Display Detection Events And Associated Data in Table Format

Create a comprehensive detection events overview

This is a query example for the Detections widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result

logscale

metadata.eventType = DetectionSummaryEvent
| event.ComputerName=* AND metadata.customerIDString = *
| SensorId := event.SensorId
| ComputerName:=event.ComputerName
| User:=event.UserName
| DetectName:=event.DetectName
| Severity:=event.SeverityName
| LocalIP:=event.LocalIP
| Tactic:=event.Tactic
| Technique:= event.Technique
| Description:= event.DetectDescription
| Objective:=event.Objective
| table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])

Introduction

This widget is used to display security detection events from Falcon LogScale in a structured table format, providing key information such as timestamp, computer details, user information, and detection specifics for security analysis and incident response.

In this widget, the table() function is used to organize detection event data into a structured format with specific columns for analysis and investigation.

Example incoming data might look like this:

@timestamp	#repo	#type	@id	@ingesttimestamp	@rawstring	@timezone	event.ComputerName	event.DetectDescription	event.DetectName	event.LocalIP	event.Objective	event.SensorId	event.SeverityName	event.Tactic	event.Technique	event.UserName	metadata.customerIDString	metadata.eventCreationTime	metadata.eventType
2026-01-12T10:22:45	auto-dashboard-queries	siem-connector	QTsJCoPniAANCCdKBxWdooCq_3_300_1768213365	2026-01-12T10:22:45	{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}}	Z	PROD-WEB01	Detected suspicious PowerShell command execution with encoded arguments	Suspicious PowerShell Command Line	192.168.2.143	Command and Control	b2c3d4e5f6g7h8i9j0k1	Medium	Execution	T1059.001 - PowerShell	adamsb	a1b2c3d4e5f6g7h8i9j0	1768213365060	DetectionSummaryEvent
2026-01-12T10:22:45	auto-dashboard-queries	siem-connector	QTsJCoPniAANCCdKBxWdooCq_3_301_1768213365	2026-01-12T10:22:46	{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}}	Z	PROD-APP02	Detected potential credential dumping from LSASS memory	Suspicious Registry Modification	192.168.0.87	Credential Theft	d4e5f6g7h8i9j0k1l2m3	Low	Credential Access	T1003.001 - LSASS Memory	andersonk	c3d4e5f6g7h8i9j0k1l2	1768213365928	DetectionSummaryEvent
2026-01-12T10:22:46	auto-dashboard-queries	siem-connector	QTsJCoPniAANCCdKBxWdooCq_3_302_1768213366	2026-01-12T10:22:47	{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}}	Z	PROD-DB01	Detected suspicious access to administrative shares	Credential Dumping via Mimikatz	192.168.3.211	Internal Reconnaissance	f6g7h8i9j0k1l2m3n4o5	High	Lateral Movement	T1021.002 - SMB/Windows Admin Shares	bakerm	e5f6g7h8i9j0k1l2m3n4	1768213366748	DetectionSummaryEvent
2026-01-12T10:22:47	auto-dashboard-queries	siem-connector	QTsJCoPniAANCCdKBxWdooCq_3_303_1768213367	2026-01-12T10:22:48	{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}}	Z	PROD-FILE01	Detected authentication using potentially compromised domain account	Suspicious Service Creation	192.168.1.54	Privilege Escalation	h8i9j0k1l2m3n4o5p6q7	Critical	Defense Evasion	T1078.002 - Domain Accounts	blackj	g7h8i9j0k1l2m3n4o5p6	1768213367566	DetectionSummaryEvent
2026-01-12T10:22:48	auto-dashboard-queries	siem-connector	QTsJCoPniAANCCdKBxWdooCq_3_304_1768213368	2026-01-12T10:22:49	{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}}	Z	PROD-SQL01	Detected suspicious scheduled task creation for persistence	Lateral Movement via WMI	192.168.4.198	Persistence Establishment	j0k1l2m3n4o5p6q7r8s9	Medium	Persistence	T1053.005 - Scheduled Task	brownr	i9j0k1l2m3n4o5p6q7r8	1768213368386	DetectionSummaryEvent

