Analyze Detection Types Distribution

Visualize the frequency of different detection types

This is a query example for the Detection Types widget in the Detections dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Aggregate -> Result Set

| groupBy(event.DetectName)

Introduction

This widget is used to visualize the distribution of different detection types in your security events, helping identify the most common types of security detections in your environment. When configured as a pie chart visualization, it provides an intuitive view of the relative proportions of different detection types.

In this widget, the groupBy() function is used to aggregate and count detection events by their detection name, providing insights into the prevalence of different types of security detections.

The widget processes CrowdStrike detection summary events (metadata.eventType = DetectionSummaryEvent) as forwarded by the SIEM connector. Each event describes one detection, such as a suspicious PowerShell command line, a registry modification or a credential dumping attempt, and carries the detection name, severity, tactic and technique alongside the host and user involved.

Example incoming data might look like this. Each row is one event; the event.* and metadata.* fields that the query uses are parsed from the JSON in @rawstring. All five events carry #repo=auto-dashboard-queries and #type=siem-connector (the @ingesttimestamp, @timestamp.nanos=0 and @timezone=Z columns are omitted here):

@timestamp | @id | @rawstring
2026-01-12T10:22:45 | QTsJCoPniAANCCdKBxWdooCq_3_300_1768213365 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}
2026-01-12T10:22:45 | QTsJCoPniAANCCdKBxWdooCq_3_301_1768213365 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}
2026-01-12T10:22:46 | QTsJCoPniAANCCdKBxWdooCq_3_302_1768213366 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}}
2026-01-12T10:22:47 | QTsJCoPniAANCCdKBxWdooCq_3_303_1768213367 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}}
2026-01-12T10:22:48 | QTsJCoPniAANCCdKBxWdooCq_3_304_1768213368 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}}

Step-by-Step

  1. Starting with the source repository events.

  2. | groupBy(event.DetectName)

    Groups the events by the event.DetectName field and counts the events in each group. The output has one row per distinct detection name, with the number of events for that name in a field called _count. Events that have no event.DetectName field are not included in the result.

  3. Event Result set.
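The aggregation in step 2, re-implemented offline in Python as an added example (this is not code from the crowdstrike/siem-connector package or from LogScale). It parses DetectionSummaryEvent JSON of the shape shown above, counts events by event.DetectName the way groupBy() does, and adds the two views the "prioritize by frequency" advice needs: a rank order by _count, and the highest severity seen per detection name. The input is the page's five sample events trimmed to the fields used, plus five constructed lines (three repeated detection names, one non-detection event, one malformed line); the function names and the severity ranking are the example's own.

```python
"""Offline re-implementation of `| groupBy(event.DetectName)` over CrowdStrike
DetectionSummaryEvent JSON lines (added example, not the package's own code)."""
import json
from collections import Counter

# Input: the five events from the page's sample data, trimmed to the fields used
# here, followed by five constructed lines: three repeated detection names (so
# the counts are not all 1), one non-detection event and one malformed line.
SAMPLE_LINES = [
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Medium","DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","Technique":"T1059.001 - PowerShell"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Low","DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","Technique":"T1003.001 - LSASS Memory"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"High","DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","Technique":"T1021.002 - SMB/Windows Admin Shares"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Critical","DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","Technique":"T1078.002 - Domain Accounts"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Medium","DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","Technique":"T1053.005 - Scheduled Task"}}',
    # constructed from here on
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Medium","DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB02","Technique":"T1059.001 - PowerShell"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"High","DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","Technique":"T1059.001 - PowerShell"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":{"SeverityName":"Low","DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP03","Technique":"T1112 - Modify Registry"}}',
    '{"metadata":{"eventType":"UserActivityAuditEvent"},"event":{"UserId":"admin@example.invalid","OperationName":"detection_update"}}',
    '{"metadata":{"eventType":"DetectionSummaryEvent"},"event":',  # truncated line
]

# Example's own ranking of CrowdStrike severity names, lowest to highest.
SEVERITY_RANK = {"Informational": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}


def flatten(obj, prefix=""):
    """Turn nested JSON into the dotted field names LogScale shows (event.DetectName)."""
    flat = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def parse_events(lines):
    """Return the flattened DetectionSummaryEvents; skip other event types and bad lines."""
    events = []
    for line in lines:
        try:
            flat = flatten(json.loads(line))
        except (json.JSONDecodeError, AttributeError):
            continue  # one unparseable line must not abort the whole aggregation
        if flat.get("metadata.eventType") == "DetectionSummaryEvent":
            events.append(flat)
    return events


def group_by(events, *fields):
    """Equivalent of groupBy([fields]): {(value, ...): _count}. Events missing any
    of the fields are left out, as LogScale's groupBy() leaves them out."""
    counts = Counter()
    for event in events:
        key = tuple(event.get(field) for field in fields)
        if None not in key:
            counts[key] += 1
    return dict(counts)


def ranked(counts):
    """Rows ordered by _count descending, then by key; groupBy() itself does not
    guarantee an order, so a table view needs this (a pie chart does not)."""
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def highest_severity(events):
    """Most severe event.SeverityName seen per detection name: a frequent Medium
    detection should not outrank a rare Critical one."""
    worst = {}
    for event in events:
        name = event.get("event.DetectName")
        sev = event.get("event.SeverityName")
        if name is None or sev not in SEVERITY_RANK:
            continue
        if name not in worst or SEVERITY_RANK[sev] > SEVERITY_RANK[worst[name]]:
            worst[name] = sev
    return worst


if __name__ == "__main__":
    events = parse_events(SAMPLE_LINES)
    worst = highest_severity(events)
    for (name,), count in ranked(group_by(events, "event.DetectName")):
        print(f"{count:3d}  {worst[name]:<8}  {name}")
```

The two-field call group_by(events, "event.DetectName", "event.SeverityName") corresponds to groupBy([event.DetectName, event.SeverityName]) in the query language, and is the breakdown to reach for when the pie chart's largest segment turns out to be a low-severity detection.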

Summary and Results

The widget is used to provide a clear visualization of the distribution of different types of security detections in your environment.

This widget is useful to identify the most common types of security detections, to track patterns in attack techniques and methods, to monitor changes in threat patterns over time, and as one input to prioritizing response. Frequency alone is not priority: a detection name that fires often at Low or Medium severity does not outrank one that fires once at Critical, so read this chart alongside event.SeverityName.

Sample output (illustrative; the counts reflect a larger data set than the five events shown above):

_count | event.DetectName
21 | Suspicious PowerShell Command Line
8 | Suspicious Process Injection
20 | Suspicious Registry Modification
7 | Suspicious Scheduled Task Creation
8 | Suspicious Service Creation

The _count field holds the number of events for each detection name. The rows above are listed by detection name, but groupBy() does not guarantee an order, so sort the result by _count when the ranking matters in a table view. A pie chart does not depend on row order: each segment is sized by that row's share of the total _count.
