Join by field not working with JSON from URL API - Infinity Datasource

Hi @yosiasz,

Thanks for your response.
Basically, I get the list of detection IDs from the first query, and with the second query I get the details of each detection ID. The capability to filter by detection_id is a desired option, yes.

At the end, I managed to get this working by using a variable to get all the detection IDs:


And using it in the query to get the details:

Using the UQL parser, because it was simpler to do the parsing, and at this moment I don’t need alerts:

parse-json
| project "resources"
parse-json
| extend "customer"=strcat('TEST'), "technology"=strcat('EDR - CRW'), "status"=toupper("status"), "assigned_to_name"=toupper("assigned_to_name"), "date_updated"=todatetime("date_updated"), "hostname"="device.hostname", "local_ip"="device.local_ip", "external_ip"="device.external_ip", "tactic"="behaviors[0].tactic", "technique"="behaviors[0].technique", "user_name"="behaviors[0].user_name", "id_new"=split("detection_id",':'), "url"=strcat('https://falcon.crowdstrike.com/activity/detections/detail/',"id_new[1]",'/',"id_new[2]"), "detection_id"=strcat('https://grafana.appliance/d/3oU4r7BVk?orgId=1&var-detection_id=',"detection_id")

The final result is this (I’m not showing the detection_id that I’m using as a variable to create the list):

It’s not clear to me now if I can join additional queries using variables, because now I’m doing an iteration over all detection ID values with the second query. Additionally, it’s not clear to me if I’m doing one API query with all the IDs, or one for each ID.

I’m still trying to get this information in a better way with Grafana (for example using the Backend parser, so I can use alerting in the future).

Thanks.

Regards!