List all Identity Protection Detections

# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: List all Identity Protection Detections

# Description of what the query does and its purpose.
description: List of all IDP detections.

# The author or team that created the query.
author: CrowdStrike

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Monitoring

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #repo=detections ExternalApiType=Event_IdpDetectionSummaryEvent
  | rename([[TargetEndpointHostName, TargetEndpoint], [SourceEndpointHostName, SourceEndpoint], [TargetAccountName, TargetAccount], [SourceAccountName, SourceAccount]])
  | format("[FalconHostLink](%s)", field=[FalconHostLink], as="FalconHostLink")
  | format(format="%s > %s", field=[Tactic, Technique], as=MITRE)
  | groupBy([TargetAccount], function=([sum(Severity, as=Weight), count(DetectName, distinct=true, as=UniqueDetections), count(DetectName, as=TotalDetections), collect([MITRE, SourceEndpoint]), selectFromMax(field="@timestamp", include=[FalconHostLink])]))
  | rename(field="FalconHostLink", as="Most Recent Detection")
  | sort(Weight, order=desc, limit=200)