When using the ATP REST API, and Splunk Integration, you do not see the same information as is shown on Events in the ATP Event search.
This issue is resolved in SEDR 4.0. Event data pulled through the API will show MITRE attack data in the fields "event_actor.signature_level_id", "attacks", "attacks.tactic_ids", "attacks.technique_uid", and "attacks.technique_name".
Subscribing will provide email updates when this Article is updated. Login is required.