Step-by-Step

Starting with the source repository events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
metadata.eventType = DetectionSummaryEvent
```
Filters for events where metadata.eventType equals DetectionSummaryEvent.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| event.ComputerName=* AND metadata.customerIDString = *
```
Further filters to include only events that have both an event.ComputerName field and a metadata.customerIDString field.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| SensorId := event.SensorId
```
Creates a new field named SensorId from event.SensorId.
This simplifies the field name for better readability and preserves the unique sensor identifier information.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 4 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| ComputerName:=event.ComputerName
```
Creates a new field named ComputerName from event.ComputerName.
This maintains system identification information and simplifies the field name structure.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 5 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| User:=event.UserName
```
Creates a new field named User from event.UserName.
This tracks the user associated with the detection event and provides user context for security analysis.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 6 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| DetectName:=event.DetectName
```
Creates a new field named DetectName from event.DetectName.
This identifies the type of detection that occurred and provides quick reference to the detection category.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 7 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| Severity:=event.SeverityName
```
Creates a new field named Severity from event.SeverityName.
This indicates the severity level of the detection and enables prioritization of security events.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 8 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| LocalIP:=event.LocalIP
```
Creates a new field named LocalIP from event.LocalIP.
This records the IP address of the affected system and provides network context for the security event.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 9 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| Tactic:=event.Tactic
```
Creates a new field named Tactic from event.Tactic.
This identifies the MITRE ATT&CK tactic associated with the detection and provides context for the attacker's methodology.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 10 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| Technique:= event.Technique
```
Creates a new field named Technique from event.Technique.
This specifies the MITRE ATT&CK technique identified and details the specific method used in the attack.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 11 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| Description:= event.DetectDescription
```
Creates a new field named Description from event.DetectDescription.
This provides detailed information about the detection event and offers context for investigation and analysis.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 12 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| Objective:=event.Objective
```
Creates a new field named Objective from event.Objective.
This identifies the suspected goal of the detected activity and helps understand the potential impact of the threat.
flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3[\Add Field/] 4[\Add Field/] 5[\Add Field/] 6[\Add Field/] 7[\Add Field/] 8[\Add Field/] 9[\Add Field/] 10[\Add Field/] 11[\Add Field/] 12[\Add Field/] 13{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> 4 4 --> 5 5 --> 6 6 --> 7 7 --> 8 8 --> 9 9 --> 10 10 --> 11 11 --> 12 12 --> 13 13 --> result style 13 fill:#ff0000,stroke-width:4px,stroke:#000;
logscale
```
| table([@timestamp,SensorId,ComputerName,User,DetectName,Severity,LocalIP,Tactic,Technique,Objective,Description])
```
The table() function creates an organized view of the detection events with specific columns.
- Displays timestamp first for chronological reference.
- Groups system identifiers (SensorId, ComputerName) for context.
- Shows user information for attribution.
- Presents detection details and severity for quick assessment.
- Includes attack details (Tactic, Technique, Objective) for threat analysis.
- Ends with full description for comprehensive understanding.
Event Result set.

Summary and Results

The widget is used to create a comprehensive view of security detection events, enabling efficient analysis and investigation of potential threats.

This widget is useful to monitor security incidents in real-time, investigate potential compromises, and track attack patterns across the environment.

Sample output from the incoming example data:

@timestamp	ComputerName	Description	DetectName	LocalIP	Objective	SensorId	Severity	Tactic	Technique	User
2026-01-12T10:22:45	PROD-WEB01	Detected suspicious PowerShell command execution with encoded arguments	Suspicious PowerShell Command Line	192.168.2.143	Command and Control	b2c3d4e5f6g7h8i9j0k1	Medium	Execution	T1059.001 - PowerShell	adamsb
2026-01-12T10:22:45	PROD-APP02	Detected potential credential dumping from LSASS memory	Suspicious Registry Modification	192.168.0.87	Credential Theft	d4e5f6g7h8i9j0k1l2m3	Low	Credential Access	T1003.001 - LSASS Memory	andersonk
2026-01-12T10:22:46	PROD-DB01	Detected suspicious access to administrative shares	Credential Dumping via Mimikatz	192.168.3.211	Internal Reconnaissance	f6g7h8i9j0k1l2m3n4o5	High	Lateral Movement	T1021.002 - SMB/Windows Admin Shares	bakerm
2026-01-12T10:22:47	PROD-FILE01	Detected authentication using potentially compromised domain account	Suspicious Service Creation	192.168.1.54	Privilege Escalation	h8i9j0k1l2m3n4o5p6q7	Critical	Defense Evasion	T1078.002 - Domain Accounts	blackj
2026-01-12T10:22:48	PROD-SQL01	Detected suspicious scheduled task creation for persistence	Lateral Movement via WMI	192.168.4.198	Persistence Establishment	j0k1l2m3n4o5p6q7r8s9	Medium	Persistence	T1053.005 - Scheduled Task	brownr

Note that the output presents events with severity levels ranging from Low to Critical, enabling quick identification of high-priority security incidents.

Also note that each event includes MITRE ATT&CK framework references (Tactic, Technique) to aid in threat analysis and response.

Versions of this Page

Examples Library