
ATP 3.2 Events show the correct MITRE attack information, but Events pulled through the API do not


Article ID: 173220


Updated On:

Products

Endpoint Detection and Response, Advanced Threat Protection Platform

Issue/Introduction

When you pull events through the ATP REST API and the Splunk integration, you do not see the same MITRE attack information that is shown on events in the ATP Event search.

Resolution

This issue is resolved in SEDR 4.0. Event data pulled through the API will show MITRE attack data in the fields "event_actor.signature_level_id", "attacks", "attacks.tactic_ids", "attacks.technique_uid", and "attacks.technique_name".
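One way to confirm that events pulled through the API carry the fields listed above, before relying on them in Splunk searches. This is an added example, not code from this article or the product; the event shape (nested objects, `attacks` as a list of objects) and the sample events are assumptions constructed for illustration.

```python
import json

# Field paths named in the Resolution section of this article.
MITRE_FIELDS = [
    "event_actor.signature_level_id",
    "attacks",
    "attacks.tactic_ids",
    "attacks.technique_uid",
    "attacks.technique_name",
]

def resolve(node, path):
    """Return every non-empty value found at a dotted path, descending through lists."""
    if not path:
        return [] if node in (None, "", [], {}) else [node]
    if isinstance(node, list):
        return [v for item in node for v in resolve(item, path)]
    if isinstance(node, dict) and path[0] in node:
        return resolve(node[path[0]], path[1:])
    return []

def missing_mitre_fields(event):
    """List the MITRE field paths that are absent or empty in one event."""
    return [f for f in MITRE_FIELDS if not resolve(event, f.split("."))]

def audit(events):
    """Map event index -> missing fields, only for events lacking some MITRE field."""
    report = {}
    for i, event in enumerate(events):
        missing = missing_mitre_fields(event)
        if missing:
            report[i] = missing
    return report

# Constructed sample events (assumed shape, not real API output).
SAMPLE_EVENTS = json.loads("""
[
  {"event_actor": {"signature_level_id": 3},
   "attacks": [{"tactic_ids": [2], "technique_uid": "T1059",
                "technique_name": "Command and Scripting Interpreter"}]},
  {"message": "constructed event without MITRE data"},
  {"event_actor": {"signature_level_id": 1},
   "attacks": [{"technique_uid": "T1059"}]}
]
""")

if __name__ == "__main__":
    for index, missing in audit(SAMPLE_EVENTS).items():
        print(f"event {index}: missing {', '.join(missing)}")
```

Events that appear in the report after the upgrade are the ones to compare against the same event in the ATP Event search.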