Has anyone else encountered the same issue?
Hi @ar3diu
As far as I know, the OnDemand Scan detections are not available through the CrowdStrike Detections and Incidents API.
I've raised an issue in the past with Crowdstrike over ODS events, and they linked to this article - https://supportportal.crowdstrike.com/s/article/I-am-not-seeing-detections-from-on-demand-scans-ODS-...
To ingest these OnDemand scans, you'll either need to ingest the Streaming API events directly through the API or use CrowdStrike's SIEM connector.
The DetectionSummaryEvent subtype you want to target is
You can also see ODS scan events come through with the EppDetectionSummary event that has the `type: ods`
Example:
```json
{
  "metadata": {
    "customerIDString": "string",
    "offset": 261252,
    "eventType": "EppDetectionSummaryEvent",
    "eventCreationTime": 1721173055000,
    "version": "1.0"
  },
  "event": {
    "Hostname": "string",
    "Name": "OnDemandScanMLFileAnalysisHigh",
    "Severity": 70,
    "FileName": "string",
    "FilePath": "string",
    "SHA256String": "string",
    "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/strings",
    "AgentId": "string",
    "CompositeId": "string",
    "LocalIP": "string",
    "MACAddress": "string",
    "Tactic": "Machine Learning",
    "Technique": "Sensor-based ML",
    "Objective": "Falcon Detection Method",
    "HostGroups": "string",
    "SourceVendors": "CrowdStrike",
    "SourceProducts": "Falcon Insight",
    "DataDomains": "Endpoint",
    "Type": "ods",
    "LocalIPv6": ""
  }
}
```
I'm not sure you'll be able to create a custom action to poll, since the Streaming API utilizes a long-lived GET request that will continually stream messages until it times out, e.g. 30m by default.
Might need to ingest from the SIEM side using a custom service for Streaming API, or utilize the SIEM connector to forward to Bindplane or Chronicle Forwarder.
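The filtering step a custom Streaming API consumer would need, as an added example that is not code from this thread, from CrowdStrike, or from any SIEM connector: it reads newline-delimited JSON records shaped like the sample above, keeps only `EppDetectionSummaryEvent` records whose `Type` is `ods`, normalises the fields a SOAR would key on, and tracks the highest `metadata.offset` seen so the consumer can record where to resume after the long-lived GET times out. The sample records, host names, hashes and the helper names `parse_stream`, `is_ods_detection`, `normalise` and `select_ods_detections` are all constructed for the example.

```python
"""Filter CrowdStrike Streaming API records down to On-Demand Scan (ODS)
detections and normalise them for SIEM/SOAR ingest.

Added example, not code from the thread or from CrowdStrike. It assumes the
stream delivers one JSON document per line in the shape shown in the thread.
All sample records below are constructed, not captured output.
"""
import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample stream: one ordinary detection, one ODS detection, one
# EppDetectionSummaryEvent of another type, a blank keep-alive line and a
# truncated line (a resumed stream can start mid-record).
SAMPLE_STREAM: List[str] = [
    json.dumps({
        "metadata": {"offset": 261251, "eventType": "DetectionSummaryEvent",
                     "eventCreationTime": 1721173000000},
        "event": {"ComputerName": "host-a", "DetectName": "Suspicious Activity",
                  "Severity": 50},
    }),
    json.dumps({
        "metadata": {"customerIDString": "cid-constructed", "offset": 261252,
                     "eventType": "EppDetectionSummaryEvent",
                     "eventCreationTime": 1721173055000, "version": "1.0"},
        "event": {"Hostname": "host-b", "Name": "OnDemandScanMLFileAnalysisHigh",
                  "Severity": 70, "FileName": "sample.bin",
                  "FilePath": "C:\\Users\\alice\\Downloads\\sample.bin",
                  "SHA256String": "0" * 64,  # placeholder hash
                  "FalconHostLink": "https://falcon.example.invalid/activity-v2/detections/constructed",
                  "AgentId": "aid-constructed", "CompositeId": "composite-constructed",
                  "Tactic": "Machine Learning", "Technique": "Sensor-based ML",
                  "Type": "ods"},
    }),
    json.dumps({
        "metadata": {"offset": 261253, "eventType": "EppDetectionSummaryEvent",
                     "eventCreationTime": 1721173060000},
        "event": {"Hostname": "host-c", "Name": "OtherDetection", "Severity": 30,
                  "Type": "ldt"},
    }),
    "",
    '{"metadata": {"offset": 2612',
]


def parse_stream(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield well-formed records; skip blanks and undecodable/partial lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("metadata"), dict) \
                and isinstance(rec.get("event"), dict):
            yield rec


def is_ods_detection(rec: Dict) -> bool:
    """An ODS hit is an EppDetectionSummaryEvent whose event Type is 'ods'."""
    return (rec["metadata"].get("eventType") == "EppDetectionSummaryEvent"
            and rec["event"].get("Type") == "ods")


def normalise(rec: Dict) -> Dict:
    """Pick the fields a SOAR needs to triage and later close the alert."""
    ev, md = rec["event"], rec["metadata"]
    return {
        "offset": md.get("offset"),
        "created_ms": md.get("eventCreationTime"),
        "host": ev.get("Hostname"),
        "agent_id": ev.get("AgentId"),
        "composite_id": ev.get("CompositeId"),
        "name": ev.get("Name"),
        "severity": ev.get("Severity"),
        "file_path": ev.get("FilePath"),
        "sha256": ev.get("SHA256String"),
        "console_link": ev.get("FalconHostLink"),
    }


def select_ods_detections(lines: Iterable[str]) -> Tuple[List[Dict], Optional[int]]:
    """Return (normalised ODS alerts, highest offset seen) for one stream read.

    The offset is tracked over every record, not just ODS ones, so the
    consumer resumes after the last record it actually processed.
    """
    alerts: List[Dict] = []
    last_offset: Optional[int] = None
    for rec in parse_stream(lines):
        offset = rec["metadata"].get("offset")
        if isinstance(offset, int):
            last_offset = offset if last_offset is None else max(last_offset, offset)
        if is_ods_detection(rec):
            alerts.append(normalise(rec))
    return alerts, last_offset


if __name__ == "__main__":
    found, resume_at = select_ods_detections(SAMPLE_STREAM)
    for alert in found:
        print(json.dumps(alert))
    print("resume from offset:", resume_at)
```

Run against the constructed sample it emits one alert (the `OnDemandScanMLFileAnalysisHigh` hit on `host-b`) and reports offset 261253 as the resume point. Persisting that offset is what lets a consumer reconnect after the stream's default timeout without replaying or losing records; the truncated trailing line is dropped rather than raising, since a resumed stream will deliver it again.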
Thanks, @alube for this detailed response. It helped me better understand the problem I have.
I have the same issue. I also opened a case with Crowdstrike. To get around it for now, I created a workflow in Crowdstrike to send an email to our SOAR and I ingest the alert that way; I also used the same workflow to then close the Alert in the console. Otherwise you have to manually close everything.
Thanks, @mccrilb! I'll see if I can implement the ODS alert ingestion this way! Thanks for the tip!