Azure · v-atulyadav · Jun 25, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 24, 2025
@@ -7,7 +7,7 @@
     "properties": {
         "connectorUiConfig": {
             "id": "CiscoSecureEndpointLogsCCPDefinition",
-            "title": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+            "title": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
             "publisher": "Microsoft",
             "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.",
             "graphQueries": [

@@ -63,23 +63,6 @@
               "text": "This Solution installs the data connector for Cisco Secure Endpoint. You can get Cisco Secure Endpoint data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
             }
           },
-          {
-            "name": "dataconnectors-link1",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          },
-          {
-            "name": "dataconnectors2-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Cisco Secure Endpoint. You can get Cisco Secure Endpoint custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
           {
             "name": "dataconnectors-parser-text",
             "type": "Microsoft.Common.TextBlock",

@@ -1298,7 +1298,7 @@
       ],
       "properties": {
         "contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
-        "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+        "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
         "contentKind": "DataConnector",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -1315,7 +1315,7 @@
               "properties": {
                 "connectorUiConfig": {
                   "id": "CiscoSecureEndpointLogsCCPDefinition",
-                  "title": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+                  "title": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
                   "publisher": "Microsoft",
                   "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.",
                   "graphQueries": [
@@ -2597,7 +2597,7 @@
       "properties": {
         "connectorUiConfig": {
           "id": "CiscoSecureEndpointLogsCCPDefinition",
-          "title": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+          "title": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
           "publisher": "Microsoft",
           "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://developer.cisco.com/docs/secure-endpoint/auditlog/) and [events](https://developer.cisco.com/docs/secure-endpoint/v1-api-reference-event/) into Microsoft Sentinel.",
           "graphQueries": [
@@ -2807,7 +2807,7 @@
       ],
       "properties": {
         "contentId": "[variables('_dataConnectorContentIdConnections1')]",
-        "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+        "displayName": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
         "contentKind": "ResourcesDataConnector",
         "mainTemplate": {
           "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -2822,7 +2822,7 @@
               "type": "securestring"
             },
             "connectorDefinitionName": {
-              "defaultValue": "Cisco Secure Endpoint (via Codeless Connector Framework)",
+              "defaultValue": "Cisco Secure Endpoint (via Codeless Connector Framework) (Preview)",
               "type": "securestring",
               "minLength": 1
             },
@@ -3231,19 +3231,15 @@
           "title": "[DEPRECATED] Cisco Secure Endpoint (AMP) (using Azure Functions)",
           "publisher": "Cisco",
           "descriptionMarkdown": "The Cisco Secure Endpoint (formerly AMP for Endpoints) data connector provides the capability to ingest Cisco Secure Endpoint [audit logs](https://api-docs.amp.cisco.com/api_resources/AuditLog?api_host=api.amp.cisco.com&api_version=v1) and [events](https://api-docs.amp.cisco.com/api_actions/details?api_action=GET+%2Fv1%2Fevents&api_host=api.amp.cisco.com&api_resource=Event&api_version=v1) into Microsoft Sentinel.\n\n<p><span style='color:red; font-weight:bold;'>NOTE</span>: This data connector has been deprecated, consider moving to the CCF data connector available in the solution which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p>",
-          "graphQueries": [
-            {
-              "metricName": "Cisco Secure Endpoint logs",
-              "legend": "CiscoSecureEndpoint_CL",
-              "baseQuery": "CiscoSecureEndpoint_CL"
-            }
-          ],
-          "dataTypes": [
-            {
-              "name": "CiscoSecureEndpoint_CL",
-              "lastDataReceivedQuery": "CiscoSecureEndpoint_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
-            }
-          ],
+          "graphQueries": {
+            "metricName": "Cisco Secure Endpoint logs",
+            "legend": "CiscoSecureEndpoint_CL",
+            "baseQuery": "CiscoSecureEndpoint_CL"
+          },
+          "dataTypes": {
+            "name": "CiscoSecureEndpoint_CL",
+            "lastDataReceivedQuery": "CiscoSecureEndpoint_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+          },
           "connectivityCriterias": [
             {
               "type": "IsConnectedQuery",
@@ -3252,12 +3248,10 @@
               ]
             }
           ],
-          "sampleQueries": [
-            {
-              "description": "All Cisco Secure Endpoint logs",
-              "query": "CiscoSecureEndpoint_CL\n| sort by TimeGenerated desc"
-            }
-          ],
+          "sampleQueries": {
+            "description": "All Cisco Secure Endpoint logs",
+            "query": "CiscoSecureEndpoint_CL\n| sort by TimeGenerated desc"
+          },
           "availability": {
             "status": 1,
             "isPreview": false

