Inconsistency between Detects Advisor API and New "Endpoint detections" Web Page

[Skyw3lker]

I'm writing to report a discrepancy between the Detects Advisor API and the recently updated web interface for viewing detections.

Issue:

The web interface now offers two options for viewing detections:

• Endpoint detections (Updated)
• Endpoint detections (Deprecated)

However, the Detects Advisor API continues to return results associated with the "Deprecated" page. This inconsistency creates confusion and makes it difficult to access the data displayed in the new "Updated" web interface view via FalconPy.

Desired Behavior:

It would be ideal if the Detects Advisor API could be updated to provide results that are compatible with the new "Endpoint detections (Updated)" format on the web interface, when using it with the -d option to dump results in json file. This would ensure seamless integration and a consistent user experience.

https://falconpy.io/Service-Collections/Detects.html
https://github.com/CrowdStrike/falconpy/blob/main/samples/detects/README.md#dumping-results-to-a-file

Possible Solutions:

API Update: Modify the Detects Advisor API to return data in the format expected by the new "Endpoint detections (Updated)" web interface.
Documentation Update: If the API cannot be updated immediately, consider revising the documentation to clearly explain the difference between the API results and the updated web interface view. This will help users understand the potential discrepancies and guide them towards the correct approach for accessing the desired data.

Update:
Sorry for the confusion, but I think "Endpoint detections",
can be retrived via falcon.get_aggregate_alerts_v2
https://falconpy.io/Service-Collections/Alerts.html#postaggregatesalertsv2

but still I've tried the provided code sample but I'm getting error code 500
response = falcon.GetQueriesAlertsV2(offset=integer,
limit=integer,
include_hidden=boolean,
sort="string",
filter="string",
q="string"
)
print(response)

So, Simply How to retrieve all the detection fron Endpoint detections (Updated) Page to a json file via python3 code ?!

[tsullivan06]

@Skyw3lker - This was covered in some degree back in a release note published on Sept 19, 2023.
The "Endpoint detections (Updated)" should probably have been tagged with (New) vs (Updated) since it's powered by a new detection architecture that was designed for the Raptor platform. The new Endpoint Detections dashboard is powered by the Alerts API endpoints. Keep in mind that this API has several different detection types, so if you want endpoint detections you need to use a filter of product:'epp'. The presentation, architecture and the data between the two is considerably different so you'll want to review it. A very simple and basic explanation of the UI can be found in this document.
One of the biggest changes is that the automatic consolidation was removed so the behaviors that would have been grouped by the process tree by default are now stand alone detections. This allows for custom correlation/grouping as well as a more granular detection methodology. eg If you had a behavior in the old detection that was a FP you couldn't just mark it that way, you had to mark the whole thing as a FP. In the new architecture you can.
If you're interested in associating the endpoint events in the alerts API you should be able to do it by grouping them based on the aggregate_id field value.

[Skyw3lker]

To clarify further, according to
https://www.falconpy.io/Service-Collections/Alerts.html#postaggregatesalertsv2

to Retrieve aggregates for alerts across all CIDs for the past hour as per Endpoint detections (Updated) web page, . what is wrong with the following code:
from falconpy import Alerts
falcon = Alerts(client_id="XXXX", client_secret="YYYY")

response = falcon.get_aggregate_alerts_v2(interval="hour") OR
response = falcon.PostAggregatesAlertsV2(interval="hour")

print(response)

I think it is on the third line, something to do with the body format.

I've also tried
body = {
"filter":"product:'epp'",
"interval": "day"
}
response = falcon.PostAggregatesAlertsV2(body=body)