks for the post!

External alerts are defined as log events that have the ECS field:value of event.kind:alert

These events have no SIEM/Security app detection rule metadata applied to them, so they are more like raw events.

Here are two possible options if you want to grab these external alert events:

  1. Use Elasticsearch APIs to access them directly in the indices into which they are ingested.
  2. Create and activate a simple detection engine rule to create a detection alert (aka signal) for each external alert that is received. For example, a custom query rule that uses event.module:crowdstrike AND event.kind:alert, and then continue to use the API endpoint you're using now.

Note, for option 2, when creating the detection rule, you can use the "rule name override" switch, so that an original alert name from Crowdstrike appears as the rule name in the signal document, like this:

Please let us know if this helps.

Also, I'd be interested to know what you're doing with the detection alerts once you pull them using the API?

Thanks!
Mike P.
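The two options from the reply above, written out as an added Python example (this is not code from the original thread, from Elastic, or from CrowdStrike). Option 1 builds and runs the Elasticsearch query for `event.kind:alert` documents; option 2 builds the body for a custom query rule, using the page's query `event.module:crowdstrike AND event.kind:alert`, and posts it to the Kibana detection engine rules API. The cluster and Kibana URLs, the index pattern, and the CrowdStrike field used for the rule name override (`crowdstrike.event.DetectName`) are assumptions; check them against your own deployment and field mappings. The sample documents are constructed for illustration.

```python
import json
import urllib.request

ES_URL = "https://localhost:9200"       # assumed; your Elasticsearch endpoint
KIBANA_URL = "https://localhost:5601"   # assumed; your Kibana endpoint
INDEX_PATTERN = "logs-*,filebeat-*"     # assumed; wherever the CrowdStrike events land

# Constructed sample documents: one CrowdStrike alert, one CrowdStrike event that
# is not an alert, and an alert from a different module.
SAMPLE_DOCS = [
    {"id": "cs-1", "event": {"kind": "alert", "module": "crowdstrike"},
     "crowdstrike": {"event": {"DetectName": "Credential Theft"}}},
    {"id": "cs-2", "event": {"kind": "event", "module": "crowdstrike"}},
    {"id": "other-1", "event": {"kind": "alert", "module": "suricata"}},
]


# ---- Option 1: read external alerts straight from the ingest indices ----
def external_alert_query(module=None, since="now-24h", size=500):
    """Elasticsearch query DSL selecting event.kind:alert documents, optionally
    narrowed to one event.module, within a time window."""
    filters = [
        {"term": {"event.kind": "alert"}},
        {"range": {"@timestamp": {"gte": since}}},
    ]
    if module:
        filters.append({"term": {"event.module": module}})
    return {
        "size": size,
        "sort": [{"@timestamp": "asc"}],
        "query": {"bool": {"filter": filters}},
    }


def select_external_alerts(docs, module=None):
    """Local mirror of the query's selection logic (time range ignored) so the
    criteria can be checked on sample documents without a cluster."""
    out = []
    for doc in docs:
        ev = doc.get("event", {})
        if ev.get("kind") == "alert" and (module is None or ev.get("module") == module):
            out.append(doc)
    return out


def fetch_external_alerts(api_key, module=None, since="now-24h"):
    """Run the query against Elasticsearch and return the matching _source docs.
    For more than a few thousand hits, page with search_after instead of size."""
    body = json.dumps(external_alert_query(module, since)).encode()
    req = urllib.request.Request(
        f"{ES_URL}/{INDEX_PATTERN}/_search", data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return [h["_source"] for h in json.load(resp)["hits"]["hits"]]


# ---- Option 2: promote each external alert to a detection signal ----
def crowdstrike_promotion_rule(name_field="crowdstrike.event.DetectName"):
    """Body for a custom query rule that fires once per CrowdStrike alert.
    rule_name_override makes the value of name_field (assumed field) appear as
    the rule name on each signal, as the reply describes."""
    return {
        "name": "CrowdStrike external alert promotion",
        "description": "Creates a signal for every CrowdStrike alert (event.kind:alert).",
        "type": "query",
        "language": "kuery",
        "query": "event.module:crowdstrike AND event.kind:alert",
        "index": INDEX_PATTERN.split(","),
        "risk_score": 50,
        "severity": "medium",
        "from": "now-6m",   # 1 minute overlap with the interval so nothing is missed
        "interval": "5m",
        "enabled": True,
        "rule_name_override": name_field,
    }


def create_rule(api_key, rule_body):
    """POST the rule to the Kibana detection engine rules API."""
    req = urllib.request.Request(
        f"{KIBANA_URL}/api/detection_engine/rules",
        data=json.dumps(rule_body).encode(), method="POST",
        headers={"Content-Type": "application/json", "kbn-xsrf": "true",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print([d["id"] for d in select_external_alerts(SAMPLE_DOCS, "crowdstrike")])
    print(json.dumps(crowdstrike_promotion_rule(), indent=2))
```

Once the rule is active, the signals it creates carry the usual rule metadata and show up in the /detection_engine/signals/search endpoint already in use, so the existing collector needs no change; the signal's own fields still include the original CrowdStrike document.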