@@ -1,4 +1,4 @@
 | **Version** | **Date Modified (DD-MM-YYYY)**| **ChangeHistory**                             |
 |-------------|-------------------------------|-----------------------------------------------|
-| 3.0.1       | 23-06-2025                    | Adding a new **CCF Data Connector** - *Cisco Secure Endpoint*  and updates the **Parser** to handle the newly introduced table.  	   |
+| 3.0.1       | 23-06-2025                    | Adding a new **CCF Data Connector** - *Cisco Secure Endpoint*  and updated the **Parser** to handle the newly introduced table.  	   |
 | 3.0.0       | 28-08-2024                    | Updated the python runtime version to 3.11.    |
@@ -1,6 +1,6 @@
 {
 	"id": "CrowdstrikeReplicatorv2",
-	"title": "[DEPRECATED] Crowdstrike Falcon Data Replicator V2",
+	"title": "Crowdstrike Falcon Data Replicator V2",
 	"publisher": "Crowdstrike",
 	"descriptionMarkdown": "The [Crowdstrike](https://www.crowdstrike.com/) Falcon Data Replicator connector provides the capability to ingest raw event data from the [Falcon Platform](https://www.crowdstrike.com/blog/tech-center/intro-to-falcon-data-replicator/) events into Microsoft Sentinel. The connector provides ability to get events from Falcon Agents which helps to examine potential security risks, analyze your team's use of collaboration, diagnose configuration problems and more.<p><span style='color:red; font-weight:bold;'>NOTE:</span> This data connector has been deprecated, consider moving to the CCP data connector available in the solution which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>.</p>",
 	"additionalRequirementBanner": "These queries and workbooks are dependent on a parser based on Kusto to work as expected. Follow the steps to use this Kusto functions alias **CrowdstrikeReplicator** in queries and workbooks [Follow steps to get this Kusto functions>](https://aka.ms/sentinel-crowdstrikereplicator-parser).",

@@ -2,7 +2,9 @@
   "Name": "CrowdStrike Falcon Endpoint Protection",
   "Author": "Microsoft - support@microsoft.com",
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">",
-  "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n<p><span style='color:red; font-weight:bold;'>NOTE:</span>For ingestion of CEF-formatted logs from CrowdStrike, Microsoft recommends installing the CEF via AMA Connector.</p> <p><span style='color:red; font-weight:bold;'>NOTE:</span> Microsoft recommends installation of CrowdStrike Falcon Data Replicator (S3 Polling via Codeless Connector Platform). This connector is build on the Codeless Connector Platform (CCP), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCP-based data connectors also support <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p> <p><span style='color:red; font-weight:bold;'>Important:</span> While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the legacy versions of these connectors to avoid duplication of data.</p>",
+  "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\n<p><span style='color:red; font-weight:bold;'>NOTE:</span> Microsoft recommends using Codeless Connector Framework based connector wherever possible. These connectors use the Log Ingestion API, which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCF-based data connectors also support <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment. If required, for ingestion of CEF-formatted logs from CrowdStrike, configure the CEF via AMA Connector available as a part of the CEF solution which will be installed as part of this solution installation.</p> <p><span style='color:red; font-weight:bold;'>Important:</span> While multiple connectors available as a part of this solution can run in parallel, running them together may result in duplicated data ingestion. Carefully review the capabilities of each connector and select the most relevant connector based on specific organizational requirements.</p>",
+
+
   "Data Connectors": [
     "Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json",
     "Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json",

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.\n\n<p><span style='color:red; font-weight:bold;'>NOTE:</span>For ingestion of CEF-formatted logs from CrowdStrike, Microsoft recommends installing the CEF via AMA Connector.</p> <p><span style='color:red; font-weight:bold;'>NOTE:</span> Microsoft recommends installation of CrowdStrike Falcon Data Replicator (S3 Polling via Codeless Connector Platform). This connector is build on the Codeless Connector Platform (CCP), which uses the Log Ingestion API, which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCP-based data connectors also support <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment.</p> <p><span style='color:red; font-weight:bold;'>Important:</span> While the updated connector(s) can coexist with their legacy versions, running them together will result in duplicated data ingestion. You can disable the legacy versions of these connectors to avoid duplication of data.</p>\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\n<p><span style='color:red; font-weight:bold;'>NOTE:</span> Microsoft recommends using Codeless Connector Framework based connector wherever possible. These connectors use the Log Ingestion API, which replaces ingestion via the <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate' style='color:#1890F1;'>deprecated HTTP Data Collector API</a>. CCF-based data connectors also support <a href='https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview' style='color:#1890F1;'>Data Collection Rules</a> (DCRs) offering transformations and enrichment. If required, for ingestion of CEF-formatted logs from CrowdStrike, configure the CEF via AMA Connector available as a part of the CEF solution which will be installed as part of this solution installation.</p> <p><span style='color:red; font-weight:bold;'>Important:</span> While multiple connectors available as a part of this solution can run in parallel, running them together may result in duplicated data ingestion. Carefully review the capabilities of each connector and select the most relevant connector based on specific organizational requirements.</p>\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",