GetQueriesAlertsV2 shows wrong count when compared to console

[Ni-ka-sH]

Hi All,

Im trying to use 'query_alerts_v2' to get the detections from new-detections page. and im also using filter to get the detections based on 'epp' product. But the count I get via API differs from what is shown in console.

Sometimes the count is higher and sometimes lower.

my api output is 9, but as per console the count is 19

and in some cases when I try to get all alerts within a given time range, offset is always 0 and im unable to paginate throught the total results using this query

can someone please help here.

Many thanks in Advance.

[crowdstrikedcs]

Hi @Ni-ka-sH thanks for the question!

It looks to me like this comes down to differences in the filtering when using the UI vs. the API. Let me show an example.

When I load up the new endpoint detection experience I see the below:

19,652 total results. This is without any filtering. One item of note however is that the UI hides hidden items and this cannot be changed.
I see the same 19,652 in my API call using the filter product:'epp' and include_hidden:'false' I see you have specified include_hiddent=True(this needs to be include_hidden for it to work but the API defaults this to true so it's not needed explicitly) to get a better count this could be as simple as setting include_hidden to False.

Another change to keep in mind is that the timestamp filters are not exactly the same in the UI so you may see slightly different results in the UI based on this.

As far as the pagination you need to specify an offset to get to the next page which works something like this.

1. Initial Call offset is 0 (default) and limit is 10000 this will get results 0-9999
2. Second call offset is now 10000 and limit is 10000 this returns items 10000-19999

From your query above you'll need to provide the offset paramater on the next page.

Let us know with any questions on this

[Ni-ka-sH]

Hi @crowdstrikedcs

Good Day.

Thankyou so much for the answer.
Using this include_hidden set to False, I'm able to get the count close to what is shown in console.

Do you have any suggestions to get the count using timestamp filters?

And as for the pagination, I tried the code and still getting the pagination error.

Kindly let me know if Im doing anything wrong here.

Thankyou again.

[crowdstrikedcs]

Hi @Ni-ka-sH checking with some others on the detail for this message. Will update once I hear more.

[Ni-ka-sH]

Thankyouu so much @crowdstrikedcs

[crowdstrikedcs]

HI @Ni-ka-sH

Few items on the pagination, this API returns a maximum of 10000 records. The Limit + Offset must always be less than 10k records.

To get around this limitation I reccomend using a filter to reduce the total count below 10000. Based on your environment there may be a few different options for this filter, timestamp is a good bet as you can use a rolling window.

For my usage I used a created_timestamp and the polling logic goes something like this

Make an initial call with no filter and limit 10000. Additionally sort the records using created_timestamp.asc which will return records sorted in ascending order by when they were last seen.
For each page of 10000 use the get_alerts_v2 operation to gather alert details.
For the last resource ID store it's created_timestamp.
Make a new call to query_alerts_v2 now using the stored filter
Repeat this process until your count matches the total.

As far as getting the count with the timestamp filters, I would reccomend using the value provided as the API as the total amount

[Ni-ka-sH]

Hi @crowdstrikedcs ,

Good Day.

Thankyou so much for the detailed explanation.

So, from what you have explained, I believe pagination doesnt work like before.
Ill try to change my logic as per the explanation.

Thanks again.
Have a happy day.