Crowdstrike Detections Connector doesn't collect detections triggered from OnDemand Scans

Has anyone else encountered the same issue?

1 ACCEPTED SOLUTION

Hi @ar3diu 

As far as I know, the OnDemand Scan detections are not available through the CrowdStrike Detections and Incidents API .

I've raised an issue in the past with Crowdstrike over ODS events, and they linked to this article - https://supportportal.crowdstrike.com/s/article/I-am-not-seeing-detections-from-on-demand-scans-ODS-...

To ingest these OnDemand scans, you'll either need to ingest the Streaming API events directly through the API or use CrowdStrike's SIEM connector.

The DetectionSummaryEvent subtype you want to target is 

  • DetectionSummaryEvent_ScanResults

You can also see ODS scan events come through with the EppDetectionSummary event that has the `type: ods`

Example:

```json
{
  "metadata": {
    "customerIDString": "string",
    "offset": 261252,
    "eventType": "EppDetectionSummaryEvent",
    "eventCreationTime": 1721173055000,
    "version": "1.0"
  },
  "event": {
    "Hostname": "string",
    "Name": "OnDemandScanMLFileAnalysisHigh",
    "Severity": 70,
    "FileName": "string",
    "FilePath": "string",
    "SHA256String": "string",
    "FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/strings",
    "AgentId": "string",
    "CompositeId": "string",
    "LocalIP": "string",
    "MACAddress": "string",
    "Tactic": "Machine Learning",
    "Technique": "Sensor-based ML",
    "Objective": "Falcon Detection Method",
    "HostGroups": "string",
    "SourceVendors": "CrowdStrike",
    "SourceProducts": "Falcon Insight",
    "DataDomains": "Endpoint",
    "Type": "ods",
    "LocalIPv6": ""
  }
}
```

I'm not sure you'll be able to create a custom action to poll, since the Streaming API utilizes a long-lived GET request that will continually stream messages until it times out, e.g. 30m by default.


Might need to ingest from the SIEM side using a custom service for Streaming API, or utilize the SIEM connector to forward to Bindplane or Chronicle Forwarder.

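To show what "ingest the Streaming API events directly" amounts to on the SIEM side, here is an added example that is not code from the thread or from CrowdStrike. It assumes the stream is consumed as one JSON object per line, that blank lines are keepalives to skip, and that the field names are the ones in the posted sample (`metadata.eventType`, `metadata.offset`, `event.Type`). It keys only on the `EppDetectionSummaryEvent` / `Type: ods` shape the sample shows; the connection itself (authentication, stream URL, resuming from an offset) is left to the caller, and the `DetectionSummaryEvent_ScanResults` subtype is not modeled because the sample does not show where that name appears in the payload. The sample lines below are constructed placeholders.

```python
"""Filter a CrowdStrike Streaming API feed for OnDemand Scan (ODS) detections.

Added example (not from the thread or CrowdStrike). Assumptions: one JSON
object per line, blank keepalive lines, field names as in the posted sample.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Iterable, Optional, Tuple

# Constructed sample feed: an unrelated audit event, a keepalive, the ODS
# detection from the thread (placeholder values), a non-ODS detection, and a
# malformed line. Nothing here refers to a real host or file.
SAMPLE_STREAM = [
    json.dumps({"metadata": {"offset": 261251, "eventType": "UserActivityAuditEvent",
                             "eventCreationTime": 1721173000000},
                "event": {"OperationName": "detection_update"}}),
    "",  # keepalive
    json.dumps({"metadata": {"customerIDString": "cid-placeholder", "offset": 261252,
                             "eventType": "EppDetectionSummaryEvent",
                             "eventCreationTime": 1721173055000, "version": "1.0"},
                "event": {"Hostname": "host-01", "Name": "OnDemandScanMLFileAnalysisHigh",
                          "Severity": 70, "FileName": "sample.bin",
                          "FilePath": "/tmp/sample.bin", "SHA256String": "<sha256 placeholder>",
                          "FalconHostLink": "https://falcon.example/activity-v2/detections/x",
                          "AgentId": "aid-01", "CompositeId": "cid-01",
                          "Tactic": "Machine Learning", "Technique": "Sensor-based ML",
                          "Type": "ods"}}),
    json.dumps({"metadata": {"offset": 261253, "eventType": "EppDetectionSummaryEvent",
                             "eventCreationTime": 1721173060000},
                "event": {"Hostname": "host-02", "Name": "OtherDetection",
                          "Severity": 50, "Type": "other"}}),  # constructed non-ODS type
    "this is not json",
]


def is_ods_detection(msg: dict) -> bool:
    """True for an EppDetectionSummaryEvent whose event.Type is 'ods'."""
    meta = msg.get("metadata") or {}
    event = msg.get("event") or {}
    if meta.get("eventType") != "EppDetectionSummaryEvent":
        return False
    return str(event.get("Type", "")).lower() == "ods"


def normalize(msg: dict) -> dict:
    """Flatten one ODS detection into a record a SIEM forwarder can emit."""
    meta, event = msg["metadata"], msg["event"]
    # eventCreationTime is epoch milliseconds in the sample
    ts = datetime.fromtimestamp(meta["eventCreationTime"] / 1000, tz=timezone.utc)
    return {
        "offset": meta.get("offset"),
        "timestamp": ts.isoformat(),
        "hostname": event.get("Hostname"),
        "detection_name": event.get("Name"),
        "severity": event.get("Severity"),
        "file_name": event.get("FileName"),
        "file_path": event.get("FilePath"),
        "sha256": event.get("SHA256String"),
        "tactic": event.get("Tactic"),
        "technique": event.get("Technique"),
        "falcon_link": event.get("FalconHostLink"),
        "source": "crowdstrike-streaming-api",
    }


def extract_ods_detections(lines: Iterable[str]) -> Tuple[list, Optional[int]]:
    """Walk the feed; return (normalized ODS detections, highest offset seen).

    The offset is tracked across every event, not just ODS ones, so the caller
    can persist it and resume the stream without replaying already-seen events.
    """
    detections = []
    last_offset: Optional[int] = None
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue  # keepalive / empty line
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: in production, count and log it
        offset = (msg.get("metadata") or {}).get("offset")
        if isinstance(offset, int):
            last_offset = offset if last_offset is None else max(last_offset, offset)
        if is_ods_detection(msg):
            detections.append(normalize(msg))
    return detections, last_offset


if __name__ == "__main__":
    found, resume_at = extract_ods_detections(SAMPLE_STREAM)
    for rec in found:
        print(json.dumps(rec))
    print(f"resume offset: {resume_at}")
```

The filter deliberately checks both `metadata.eventType` and `event.Type`, because `EppDetectionSummaryEvent` also carries non-ODS detections (the thread's point is that only the `ods` ones are missing from the Detections API), and the offset is tracked on every line so a restart of the long-lived GET can pick up where it left off rather than re-ingesting the backlog.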
