search cancel

ATP 3.2 Events show the correct MITRE attack information, but Events pulled through the API do not

book

Article ID: 173220

calendar_today

Updated On:

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

When using the ATP REST API, and Splunk Integration, you do not see the same information as is shown on Events in the ATP Event search.

Resolution

This issue is resolved in SEDR 4.0. Event data pulled through the API will show MITRE attack data in the fields "event_actor.signature_level_id", "attacks", "attacks.tactic_ids", "attacks.technique_uid", and "attacks.technique_name".