diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_DCR.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_DCR.json
index 7c67ab9ce48..5fdfb364277 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_DCR.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_DCR.json
@@ -1,814 +1,11 @@ [ { "name": "CrowdStrikeDCR", - "apiVersion": "2023-04-01-preview", + "apiVersion": "2023-03-11", "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": null, + "location": "{{location}}", "properties": { "dataCollectionEndpointId": "{{dataCollectionEndpointId}}", - "streamDeclarations": { - "Custom-Crowdstrike-VULNERABILITIES": { - "columns": [ - { - "name": "id", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "aid", - "type": "string" - }, - { - "name": "vulnerability_id", - "type": "string" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "updated_timestamp", - "type": "datetime" - }, - { - "name": "data_providers", - "type": "dynamic" - }, - { - "name": "apps", - "type": "dynamic" - }, - { - "name": "suppression_info", - "type": "dynamic" - }, - { - "name": "confidence", - "type": "string" - }, - { - "name": "app", - "type": "dynamic" - }, - { - "name": "cve", - "type": "dynamic" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "remediation", - "type": "dynamic" - } - ] - }, - "Custom-Crowdstrike-ALERTS": { - "columns": [ - { - "name": "id", - "type": "string" - }, - { - "name": "agent_id", - "type": "string" - }, - { - "name": "aggregate_id", - "type": "string" - }, - { - "name": "assigned_to_name", - "type": "string" - }, - { - "name": "assigned_to_uid", - "type": "string" - }, - { - "name": "assigned_to_uuid", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "composite_id", - "type": "string" - }, - { - "name": "confidence", - "type": "int" - }, - { - "name": "crawled_timestamp", - "type": "datetime" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "data_domains", - "type": "dynamic" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "display_name", - "type": 
"string" - }, - { - "name": "email_sent", - "type": "boolean" - }, - { - "name": "external", - "type": "boolean" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "objective", - "type": "string" - }, - { - "name": "pattern_id", - "type": "int" - }, - { - "name": "platform", - "type": "string" - }, - { - "name": "product", - "type": "string" - }, - { - "name": "scenario", - "type": "string" - }, - { - "name": "seconds_to_resolved", - "type": "int" - }, - { - "name": "seconds_to_triaged", - "type": "int" - }, - { - "name": "severity", - "type": "int" - }, - { - "name": "severity_name", - "type": "string" - }, - { - "name": "show_in_ui", - "type": "boolean" - }, - { - "name": "source_products", - "type": "dynamic" - }, - { - "name": "source_vendors", - "type": "dynamic" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "tactic", - "type": "string" - }, - { - "name": "tactic_id", - "type": "string" - }, - { - "name": "tags", - "type": "dynamic" - }, - { - "name": "technique", - "type": "string" - }, - { - "name": "technique_id", - "type": "string" - }, - { - "name": "timestamp", - "type": "datetime" - }, - { - "name": "type", - "type": "string" - }, - { - "name": "updated_timestamp", - "type": "datetime" - } - ] - }, - "Custom-Crowdstrike-INCIDENTS": { - "columns": [ - { - "name": "assigned_to", - "type": "string" - }, - { - "name": "assigned_to_name", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "created", - "type": "datetime" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "email_state", - "type": "string" - }, - { - "name": "end", - "type": "datetime" - }, - { - "name": "events_histogram", - "type": "dynamic" - }, - { - "name": "fine_score", - "type": "int" - }, - { - "name": "grouping_ids", - "type": "dynamic" - }, - { - "name": "host_ids", - "type": "dynamic" - }, - { - "name": "hosts", - "type": "dynamic" - }, - { - "name": "incident_id", - "type": "string" - }, - { - 
"name": "incident_type", - "type": "int" - }, - { - "name": "lm_host_ids", - "type": "dynamic" - }, - { - "name": "lm_hosts_capped", - "type": "boolean" - }, - { - "name": "lm_types", - "type": "int" - }, - { - "name": "lmra_host_ids", - "type": "dynamic" - }, - { - "name": "lmra_hosts_capped", - "type": "boolean" - }, - { - "name": "modified_timestamp", - "type": "datetime" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "objectives", - "type": "dynamic" - }, - { - "name": "start", - "type": "datetime" - }, - { - "name": "state", - "type": "string" - }, - { - "name": "status", - "type": "int" - }, - { - "name": "tactics", - "type": "dynamic" - }, - { - "name": "tags", - "type": "dynamic" - }, - { - "name": "techniques", - "type": "dynamic" - }, - { - "name": "users", - "type": "dynamic" - } - ] - }, - "Custom-Crowdstrike-DETECTIONS": { - "columns": [ - { - "name": "adversary_ids", - "type": "dynamic" - }, - { - "name": "assigned_to_name", - "type": "string" - }, - { - "name": "assigned_to_uid", - "type": "string" - }, - { - "name": "behaviors", - "type": "dynamic" - }, - { - "name": "behaviors_processed", - "type": "dynamic" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "date_updated", - "type": "string" - }, - { - "name": "detection_id", - "type": "string" - }, - { - "name": "device", - "type": "dynamic" - }, - { - "name": "email_sent", - "type": "boolean" - }, - { - "name": "first_behavior", - "type": "datetime" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "last_behavior", - "type": "datetime" - }, - { - "name": "max_confidence", - "type": "int" - }, - { - "name": "max_severity", - "type": "int" - }, - { - "name": "max_severity_displayname", - "type": "string" - }, - { - "name": "overwatch_notes", - "type": "string" - }, - { - "name": "quarantined_files", - "type": "dynamic" - }, - { - "name": "seconds_to_resolved", - "type": "int" - }, - { - 
"name": "seconds_to_triaged", - "type": "int" - }, - { - "name": "show_in_ui", - "type": "boolean" - }, - { - "name": "status", - "type": "string" - } - ] - }, - "Custom-Crowdstrike-HOSTS": { - "columns": [ - { - "name": "agent_load_flags", - "type": "string" - }, - { - "name": "agent_local_time", - "type": "string" - }, - { - "name": "agent_version", - "type": "string" - }, - { - "name": "base_image_version", - "type": "string" - }, - { - "name": "bios_manufacturer", - "type": "string" - }, - { - "name": "bios_version", - "type": "string" - }, - { - "name": "build_number", - "type": "string" - }, - { - "name": "chassis_type", - "type": "string" - }, - { - "name": "chassis_type_desc", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "config_id_base", - "type": "string" - }, - { - "name": "config_id_build", - "type": "string" - }, - { - "name": "config_id_platform", - "type": "string" - }, - { - "name": "connection_ip", - "type": "string" - }, - { - "name": "connection_mac_address", - "type": "string" - }, - { - "name": "cpu_signature", - "type": "string" - }, - { - "name": "cpu_vendor", - "type": "string" - }, - { - "name": "default_gateway_ip", - "type": "string" - }, - { - "name": "deployment_type", - "type": "string" - }, - { - "name": "detection_suppression_status", - "type": "string" - }, - { - "name": "device_id", - "type": "string" - }, - { - "name": "device_policies", - "type": "dynamic" - }, - { - "name": "email", - "type": "string" - }, - { - "name": "external_ip", - "type": "string" - }, - { - "name": "filesystem_containment_status", - "type": "string" - }, - { - "name": "first_login_timestamp", - "type": "string" - }, - { - "name": "first_seen", - "type": "string" - }, - { - "name": "group_hash", - "type": "string" - }, - { - "name": "groups", - "type": "dynamic" - }, - { - "name": "host_hidden_status", - "type": "string" - }, - { - "name": "host_utc_offset", - "type": "string" - }, - { - "name": "hostname", - "type": 
"string" - }, - { - "name": "instance_id", - "type": "string" - }, - { - "name": "internet_exposure", - "type": "string" - }, - { - "name": "k8s_cluster_git_version", - "type": "string" - }, - { - "name": "k8s_cluster_id", - "type": "string" - }, - { - "name": "k8s_cluster_version", - "type": "string" - }, - { - "name": "kernel_version", - "type": "string" - }, - { - "name": "last_login_timestamp", - "type": "string" - }, - { - "name": "last_login_uid", - "type": "string" - }, - { - "name": "last_login_user", - "type": "string" - }, - { - "name": "last_login_user_sid", - "type": "string" - }, - { - "name": "last_reboot", - "type": "string" - }, - { - "name": "last_seen", - "type": "string" - }, - { - "name": "linux_sensor_mode", - "type": "string" - }, - { - "name": "local_ip", - "type": "string" - }, - { - "name": "mac_address", - "type": "string" - }, - { - "name": "machine_domain", - "type": "string" - }, - { - "name": "major_version", - "type": "string" - }, - { - "name": "managed_apps", - "type": "dynamic" - }, - { - "name": "meta", - "type": "dynamic" - }, - { - "name": "migration_completed_time", - "type": "string" - }, - { - "name": "minor_version", - "type": "string" - }, - { - "name": "modified_timestamp", - "type": "string" - }, - { - "name": "notes", - "type": "dynamic" - }, - { - "name": "os_build", - "type": "string" - }, - { - "name": "os_product_name", - "type": "string" - }, - { - "name": "os_version", - "type": "string" - }, - { - "name": "ou", - "type": "dynamic" - }, - { - "name": "platform_id", - "type": "string" - }, - { - "name": "platform_name", - "type": "string" - }, - { - "name": "pod_annotations", - "type": "dynamic" - }, - { - "name": "pod_host_ip4", - "type": "string" - }, - { - "name": "pod_host_ip6", - "type": "string" - }, - { - "name": "pod_hostname", - "type": "string" - }, - { - "name": "pod_id", - "type": "string" - }, - { - "name": "pod_ip4", - "type": "string" - }, - { - "name": "pod_ip6", - "type": "string" - }, - { - "name": 
"pod_labels", - "type": "dynamic" - }, - { - "name": "pod_name", - "type": "string" - }, - { - "name": "pod_namespace", - "type": "string" - }, - { - "name": "pod_service_account_name", - "type": "string" - }, - { - "name": "pointer_size", - "type": "string" - }, - { - "name": "policies", - "type": "dynamic" - }, - { - "name": "product_type", - "type": "string" - }, - { - "name": "product_type_desc", - "type": "string" - }, - { - "name": "provision_status", - "type": "string" - }, - { - "name": "reduced_functionality_mode", - "type": "string" - }, - { - "name": "release_group", - "type": "string" - }, - { - "name": "rtr_state", - "type": "string" - }, - { - "name": "serial_number", - "type": "string" - }, - { - "name": "service_pack_major", - "type": "string" - }, - { - "name": "service_pack_minor", - "type": "string" - }, - { - "name": "service_provider", - "type": "string" - }, - { - "name": "service_provider_account_id", - "type": "string" - }, - { - "name": "site_name", - "type": "string" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "system_manufacturer", - "type": "string" - }, - { - "name": "system_product_name", - "type": "string" - }, - { - "name": "tags", - "type": "dynamic" - } - ] - } - }, "destinations": { "logAnalytics": [ { 
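Review bot: `location` on the new side is the `{{location}}` placeholder, whereas the Definition and PollingConfig files changed in the same commit (hunks 3 and 4) keep `[parameters('workspace-location')]`; this is fine if the CCP packager substitutes `{{location}}` the same way it already does `{{dataCollectionEndpointId}}` two lines below, but it is worth confirming, since a DCR deployed with an unsubstituted placeholder fails at deployment time. Removing `streamDeclarations` entirely means the DCR no longer carries any column schema of its own, so a later change in the CrowdStrike API shape can only be absorbed by the platform-side stream definition, which may deserve a sentence in the connector's README.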
@@ -820,53 +17,43 @@ "dataFlows": [ { "streams": [ - "Custom-Crowdstrike-VULNERABILITIES" + "Microsoft-SentinelCrowdStrikeVulnerabilities" ], "destinations": [ "clv2ws1" - ], - "transformKql": "source | project TimeGenerated = now(), Id = tostring(id), Cid = tostring(cid), Aid = tostring(aid), VulnerabilityId = tostring(vulnerability_id), DataProviders = todynamic(data_providers), CreatedTimestamp = todatetime(created_timestamp), UpdatedTimestamp = todatetime(updated_timestamp), Status = tostring(status), Apps = todynamic(apps), SuppressionInfo = todynamic(suppression_info), Confidence = tostring(confidence), App = todynamic(app), Cve = todynamic(cve), HostInfo = todynamic(host_info), Remediation = todynamic(remediation)", - "outputStream": "Microsoft-CrowdStrikeVulnerabilities" + ] }, { "streams": [ - "Custom-Crowdstrike-ALERTS" + "Microsoft-SentinelCrowdStrikeAlerts" ], "destinations": [ "clv2ws1" - ], - "transformKql": "source | project TimeGenerated = now(), AgentId = tostring(agent_id), AggregateId = tostring(aggregate_id), AssignedToName = tostring(assigned_to_name), AssignedToUid = tostring(assigned_to_uid), AssignedToUuid = tostring(assigned_to_uuid), Cid = tostring(cid), CompositeId = tostring(composite_id), Confidence = toint(confidence), CrawledTimestamp = todatetime(crawled_timestamp), CreatedTimestamp = todatetime(created_timestamp), DataDomains = todynamic(data_domains), Description = tostring(description), DisplayName = tostring(display_name), EmailSent = tobool(email_sent), External = tobool(external), Id = tostring(id), Name = tostring(name), Objective = tostring(objective), PatternId = toint(pattern_id), Platform = tostring(platform), Product = tostring(product), Scenario = tostring(scenario), SecondsToResolved = toint(seconds_to_resolved), SecondsToTriaged = toint(seconds_to_triaged), Severity = toint(severity), SeverityName = tostring(severity_name), ShowInUi = tobool(show_in_ui), SourceProducts = todynamic(source_products), SourceVendors = 
todynamic(source_vendors), Status = tostring(status), Tactic = tostring(tactic), TacticId = tostring(tactic_id), Tags = todynamic(tags), Technique = tostring(technique), TechniqueId = tostring(technique_id), Timestamp = todatetime(timestamp), AlertType = tostring(type), UpdatedTimestamp = todatetime(updated_timestamp)", - "outputStream": "Microsoft-CrowdStrikeAlerts" + ] }, { "streams": [ - "Custom-Crowdstrike-INCIDENTS" + "Microsoft-SentinelCrowdStrikeIncidents" ], "destinations": [ "clv2ws1" - ], - "transformKql": "source | project TimeGenerated = now(), AssignedTo = tostring(assigned_to), AssignedToName = tostring(assigned_to_name), Cid = tostring(cid), Created = todatetime(created), Description = tostring(description), EmailState = tostring(email_state), End = todatetime(end), EventsHistogram = todynamic(events_histogram), FineScore = toint(fine_score), GroupingIds = todynamic(grouping_ids), HostIds = todynamic(host_ids), Hosts = todynamic(hosts), IncidentId = tostring(incident_id), IncidentType = toint(incident_type), LmHostIds = todynamic(lm_host_ids), LmHostsCapped = tobool(lm_hosts_capped), LmTypes = toint(lm_types), LmraHostIds = todynamic(lmra_host_ids), LmraHostsCapped = tobool(lmra_hosts_capped), ModifiedTimestamp = todatetime(modified_timestamp), Name = tostring(name), Objectives = todynamic(objectives), Start = todatetime(start), State = tostring(state), Status = toint(status), Tactics = todynamic(tactics), Tags = todynamic(tags), Techniques = todynamic(techniques), Users = todynamic(users)", - "outputStream": "Microsoft-CrowdStrikeIncidents" + ] }, { "streams": [ - "Custom-Crowdstrike-DETECTIONS" + "Microsoft-SentinelCrowdStrikeDetections" ], "destinations": [ "clv2ws1" - ], - "transformKql": "source | project TimeGenerated = now(), AdversaryIds = todynamic(adversary_ids), AssignedToName = tostring(assigned_to_name), AssignedToUid = tostring(assigned_to_uid), Behaviors = todynamic(behaviors), BehaviorsProcessed = todynamic(behaviors_processed), Cid = 
tostring(cid), CreatedTimestamp = todatetime(created_timestamp), DateUpdated = tostring(date_updated), DetectionId = tostring(detection_id), Device = todynamic(device), EmailSent = tobool(email_sent), FirstBehaviorTime = todatetime(first_behavior), HostInfo = todynamic(host_info), LastBehavior = todatetime(last_behavior), MaxConfidence = toint(max_confidence), MaxSeverity = toint(max_severity), MaxSeverityDisplayName = tostring(max_severity_displayname), OverwatchNotes = tostring(overwatch_notes), QuarantinedFiles = todynamic(quarantined_files), SecondsToResolved = toint(seconds_to_resolved), SecondsToTriaged = toint(seconds_to_triaged), ShowInUi = tobool(show_in_ui), Status = tostring(status)", - "outputStream": "Microsoft-CrowdStrikeDetections" + ] }, { "streams": [ - "Custom-Crowdstrike-HOSTS" + "Microsoft-SentinelCrowdStrikeHosts" ], "destinations": [ "clv2ws1" - ], - "transformKql": "source | project TimeGenerated = now(), AgentLoadFlags = tostring(agent_load_flags), AgentLocalTime = tostring(agent_local_time), AgentVersion = tostring(agent_version), BaseImageVersion = tostring(base_image_version), BiosManufacturer = tostring(bios_manufacturer), BiosVersion = tostring(bios_version), BuildNumber = tostring(build_number), ChassisType = tostring(chassis_type), ChassisTypeDesc = tostring(chassis_type_desc), Cid = tostring(cid), ConfigIdBase = tostring(config_id_base), ConfigIdBuild = tostring(config_id_build), ConfigIdPlatform = tostring(config_id_platform), ConnectionIp = tostring(connection_ip), ConnectionMacAddress = tostring(connection_mac_address), CpuSignature = tostring(cpu_signature), CpuVendor = tostring(cpu_vendor), DefaultGatewayIp = tostring(default_gateway_ip), DeploymentType = tostring(deployment_type), DetectionSuppressionStatus = tostring(detection_suppression_status), DeviceId = tostring(device_id), DevicePolicies = todynamic(device_policies), Email = tostring(email), ExternalIp = tostring(external_ip), FilesystemContainmentStatus = 
tostring(filesystem_containment_status), FirstLoginTimestamp = tostring(first_login_timestamp), FirstSeen = tostring(first_seen), GroupHash = tostring(group_hash), Groups = todynamic(groups), HostHiddenStatus = tostring(host_hidden_status), HostUtcOffset = tostring(host_utc_offset), Hostname = tostring(hostname), InstanceId = tostring(instance_id), InternetExposure = tostring(internet_exposure), K8sClusterGitVersion = tostring(k8s_cluster_git_version), K8sClusterId = tostring(k8s_cluster_id), K8sClusterVersion = tostring(k8s_cluster_version), KernelVersion = tostring(kernel_version), LastLoginTimestamp = tostring(last_login_timestamp), LastLoginUid = tostring(last_login_uid), LastLoginUser = tostring(last_login_user), LastLoginUserSid = tostring(last_login_user_sid), LastReboot = tostring(last_reboot), LastSeen = tostring(last_seen), LinuxSensorMode = tostring(linux_sensor_mode), LocalIp = tostring(local_ip), MacAddress = tostring(mac_address), MachineDomain = tostring(machine_domain), MajorVersion = tostring(major_version), ManagedApps = todynamic(managed_apps), Meta = todynamic(meta), MigrationCompletedTime = tostring(migration_completed_time), MinorVersion = tostring(minor_version), ModifiedTimestamp = tostring(modified_timestamp), Notes = todynamic(notes), OsBuild = tostring(os_build), OsProductName = tostring(os_product_name), OsVersion = tostring(os_version), Ou = todynamic(ou), PlatformId = tostring(platform_id), PlatformName = tostring(platform_name), PodAnnotations = todynamic(pod_annotations), PodHostIp4 = tostring(pod_host_ip4), PodHostIp6 = tostring(pod_host_ip6), PodHostname = tostring(pod_hostname), PodId = tostring(pod_id), PodIp4 = tostring(pod_ip4), PodIp6 = tostring(pod_ip6), PodLabels = todynamic(pod_labels), PodName = tostring(pod_name), PodNamespace = tostring(pod_namespace), PodServiceAccountName = tostring(pod_service_account_name), PointerSize = tostring(pointer_size), Policies = todynamic(policies), ProductType = tostring(product_type), 
ProductTypeDesc = tostring(product_type_desc), ProvisionStatus = tostring(provision_status), ReducedFunctionalityMode = tostring(reduced_functionality_mode), ReleaseGroup = tostring(release_group), RtrState = tostring(rtr_state), SerialNumber = tostring(serial_number), ServicePackMajor = tostring(service_pack_major), ServicePackMinor = tostring(service_pack_minor), ServiceProvider = tostring(service_provider), ServiceProviderAccountId = tostring(service_provider_account_id), SiteName = tostring(site_name), Status = tostring(status), SystemManufacturer = tostring(system_manufacturer), SystemProductName = tostring(system_product_name), Tags = todynamic(tags)", - "outputStream": "Microsoft-CrowdStrikeHosts" + ] } ] } diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json index 369aad1a6ce..dc05c234a87 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json 
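Review bot: Each dataFlow now names a built-in `Microsoft-SentinelCrowdStrike*` stream and drops its `transformKql`, so nothing in this DCR renames the snake_case API fields (`vulnerability_id`, `created_timestamp`, …) or sets `TimeGenerated` any more; that only works if the platform stream definition itself accepts the raw `$.resources` objects and supplies the timestamp, which this diff cannot show. The poller in the same commit writes to `dcrConfig.streamName` `SENTINEL_CROWDSTRIKEVULNERABILITIES`, a different spelling from the `Microsoft-SentinelCrowdStrikeVulnerabilities` stream used here, so confirm the two are mapped by the CCP framework rather than matched literally. With the field-level projection gone there is also no longer any in-DCR place to drop columns such as `connection_ip`, `email` or `last_login_user` from the Hosts flow if a tenant wants to store less; if that is intended, a line in the solution's README saying that column filtering now has to be done on the built-in table would help.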
@@ -1,172 +1,173 @@ { - "name": "CrowdStrikeAPICCPDefinition", - "apiVersion": "2023-04-01-preview", - "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", - "location": "[parameters('workspace-location')]", - "kind": "Customizable", - "properties": { - "connectorUiConfig": { - "id": "CrowdStrikeAPICCPDefinition", - "title": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)", - "publisher": "Microsoft", - "descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.", - "graphQueriesTableName": "CrowdStrikeVulnerabilities", - "graphQueries": [ - { - "metricName": "Total Vulnerability logs received", - "legend": "CrowdStrike Vulnerability Logs", - "baseQuery": "{{graphQueriesTableName}}" - }, - { - "metricName": "Total Alert logs received", - "legend": "CrowdStrike Alert Logs", - "baseQuery": "CrowdStrikeAlerts" - }, - { - "metricName": "Total Incident logs received", - "legend": "CrowdStrike Incident Logs", - "baseQuery": "CrowdStrikeIncidents" - }, - { - "metricName": "Total Detection logs received", - "legend": "CrowdStrike Detection Logs", - "baseQuery": "CrowdStrikeDetections" - }, - { - "metricName": "Total Host logs received", - "legend": "CrowdStrike Host Logs", - "baseQuery": "CrowdStrikeHosts" - } - ], - "sampleQueries": [ - { - "description": "Get sample of CrowdStrike Vulnerability logs", - "query": "{{graphQueriesTableName}}\n | take 10" - }, - { - "description": "Get sample of CrowdStrike Alert logs", - "query": "CrowdStrikeAlerts\n | take 10" - }, - { - "description": "Get sample of CrowdStrike Incident logs", - "query": "CrowdStrikeIncidents\n | 
take 10" - }, - { - "description": "Get sample of CrowdStrike Detection logs", - "query": "CrowdStrikeDetections\n | take 10" - }, - { - "description": "Get sample of CrowdStrike Host logs", - "query": "CrowdStrikeHosts\n | take 10" - } - ], - "dataTypes": [ - { - "name": "{{graphQueriesTableName}}", - "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrikeAlerts", - "lastDataReceivedQuery": "CrowdStrikeAlerts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrikeIncidents", - "lastDataReceivedQuery": "CrowdStrikeIncidents\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrikeDetections", - "lastDataReceivedQuery": "CrowdStrikeDetections\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - }, - { - "name": "CrowdStrikeHosts", - "lastDataReceivedQuery": "CrowdStrikeHosts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" - } - ], - "connectivityCriteria": [ - { - "type": "HasDataConnectors", - "value": null - } - ], - "availability": { - "status": 1, - "isPreview": false + "name": "CrowdStrikeAPICCPDefinition", + "apiVersion": "2024-09-01", + "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", + "location": "[parameters('workspace-location')]", + "kind": "Customizable", + "properties": { + "connectorUiConfig": { + "id": "CrowdStrikeAPICCPDefinition", + "title": "CrowdStrike API Data Connector (via Codeless Connector Framework)", + "publisher": "Microsoft", + "descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. 
This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.", + "graphQueriesTableName": "CrowdStrikeVulnerabilities", + "graphQueries": [ + { + "metricName": "Total Vulnerability logs received", + "legend": "CrowdStrike Vulnerability Logs", + "baseQuery": "{{graphQueriesTableName}}" + }, + { + "metricName": "Total Alert logs received", + "legend": "CrowdStrike Alert Logs", + "baseQuery": "CrowdStrikeAlerts" + }, + { + "metricName": "Total Incident logs received", + "legend": "CrowdStrike Incident Logs", + "baseQuery": "CrowdStrikeIncidents" + }, + { + "metricName": "Total Detection logs received", + "legend": "CrowdStrike Detection Logs", + "baseQuery": "CrowdStrikeDetections" + }, + { + "metricName": "Total Host logs received", + "legend": "CrowdStrike Host Logs", + "baseQuery": "CrowdStrikeHosts" + } + ], + "sampleQueries": [ + { + "description": "Get sample of CrowdStrike Vulnerability logs", + "query": "{{graphQueriesTableName}}\n | take 10" + }, + { + "description": "Get sample of CrowdStrike Alert logs", + "query": "CrowdStrikeAlerts\n | take 10" + }, + { + "description": "Get sample of CrowdStrike Incident logs", + "query": "CrowdStrikeIncidents\n | take 10" + }, + { + "description": "Get sample of CrowdStrike Detection logs", + "query": "CrowdStrikeDetections\n | take 10" + }, + { + "description": "Get sample of CrowdStrike Host logs", + "query": "CrowdStrikeHosts\n | take 10" + } + ], + "dataTypes": [ + { + "name": "{{graphQueriesTableName}}", + "lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrikeAlerts", + "lastDataReceivedQuery": "CrowdStrikeAlerts\n | where TimeGenerated > ago(12h) | summarize Time = 
max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrikeIncidents", + "lastDataReceivedQuery": "CrowdStrikeIncidents\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrikeDetections", + "lastDataReceivedQuery": "CrowdStrikeDetections\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "CrowdStrikeHosts", + "lastDataReceivedQuery": "CrowdStrikeHosts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriteria": [ + { + "type": "HasDataConnectors" + } + ], + "availability": { + "isPreview": true, + "status": 1 + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "Read and Write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ] + }, + "instructionSteps": [ + { + "title": "Configuration steps for the CrowdStrike API", + "description": "Follow the instructions below to obtain your CrowdStrike API credentials.", + "instructions": [ + { + "type": "Markdown", + "parameters": { + "content": "#### Configuration steps for the CrowdStrike API\nFollow the instructions below to obtain your CrowdStrike API credentials." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 1. Retrieve API URL\nLog in to your CrowdStrike Console and navigate to the API section to copy your Base API URL." + } + }, + { + "type": "Markdown", + "parameters": { + "content": "#### 2. Retrieve Client Credentials\nObtain your Client ID and Client Secret from the API credentials section in your CrowdStrike account." 
+ } + }, + { + "type": "Textbox", + "parameters": { + "label": "Base API URL", + "placeholder": "https://api.us-2.crowdstrike.com", + "type": "text", + "name": "apiUrl" + } + }, + { + "type": "Textbox", + "parameters": { + "label": "Client ID", + "placeholder": "Your Client ID", + "type": "text", + "name": "clientId" + } }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "Read and Write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true, - "action": false - } - } - ] + { + "type": "Textbox", + "parameters": { + "label": "Client Secret", + "placeholder": "Your Client Secret", + "type": "password", + "name": "clientSecret" + } }, - "instructionSteps": [ - { - "instructions": [ - { - "type": "Markdown", - "parameters": { - "content": "#### Configuration steps for the CrowdStrike API\nFollow the instructions below to obtain your CrowdStrike API credentials." - } - }, - { - "type": "Markdown", - "parameters": { - "content": "#### 1. Retrieve API URL\nLog in to your CrowdStrike Console and navigate to the API section to copy your Base API URL." - } - }, - { - "type": "Markdown", - "parameters": { - "content": "#### 2. Retrieve Client Credentials\nObtain your Client ID and Client Secret from the API credentials section in your CrowdStrike account." 
- } - }, - { - "parameters": { - "label": "Base API URL", - "placeholder": "https://api.us-2.crowdstrike.com", - "type": "text", - "name": "apiUrl" - }, - "type": "Textbox" - }, - { - "parameters": { - "label": "Client ID", - "placeholder": "Your Client ID", - "type": "text", - "name": "clientId" - }, - "type": "Textbox" - }, - { - "type": "Textbox", - "parameters": { - "label": "Client Secret", - "placeholder": "Your Client Secret", - "type": "password", - "name": "clientSecret" - } - }, - { - "parameters": { - "label": "toggle", - "name": "toggle" - }, - "type": "ConnectionToggleButton" - } - ] - } - ], - "isConnectivityCriteriasMatchSome": false + { + "type": "ConnectionToggleButton", + "parameters": { + "connectLabel": "Connect", + "disconnectLabel": "Disconnect", + "name": "toggle" + } + } + ] } + ], + "isConnectivityCriteriasMatchSome": false } + } } \ No newline at end of file diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json index f4108e1213b..916acd7934d 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json 
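Review bot: The new side sets `"isPreview": true` while at the same time removing "(Preview)" from `title`, the opposite of the old pairing ("(Preview)" in the title with `isPreview: false`); unless the Sentinel gallery appends the preview label from the flag, the two now disagree and one of them should change. The new `instructionSteps[0]` carries `title`/`description` that repeat, word for word, the first Markdown instruction's `content` (`#### Configuration steps for the CrowdStrike API …`), so the connector page will show the same heading twice; drop either the step-level fields or that first Markdown block. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being rewritten anyway.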
@@ -1,210 +1,165 @@ [ { - "name": "CrowdStrikeVulnerabilities", - "apiVersion": "2023-04-01-preview", "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2024-09-01", + "name": "CrowdStrikeVulnerabilitiesPoller", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeVulnerabilities", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/queries/vulnerabilities/v1')]", - "queryParameters": { - "filter": "updated_timestamp:>'{_QueryWindowStartTime}'+updated_timestamp:<='{_QueryWindowEndTime}'", - "sort": "updated_timestamp.asc" - }, + "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/combined/vulnerabilities/v1')]", + "httpMethod": "GET", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 68, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5 + "queryParameters": { + "filter": "updated_timestamp:>'{_QueryWindowStartTime}'+updated_timestamp:<='{_QueryWindowEndTime}'", + "sort": "updated_timestamp.asc" + } }, "response": { "eventsJsonPaths": [ - "" - ] - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "vuln_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | summarize by Url_PlaceHolder = 
tostring(resources)" - } - ] - }, - "stepCollectorConfigs": { - "vuln_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/entities/vulnerabilities/v2?ids=$Url_PlaceHolder$')]", - "logResponseContent": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.resources" - ] - } - } - }, - "dcrConfig": { - "streamName": "Custom-Crowdstrike-VULNERABILITIES", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" + "$.resources" + ], + "format": "json" }, "paging": { - "pagingType": "PersistentToken", - "nextPageParaName": "after", + "pagingType": "NextPageToken", "nextPageTokenJsonPath": "$.meta.pagination.after", - "pageSizeParameterName": "limit", - "pageSize": 400 + "NextPageParaName": "after", + "pageSize": 100, + "pageSizeParameterName": "limit" + }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeVulnerabilities", + "dcrConfig": { + "streamName": "SENTINEL_CROWDSTRIKEVULNERABILITIES", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } } }, { - "name": "CrowdStrikeAlerts", - "apiVersion": "2023-04-01-preview", "type": "Microsoft.SecurityInsights/dataConnectors", - "kind": "RestApiPoller", + "apiVersion": "2024-09-01", + "name": "CrowdStrikeAlertsPoller", "location": "[parameters('workspace-location')]", + "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeAlerts", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": 
"[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/queries/alerts/v2')]", + "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/combined/alerts/v1')]", + "httpMethod": "POST", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 91, + "isPostPayloadJson": true, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5, - "queryParameters": { - "filter": "created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'", - "sort": "created_timestamp.asc" - } + "queryParametersTemplate": "{\r\n \"filter\": \"created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'\",\r\n \"sort\": \"created_timestamp.asc\"\r\n }" }, "response": { "eventsJsonPaths": [ - "" - ] + "$.resources" + ], + "format": "json" }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "alerts_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project composite_ids = res['resources'] | mvexpand composite_ids | project Url_PlaceHolder = composite_ids" - } - ] - }, - "stepCollectorConfigs": { - "alerts_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Post", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/entities/alerts/v2')]", - "queryParametersTemplate": "{'composite_ids': ['$Url_PlaceHolder$']}", - "logResponseContent": true, - "isPostPayloadJson": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.resources" - ] 
- } - } + "paging": { + "pagingType": "PersistentToken", + "nextPageTokenJsonPath": "$.meta.pagination.after", + "nextPageParaName": "after", + "pageSize": 100 }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeAlerts", "dcrConfig": { - "streamName": "Custom-Crowdstrike-ALERTS", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 + "streamName": "SENTINEL_CROWDSTRIKEALERTS", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } } }, { - "name": "CrowdStrikeIncidents", - "apiVersion": "2023-04-01-preview", "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2024-09-01", + "name": "CrowdStrikeIncidentsPoller", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeIncidents", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", "apiEndpoint": "[[concat(parameters('apiUrl'),'/incidents/queries/incidents/v1')]", + "httpMethod": "GET", + "rateLimitQPS": 10, + "queryWindowInMin": 7, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 60, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - 
"queryWindowInMin": 5, "queryParameters": { "filter": "modified_timestamp:>'{_QueryWindowStartTime}'+modified_timestamp:<='{_QueryWindowEndTime}'", - "sort": "modified_timestamp.asc" + "sort": "modified_timestamp.asc", + "limit": "500" } }, "response": { "eventsJsonPaths": [ "" - ] + ], + "format": "json" + }, + "paging": { + "pagingType": "Offset", + "offsetParaName": "offset", + "pageSize": 500, + "pageSizeParameterName": "limit" }, "stepInfo": { "stepType": "Nested", 
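Review bot: The Incidents poller now emits `limit` twice — `"limit": "500"` is added as a static entry in `queryParameters` while the new `paging` block also generates it (`"pageSizeParameterName": "limit", "pageSize": 500`), so the request can carry a duplicate query key and the two values will drift if only one is edited; drop the static entry and keep the paging one. The paging key is also spelled inconsistently within this file, `NextPageParaName` in the Vulnerabilities poller versus `nextPageParaName` in the Alerts poller; ARM property matching is normally case-insensitive, but normalizing to one spelling avoids relying on that. Vulnerabilities switches to `"pagingType": "NextPageToken"` while Alerts keeps `PersistentToken` against the same `$.meta.pagination.after` path — if the two combined endpoints really page differently, a short note in the connector README would save the next maintainer a guess. Separately, since `TokenEndpoint` is `concat(parameters('apiUrl'),'/oauth2/token')`, the client secret is POSTed to whatever base URL the operator types, and the `apiUrl` textbox in the definition has no validation; consider constraining it to `https://api…crowdstrike.com` hosts (a regex validation, if the Textbox schema supports one) so a typo or a malicious value cannot redirect the credential.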
@@ -219,151 +174,124 @@ "incidents_details": { "shouldJoinNestedData": false, "request": { - "httpMethod": "Post", "apiEndpoint": "[[concat(parameters('apiUrl'),'/incidents/entities/incidents/GET/v1')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", + "httpMethod": "POST", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "retryCount": 3, + "timeoutInSeconds": 65, "logResponseContent": true, "isPostPayloadJson": true, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "scuba" - } + }, + "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}" }, "response": { "eventsJsonPaths": [ "$.resources" - ] + ], + "format": "json" } } }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeIncidents", "dcrConfig": { - "streamName": "Custom-Crowdstrike-INCIDENTS", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 + "streamName": "SENTINEL_CROWDSTRIKEINCIDENTS", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } } }, { - "name": "CrowdStrikeDetections", - "apiVersion": "2023-04-01-preview", "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2024-09-01", + "name": "CrowdStrikeDetectionsPoller", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeDetections", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + 
"TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/detects/queries/detects/v1')]", + "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/combined/alerts/v1')]", + "httpMethod": "POST", + "rateLimitQPS": 10, + "queryWindowInMin": 6, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 70, + "isPostPayloadJson": true, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5, - "queryParameters": { - "filter": "first_behavior:>'{_QueryWindowStartTime}'+first_behavior:<='{_QueryWindowEndTime}'", - "sort": "first_behavior.asc" - } + "queryParametersTemplate": "{\r\n \"filter\": \"product:'epp'+created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'+type:'ldt'\",\r\n \"sort\": \"created_timestamp.asc\"\r\n }" }, "response": { "eventsJsonPaths": [ - "" - ] + "$.resources" + ], + "format": "json" }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "detections_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources" - } - ] - }, - "stepCollectorConfigs": { - "detections_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Post", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/detects/entities/summaries/GET/v1')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", - "logResponseContent": true, - "isPostPayloadJson": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.resources" - ] - } - } + "paging": { + "pagingType": "PersistentToken", + 
"nextPageTokenJsonPath": "$.meta.pagination.after", + "nextPageParaName": "after", + "pageSize": 100 }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeDetections", "dcrConfig": { - "streamName": "Custom-Crowdstrike-DETECTIONS", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 + "streamName": "SENTINEL_CROWDSTRIKEDETECTIONS", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } } }, { - "name": "CrowdStrikeHosts", - "apiVersion": "2023-04-01-preview", "type": "Microsoft.SecurityInsights/dataConnectors", + "apiVersion": "2024-09-01", + "name": "CrowdStrikeHostsPoller", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeHosts", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/queries/devices/v1')]", + "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/combined/devices/v1')]", + "httpMethod": "GET", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 63, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": 
"yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5, "queryParameters": { "filter": "last_seen:>'{_QueryWindowStartTime}'+last_seen:<='{_QueryWindowEndTime}'", "sort": "last_seen.asc" @@ -371,50 +299,23 @@ }, "response": { "eventsJsonPaths": [ - "" - ] + "$.resources" + ], + "format": "json" }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "hosts_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources" - } - ] - }, - "stepCollectorConfigs": { - "hosts_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Post", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/entities/devices/v2')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", - "logResponseContent": true, - "isPostPayloadJson": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.resources" - ] - } - } + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.meta.pagination.next", + "NextPageParaName": "offset", + "pageSize": 100, + "pageSizeParameterName": "limit" }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeHosts", "dcrConfig": { - "streamName": "Custom-Crowdstrike-HOSTS", - "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", - "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 + "streamName": "SENTINEL_CROWDSTRIKEHOSTS", + "dataCollectionEndpoint": "{{dataCollectionEndpoint}}", + "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}" } } } 
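Review bot: The Detections poller now polls the same `/alerts/combined/alerts/v1` endpoint as the Alerts poller, filtered to `product:'epp'+type:'ldt'`, but the Alerts poller's `queryParametersTemplate` has no matching exclusion, so every EPP `ldt` alert is fetched twice and written to both `CrowdStrikeAlerts` and `CrowdStrikeDetections` (double API calls and double ingestion cost). Either exclude that subset from the Alerts poller — the complement of `product:'epp'+type:'ldt'` would be `(product:!'epp',type:!'ldt')` in FQL, please confirm the negation syntax — or document that Detections is an intentional subset of Alerts. The nested `incidents_details` step in this hunk also gains `queryWindowInMin: 5` and `rateLimitQPS`; if the CCP ignores those on nested steps they are noise, and if it honours them the 5-minute window does not match the parent poller's 7. The Hosts poller object that begins at the end of this hunk continues into the next one.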
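Review bot: The Hosts poller reads its continuation token from `$.meta.pagination.next` and sends it back as `offset`; as far as I recall, `combined/devices/v1` returns the opaque token in `meta.pagination.offset`, so if no `next` field exists the poller silently stops after the first 100 hosts of each 5-minute window. Please verify against a live response and, if so, change to `"nextPageTokenJsonPath": "$.meta.pagination.offset"`. The key is also spelled `NextPageParaName` here versus `nextPageParaName` in the Alerts and Detections pollers. The Hosts poller object itself starts in the previous hunk.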
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
index c69a4920e57..9e5e1217a20 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
@@ -6,8 +6,8 @@
 "Data Connectors": [
 "Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json",
 "Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json",
- "Data Connectors/CrowdStrikeS3FDR_ccp/DataConnectorDefinition.json"
-
+ "Data Connectors/CrowdStrikeS3FDR_ccp/DataConnectorDefinition.json",
+ "Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json"
 ],
 "Parsers": [
 "Parsers/CrowdStrikeFalconEventStream.yaml",
@@ -30,7 +30,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
- "Version": "3.1.5",
+ "Version": "3.1.6",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.1.6.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.1.6.zip
new file mode 100644
index 00000000000..8c153a8b443
Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.1.6.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
index 1ce5db3cdc6..ce63572ae93 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) olution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. 
Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities. \n\nThis solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.\n\n**Data Connectors:** 4, **Parsers:** 3, **Workbooks:** 1, **Analytic Rules:** 2, **Playbooks:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -63,6 +63,37 @@
 "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
 }
 },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection. You can get CrowdStrike Falcon Endpoint Protection custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors3-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike Falcon Data Replicator (AWS S3) (via Codeless Connector Framework). You can get CrowdStrike Falcon Data Replicator (AWS S3) (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link3",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ },
+ {
+ "name": "dataconnectors4-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for CrowdStrike API Data Connector (via Codeless Connector Framework). You can get CrowdStrike API Data Connector (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
 {
 "name": "dataconnectors-link4",
 "type": "Microsoft.Common.TextBlock",
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
index cd1c07bbd94..25a8c7e81c6 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "CrowdStrike Falcon Endpoint Protection",
- "_solutionVersion": "3.1.5",
+ "_solutionVersion": "3.1.6",
 "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "CrowdstrikeReplicatorv2",
@@ -168,7 +168,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.1.5",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -552,7 +552,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.1.5",
+ "description": "CrowdStrike Falcon Endpoint Protection data connector with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion2')]",
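Review bot: The new `dataconnectors2-text` block repeats the first connector's paragraph word for word (`This Solution installs the data connector for CrowdStrike Falcon Endpoint Protection…`), so the install wizard shows the same text twice and never names the second connector; judging by the connector list in Solution_CrowdStrike.json that entry should describe the Falcon Adversary Intelligence connector. The blocks for connectors 3 and 4 also read `…for CrowdStrike API Data Connector (via Codeless Connector Framework). You can get CrowdStrike API Data Connector (via Codeless Connector Framework) data…`, which is the connector title pasted into a sentence template. If this file is produced by the packaging tool, the fix belongs in the titles the tool reads rather than in this generated output.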
@@ -8567,7 +8567,7 @@
 ],
 "properties": {
 "contentId": "[variables('_dataConnectorContentIdConnectorDefinition4')]",
- "displayName": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
+ "displayName": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
 "contentKind": "DataConnector",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -8584,7 +8584,7 @@
 "properties": {
 "connectorUiConfig": {
 "id": "CrowdStrikeAPICCPDefinition",
- "title": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
+ "title": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
 "publisher": "Microsoft",
 "descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.",
 "graphQueriesTableName": "CrowdStrikeVulnerabilities",
@@ -8661,13 +8661,12 @@
 ],
 "connectivityCriteria": [
 {
- "type": "HasDataConnectors",
- "value": null
+ "type": "HasDataConnectors"
 }
 ],
 "availability": {
- "status": 1,
- "isPreview": false
+ "isPreview": true,
+ "status": 1
 },
 "permissions": {
 "resourceProvider": [
@@ -8677,16 +8676,17 @@
 "providerDisplayName": "Workspace",
 "scope": "Workspace",
 "requiredPermissions": {
- "read": true,
 "write": true,
- "delete": true,
- "action": false
+ "read": true,
+ "delete": true
 }
 }
 ]
 },
 "instructionSteps": [
 {
+ "title": "Configuration steps for the CrowdStrike API",
+ "description": "Follow the instructions below to obtain your CrowdStrike API credentials.",
 "instructions": [
 {
 "type": "Markdown",
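Review bot: `availability.isPreview` flips from `false` to `true` in the `@@ -8661` hunk while the two hunks above remove `(Preview)` from `displayName` and `title`, so the package now calls the connector GA in its name and Preview in its availability flag. If the connector is GA the definition should carry `"isPreview": false` (this mainTemplate is regenerated from CrowdStrikeAPI_Definition.json, so change it there and rebuild); if it is still preview, keep the suffix on the title. The `@@ -8677` hunk also drops `"action": false` from `requiredPermissions`, which is only harmless if the schema defaults that field to false — worth a quick check.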
@@ -8707,22 +8707,22 @@
 }
 },
 {
+ "type": "Textbox",
 "parameters": {
 "label": "Base API URL",
 "placeholder": "https://api.us-2.crowdstrike.com",
 "type": "text",
 "name": "apiUrl"
- },
- "type": "Textbox"
+ }
 },
 {
+ "type": "Textbox",
 "parameters": {
 "label": "Client ID",
 "placeholder": "Your Client ID",
 "type": "text",
 "name": "clientId"
- },
- "type": "Textbox"
+ }
 },
 {
 "type": "Textbox",
@@ -8734,11 +8734,12 @@
 }
 },
 {
+ "type": "ConnectionToggleButton",
 "parameters": {
- "label": "toggle",
+ "connectLabel": "Connect",
+ "disconnectLabel": "Disconnect",
 "name": "toggle"
- },
- "type": "ConnectionToggleButton"
+ }
 }
 ]
 }
@@ -8758,840 +8759,38 @@ "version": "[variables('dataConnectorCCPVersion')]", "source": { "sourceId": "[variables('_solutionId')]", - "name": "[variables('_solutionName')]", - "kind": "Solution" - }, - "author": { - "name": "Microsoft", - "email": "[variables('_email')]" - }, - "support": { - "name": "Microsoft Corporation", - "email": "support@microsoft.com", - "tier": "Microsoft", - "link": "https://support.microsoft.com" - }, - "dependencies": { - "criteria": [ - { - "version": "[variables('dataConnectorCCPVersion')]", - "contentId": "[variables('_dataConnectorContentIdConnections4')]", - "kind": "ResourcesDataConnector" - } - ] - } - } - }, - { - "name": "CrowdStrikeDCR", - "apiVersion": "2022-06-01", - "type": "Microsoft.Insights/dataCollectionRules", - "location": "[parameters('workspace-location')]", - "kind": "[variables('blanks')]", - "properties": { - "dataCollectionEndpointId": "[variables('dataCollectionEndpointId4')]", - "streamDeclarations": { - "Custom-Crowdstrike-VULNERABILITIES": { - "columns": [ - { - "name": "id", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "aid", - "type": "string" - }, - { - "name": "vulnerability_id", - "type": "string" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "updated_timestamp", - "type": "datetime" - }, - { - "name": "data_providers", - "type": "dynamic" - }, - { - "name": "apps", - "type": "dynamic" - }, - { - "name": "suppression_info", - "type": "dynamic" - }, - { - "name": "confidence", - "type": "string" - }, - { - "name": "app", - "type": "dynamic" - }, - { - "name": "cve", - "type": "dynamic" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "remediation", - "type": "dynamic" - } - ] - }, - "Custom-Crowdstrike-ALERTS": { - "columns": [ - { - "name": "id", - "type": "string" - }, - { - "name": "agent_id", - "type": "string" - }, - { - "name": "aggregate_id", - "type": 
"string" - }, - { - "name": "assigned_to_name", - "type": "string" - }, - { - "name": "assigned_to_uid", - "type": "string" - }, - { - "name": "assigned_to_uuid", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "composite_id", - "type": "string" - }, - { - "name": "confidence", - "type": "int" - }, - { - "name": "crawled_timestamp", - "type": "datetime" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "data_domains", - "type": "dynamic" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "display_name", - "type": "string" - }, - { - "name": "email_sent", - "type": "boolean" - }, - { - "name": "external", - "type": "boolean" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "objective", - "type": "string" - }, - { - "name": "pattern_id", - "type": "int" - }, - { - "name": "platform", - "type": "string" - }, - { - "name": "product", - "type": "string" - }, - { - "name": "scenario", - "type": "string" - }, - { - "name": "seconds_to_resolved", - "type": "int" - }, - { - "name": "seconds_to_triaged", - "type": "int" - }, - { - "name": "severity", - "type": "int" - }, - { - "name": "severity_name", - "type": "string" - }, - { - "name": "show_in_ui", - "type": "boolean" - }, - { - "name": "source_products", - "type": "dynamic" - }, - { - "name": "source_vendors", - "type": "dynamic" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "tactic", - "type": "string" - }, - { - "name": "tactic_id", - "type": "string" - }, - { - "name": "tags", - "type": "dynamic" - }, - { - "name": "technique", - "type": "string" - }, - { - "name": "technique_id", - "type": "string" - }, - { - "name": "timestamp", - "type": "datetime" - }, - { - "name": "type", - "type": "string" - }, - { - "name": "updated_timestamp", - "type": "datetime" - } - ] - }, - "Custom-Crowdstrike-INCIDENTS": { - "columns": [ - { - "name": "assigned_to", - "type": "string" - }, - { - "name": 
"assigned_to_name", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "created", - "type": "datetime" - }, - { - "name": "description", - "type": "string" - }, - { - "name": "email_state", - "type": "string" - }, - { - "name": "end", - "type": "datetime" - }, - { - "name": "events_histogram", - "type": "dynamic" - }, - { - "name": "fine_score", - "type": "int" - }, - { - "name": "grouping_ids", - "type": "dynamic" - }, - { - "name": "host_ids", - "type": "dynamic" - }, - { - "name": "hosts", - "type": "dynamic" - }, - { - "name": "incident_id", - "type": "string" - }, - { - "name": "incident_type", - "type": "int" - }, - { - "name": "lm_host_ids", - "type": "dynamic" - }, - { - "name": "lm_hosts_capped", - "type": "boolean" - }, - { - "name": "lm_types", - "type": "int" - }, - { - "name": "lmra_host_ids", - "type": "dynamic" - }, - { - "name": "lmra_hosts_capped", - "type": "boolean" - }, - { - "name": "modified_timestamp", - "type": "datetime" - }, - { - "name": "name", - "type": "string" - }, - { - "name": "objectives", - "type": "dynamic" - }, - { - "name": "start", - "type": "datetime" - }, - { - "name": "state", - "type": "string" - }, - { - "name": "status", - "type": "int" - }, - { - "name": "tactics", - "type": "dynamic" - }, - { - "name": "tags", - "type": "dynamic" - }, - { - "name": "techniques", - "type": "dynamic" - }, - { - "name": "users", - "type": "dynamic" - } - ] - }, - "Custom-Crowdstrike-DETECTIONS": { - "columns": [ - { - "name": "adversary_ids", - "type": "dynamic" - }, - { - "name": "assigned_to_name", - "type": "string" - }, - { - "name": "assigned_to_uid", - "type": "string" - }, - { - "name": "behaviors", - "type": "dynamic" - }, - { - "name": "behaviors_processed", - "type": "dynamic" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "created_timestamp", - "type": "datetime" - }, - { - "name": "date_updated", - "type": "string" - }, - { - "name": "detection_id", - "type": "string" - }, - { - 
"name": "device", - "type": "dynamic" - }, - { - "name": "email_sent", - "type": "boolean" - }, - { - "name": "first_behavior", - "type": "datetime" - }, - { - "name": "host_info", - "type": "dynamic" - }, - { - "name": "last_behavior", - "type": "datetime" - }, - { - "name": "max_confidence", - "type": "int" - }, - { - "name": "max_severity", - "type": "int" - }, - { - "name": "max_severity_displayname", - "type": "string" - }, - { - "name": "overwatch_notes", - "type": "string" - }, - { - "name": "quarantined_files", - "type": "dynamic" - }, - { - "name": "seconds_to_resolved", - "type": "int" - }, - { - "name": "seconds_to_triaged", - "type": "int" - }, - { - "name": "show_in_ui", - "type": "boolean" - }, - { - "name": "status", - "type": "string" - } - ] - }, - "Custom-Crowdstrike-HOSTS": { - "columns": [ - { - "name": "agent_load_flags", - "type": "string" - }, - { - "name": "agent_local_time", - "type": "string" - }, - { - "name": "agent_version", - "type": "string" - }, - { - "name": "base_image_version", - "type": "string" - }, - { - "name": "bios_manufacturer", - "type": "string" - }, - { - "name": "bios_version", - "type": "string" - }, - { - "name": "build_number", - "type": "string" - }, - { - "name": "chassis_type", - "type": "string" - }, - { - "name": "chassis_type_desc", - "type": "string" - }, - { - "name": "cid", - "type": "string" - }, - { - "name": "config_id_base", - "type": "string" - }, - { - "name": "config_id_build", - "type": "string" - }, - { - "name": "config_id_platform", - "type": "string" - }, - { - "name": "connection_ip", - "type": "string" - }, - { - "name": "connection_mac_address", - "type": "string" - }, - { - "name": "cpu_signature", - "type": "string" - }, - { - "name": "cpu_vendor", - "type": "string" - }, - { - "name": "default_gateway_ip", - "type": "string" - }, - { - "name": "deployment_type", - "type": "string" - }, - { - "name": "detection_suppression_status", - "type": "string" - }, - { - "name": "device_id", - "type": 
"string" - }, - { - "name": "device_policies", - "type": "dynamic" - }, - { - "name": "email", - "type": "string" - }, - { - "name": "external_ip", - "type": "string" - }, - { - "name": "filesystem_containment_status", - "type": "string" - }, - { - "name": "first_login_timestamp", - "type": "string" - }, - { - "name": "first_seen", - "type": "string" - }, - { - "name": "group_hash", - "type": "string" - }, - { - "name": "groups", - "type": "dynamic" - }, - { - "name": "host_hidden_status", - "type": "string" - }, - { - "name": "host_utc_offset", - "type": "string" - }, - { - "name": "hostname", - "type": "string" - }, - { - "name": "instance_id", - "type": "string" - }, - { - "name": "internet_exposure", - "type": "string" - }, - { - "name": "k8s_cluster_git_version", - "type": "string" - }, - { - "name": "k8s_cluster_id", - "type": "string" - }, - { - "name": "k8s_cluster_version", - "type": "string" - }, - { - "name": "kernel_version", - "type": "string" - }, - { - "name": "last_login_timestamp", - "type": "string" - }, - { - "name": "last_login_uid", - "type": "string" - }, - { - "name": "last_login_user", - "type": "string" - }, - { - "name": "last_login_user_sid", - "type": "string" - }, - { - "name": "last_reboot", - "type": "string" - }, - { - "name": "last_seen", - "type": "string" - }, - { - "name": "linux_sensor_mode", - "type": "string" - }, - { - "name": "local_ip", - "type": "string" - }, - { - "name": "mac_address", - "type": "string" - }, - { - "name": "machine_domain", - "type": "string" - }, - { - "name": "major_version", - "type": "string" - }, - { - "name": "managed_apps", - "type": "dynamic" - }, - { - "name": "meta", - "type": "dynamic" - }, - { - "name": "migration_completed_time", - "type": "string" - }, - { - "name": "minor_version", - "type": "string" - }, - { - "name": "modified_timestamp", - "type": "string" - }, - { - "name": "notes", - "type": "dynamic" - }, - { - "name": "os_build", - "type": "string" - }, - { - "name": 
"os_product_name", - "type": "string" - }, - { - "name": "os_version", - "type": "string" - }, - { - "name": "ou", - "type": "dynamic" - }, - { - "name": "platform_id", - "type": "string" - }, - { - "name": "platform_name", - "type": "string" - }, - { - "name": "pod_annotations", - "type": "dynamic" - }, - { - "name": "pod_host_ip4", - "type": "string" - }, - { - "name": "pod_host_ip6", - "type": "string" - }, - { - "name": "pod_hostname", - "type": "string" - }, - { - "name": "pod_id", - "type": "string" - }, - { - "name": "pod_ip4", - "type": "string" - }, - { - "name": "pod_ip6", - "type": "string" - }, - { - "name": "pod_labels", - "type": "dynamic" - }, - { - "name": "pod_name", - "type": "string" - }, - { - "name": "pod_namespace", - "type": "string" - }, - { - "name": "pod_service_account_name", - "type": "string" - }, - { - "name": "pointer_size", - "type": "string" - }, - { - "name": "policies", - "type": "dynamic" - }, - { - "name": "product_type", - "type": "string" - }, - { - "name": "product_type_desc", - "type": "string" - }, - { - "name": "provision_status", - "type": "string" - }, - { - "name": "reduced_functionality_mode", - "type": "string" - }, - { - "name": "release_group", - "type": "string" - }, - { - "name": "rtr_state", - "type": "string" - }, - { - "name": "serial_number", - "type": "string" - }, - { - "name": "service_pack_major", - "type": "string" - }, - { - "name": "service_pack_minor", - "type": "string" - }, - { - "name": "service_provider", - "type": "string" - }, - { - "name": "service_provider_account_id", - "type": "string" - }, - { - "name": "site_name", - "type": "string" - }, - { - "name": "status", - "type": "string" - }, - { - "name": "system_manufacturer", - "type": "string" - }, - { - "name": "system_product_name", - "type": "string" - }, - { - "name": "tags", - "type": "dynamic" - } - ] - } + "name": "[variables('_solutionName')]", + "kind": "Solution" + }, + "author": { + "name": "Microsoft", + "email": 
"[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
},
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections4')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "CrowdStrikeDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
+ "properties": {
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId4')]",
"destinations": {
"logAnalytics": [
{
@@ -9603,53 +8802,43 @@
"dataFlows": [
{
"streams": [
- "Custom-Crowdstrike-VULNERABILITIES"
+ "Microsoft-SentinelCrowdStrikeVulnerabilities"
],
"destinations": [
"clv2ws1"
- ],
- "transformKql": "source | project TimeGenerated = now(), Id = tostring(id), Cid = tostring(cid), Aid = tostring(aid), VulnerabilityId = tostring(vulnerability_id), DataProviders = todynamic(data_providers), CreatedTimestamp = todatetime(created_timestamp), UpdatedTimestamp = todatetime(updated_timestamp), Status = tostring(status), Apps = todynamic(apps), SuppressionInfo = todynamic(suppression_info), Confidence = tostring(confidence), App = todynamic(app), Cve = todynamic(cve), HostInfo = todynamic(host_info), Remediation = todynamic(remediation)",
- "outputStream": "Microsoft-CrowdStrikeVulnerabilities"
+ ]
},
{
"streams": [
- "Custom-Crowdstrike-ALERTS"
+ "Microsoft-SentinelCrowdStrikeAlerts"
],
"destinations": [
"clv2ws1"
- ],
- "transformKql": "source | project TimeGenerated = now(), AgentId = tostring(agent_id), AggregateId = tostring(aggregate_id), AssignedToName = tostring(assigned_to_name), AssignedToUid = tostring(assigned_to_uid), AssignedToUuid = tostring(assigned_to_uuid), Cid = tostring(cid), CompositeId = tostring(composite_id), Confidence = toint(confidence), CrawledTimestamp = todatetime(crawled_timestamp), CreatedTimestamp = todatetime(created_timestamp), DataDomains = todynamic(data_domains), Description = tostring(description), DisplayName = tostring(display_name), EmailSent = tobool(email_sent), External = tobool(external), Id = tostring(id), Name = tostring(name), Objective = tostring(objective), PatternId = toint(pattern_id), Platform = tostring(platform), Product = tostring(product), Scenario = tostring(scenario), SecondsToResolved = toint(seconds_to_resolved), SecondsToTriaged = toint(seconds_to_triaged), Severity = toint(severity), SeverityName = tostring(severity_name), ShowInUi = tobool(show_in_ui), SourceProducts = todynamic(source_products), SourceVendors = 
todynamic(source_vendors), Status = tostring(status), Tactic = tostring(tactic), TacticId = tostring(tactic_id), Tags = todynamic(tags), Technique = tostring(technique), TechniqueId = tostring(technique_id), Timestamp = todatetime(timestamp), AlertType = tostring(type), UpdatedTimestamp = todatetime(updated_timestamp)",
- "outputStream": "Microsoft-CrowdStrikeAlerts"
+ ]
},
{
"streams": [
- "Custom-Crowdstrike-INCIDENTS"
+ "Microsoft-SentinelCrowdStrikeIncidents"
],
"destinations": [
"clv2ws1"
- ],
- "transformKql": "source | project TimeGenerated = now(), AssignedTo = tostring(assigned_to), AssignedToName = tostring(assigned_to_name), Cid = tostring(cid), Created = todatetime(created), Description = tostring(description), EmailState = tostring(email_state), End = todatetime(end), EventsHistogram = todynamic(events_histogram), FineScore = toint(fine_score), GroupingIds = todynamic(grouping_ids), HostIds = todynamic(host_ids), Hosts = todynamic(hosts), IncidentId = tostring(incident_id), IncidentType = toint(incident_type), LmHostIds = todynamic(lm_host_ids), LmHostsCapped = tobool(lm_hosts_capped), LmTypes = toint(lm_types), LmraHostIds = todynamic(lmra_host_ids), LmraHostsCapped = tobool(lmra_hosts_capped), ModifiedTimestamp = todatetime(modified_timestamp), Name = tostring(name), Objectives = todynamic(objectives), Start = todatetime(start), State = tostring(state), Status = toint(status), Tactics = todynamic(tactics), Tags = todynamic(tags), Techniques = todynamic(techniques), Users = todynamic(users)",
- "outputStream": "Microsoft-CrowdStrikeIncidents"
+ ]
},
{
"streams": [
- "Custom-Crowdstrike-DETECTIONS"
+ "Microsoft-SentinelCrowdStrikeDetections"
],
"destinations": [
"clv2ws1"
- ],
- "transformKql": "source | project TimeGenerated = now(), AdversaryIds = todynamic(adversary_ids), AssignedToName = tostring(assigned_to_name), AssignedToUid = tostring(assigned_to_uid), Behaviors = todynamic(behaviors), BehaviorsProcessed = todynamic(behaviors_processed), Cid = 
tostring(cid), CreatedTimestamp = todatetime(created_timestamp), DateUpdated = tostring(date_updated), DetectionId = tostring(detection_id), Device = todynamic(device), EmailSent = tobool(email_sent), FirstBehaviorTime = todatetime(first_behavior), HostInfo = todynamic(host_info), LastBehavior = todatetime(last_behavior), MaxConfidence = toint(max_confidence), MaxSeverity = toint(max_severity), MaxSeverityDisplayName = tostring(max_severity_displayname), OverwatchNotes = tostring(overwatch_notes), QuarantinedFiles = todynamic(quarantined_files), SecondsToResolved = toint(seconds_to_resolved), SecondsToTriaged = toint(seconds_to_triaged), ShowInUi = tobool(show_in_ui), Status = tostring(status)",
- "outputStream": "Microsoft-CrowdStrikeDetections"
+ ]
},
{
"streams": [
- "Custom-Crowdstrike-HOSTS"
+ "Microsoft-SentinelCrowdStrikeHosts"
],
"destinations": [
"clv2ws1"
- ],
- "transformKql": "source | project TimeGenerated = now(), AgentLoadFlags = tostring(agent_load_flags), AgentLocalTime = tostring(agent_local_time), AgentVersion = tostring(agent_version), BaseImageVersion = tostring(base_image_version), BiosManufacturer = tostring(bios_manufacturer), BiosVersion = tostring(bios_version), BuildNumber = tostring(build_number), ChassisType = tostring(chassis_type), ChassisTypeDesc = tostring(chassis_type_desc), Cid = tostring(cid), ConfigIdBase = tostring(config_id_base), ConfigIdBuild = tostring(config_id_build), ConfigIdPlatform = tostring(config_id_platform), ConnectionIp = tostring(connection_ip), ConnectionMacAddress = tostring(connection_mac_address), CpuSignature = tostring(cpu_signature), CpuVendor = tostring(cpu_vendor), DefaultGatewayIp = tostring(default_gateway_ip), DeploymentType = tostring(deployment_type), DetectionSuppressionStatus = tostring(detection_suppression_status), DeviceId = tostring(device_id), DevicePolicies = todynamic(device_policies), Email = tostring(email), ExternalIp = tostring(external_ip), FilesystemContainmentStatus = 
tostring(filesystem_containment_status), FirstLoginTimestamp = tostring(first_login_timestamp), FirstSeen = tostring(first_seen), GroupHash = tostring(group_hash), Groups = todynamic(groups), HostHiddenStatus = tostring(host_hidden_status), HostUtcOffset = tostring(host_utc_offset), Hostname = tostring(hostname), InstanceId = tostring(instance_id), InternetExposure = tostring(internet_exposure), K8sClusterGitVersion = tostring(k8s_cluster_git_version), K8sClusterId = tostring(k8s_cluster_id), K8sClusterVersion = tostring(k8s_cluster_version), KernelVersion = tostring(kernel_version), LastLoginTimestamp = tostring(last_login_timestamp), LastLoginUid = tostring(last_login_uid), LastLoginUser = tostring(last_login_user), LastLoginUserSid = tostring(last_login_user_sid), LastReboot = tostring(last_reboot), LastSeen = tostring(last_seen), LinuxSensorMode = tostring(linux_sensor_mode), LocalIp = tostring(local_ip), MacAddress = tostring(mac_address), MachineDomain = tostring(machine_domain), MajorVersion = tostring(major_version), ManagedApps = todynamic(managed_apps), Meta = todynamic(meta), MigrationCompletedTime = tostring(migration_completed_time), MinorVersion = tostring(minor_version), ModifiedTimestamp = tostring(modified_timestamp), Notes = todynamic(notes), OsBuild = tostring(os_build), OsProductName = tostring(os_product_name), OsVersion = tostring(os_version), Ou = todynamic(ou), PlatformId = tostring(platform_id), PlatformName = tostring(platform_name), PodAnnotations = todynamic(pod_annotations), PodHostIp4 = tostring(pod_host_ip4), PodHostIp6 = tostring(pod_host_ip6), PodHostname = tostring(pod_hostname), PodId = tostring(pod_id), PodIp4 = tostring(pod_ip4), PodIp6 = tostring(pod_ip6), PodLabels = todynamic(pod_labels), PodName = tostring(pod_name), PodNamespace = tostring(pod_namespace), PodServiceAccountName = tostring(pod_service_account_name), PointerSize = tostring(pointer_size), Policies = todynamic(policies), ProductType = tostring(product_type), 
ProductTypeDesc = tostring(product_type_desc), ProvisionStatus = tostring(provision_status), ReducedFunctionalityMode = tostring(reduced_functionality_mode), ReleaseGroup = tostring(release_group), RtrState = tostring(rtr_state), SerialNumber = tostring(serial_number), ServicePackMajor = tostring(service_pack_major), ServicePackMinor = tostring(service_pack_minor), ServiceProvider = tostring(service_provider), ServiceProviderAccountId = tostring(service_provider_account_id), SiteName = tostring(site_name), Status = tostring(status), SystemManufacturer = tostring(system_manufacturer), SystemProductName = tostring(system_product_name), Tags = todynamic(tags)",
- "outputStream": "Microsoft-CrowdStrikeHosts"
+ ]
}
]
}
@@ -9674,7 +8863,7 @@
"properties": {
"connectorUiConfig": {
"id": "CrowdStrikeAPICCPDefinition",
- "title": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
+ "title": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
"publisher": "Microsoft",
"descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.",
"graphQueriesTableName": "CrowdStrikeVulnerabilities",
@@ -9751,13 +8940,12 @@
],
"connectivityCriteria": [
{
- "type": "HasDataConnectors",
- "value": null
+ "type": "HasDataConnectors"
}
],
"availability": {
- "status": 1,
- "isPreview": false
+ "isPreview": true,
+ "status": 1
},
"permissions": {
"resourceProvider": [
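Review bot: Dropping `transformKql` from every dataFlow in the -9603 hunk removes the renames and type coercions that mapped raw CrowdStrike fields onto the table columns (for example `AlertType = tostring(type)`, `FirstBehaviorTime = todatetime(first_behavior)` and the `TimeGenerated = now()` assignment), so the new `Microsoft-SentinelCrowdStrike*` streams must accept the API field names exactly as delivered. That is presumably handled by the platform schema for built-in streams, but a mismatch would not fail deployment; it would silently drop or null the affected columns at ingestion, which is hard to notice on a security data feed. It would help a reviewer if the PR description named the stream-to-table mapping that was verified, since JSON leaves nowhere to record it inline. The `SENTINEL_CROWDSTRIKE*` streamName values set in the -9959 hunk need to resolve to these same streams for the pollers to deliver anything.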
@@ -9767,16 +8955,17 @@
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
- "read": true,
"write": true,
- "delete": true,
- "action": false
+ "read": true,
+ "delete": true
}
}
]
},
"instructionSteps": [
{
+ "title": "Configuration steps for the CrowdStrike API",
+ "description": "Follow the instructions below to obtain your CrowdStrike API credentials.",
"instructions": [
{
"type": "Markdown",
@@ -9797,22 +8986,22 @@
}
},
{
+ "type": "Textbox",
"parameters": {
"label": "Base API URL",
"placeholder": "https://api.us-2.crowdstrike.com",
"type": "text",
"name": "apiUrl"
- },
- "type": "Textbox"
+ }
},
{
+ "type": "Textbox",
"parameters": {
"label": "Client ID",
"placeholder": "Your Client ID",
"type": "text",
"name": "clientId"
- },
- "type": "Textbox"
+ }
},
{
"type": "Textbox",
@@ -9824,11 +9013,12 @@
}
},
{
+ "type": "ConnectionToggleButton",
"parameters": {
- "label": "toggle",
+ "connectLabel": "Connect",
+ "disconnectLabel": "Disconnect",
"name": "toggle"
- },
- "type": "ConnectionToggleButton"
+ }
}
]
}
@@ -9882,7 +9072,7 @@
],
"properties": {
"contentId": "[variables('_dataConnectorContentIdConnections4')]",
- "displayName": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
+ "displayName": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
"contentKind": "ResourcesDataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
@@ -9897,7 +9087,7 @@
"type": "securestring"
},
"connectorDefinitionName": {
- "defaultValue": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
+ "defaultValue": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
"type": "securestring",
"minLength": 1
},
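Review bot: In the -9897 hunk `connectorDefinitionName` keeps `"type": "securestring"` while the line being changed gives it a plain-text `defaultValue` that is just the connector's display name; a secure parameter carrying a default is flagged by ARM template linters such as arm-ttk, and the value is not a secret, so masking it only hides it from deployment output and validation diffs. Since the default is being edited anyway, `"type": "string"` is the accurate type for this parameter; parameters that actually carry credentials, such as the one whose `"type": "securestring"` closes just above this hunk, should of course stay secure. The enclosing parameters object starts and ends outside the hunk.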
@@ -9959,211 +9149,166 @@
}
},
{
- "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeVulnerabilities', parameters('guidValue'))]",
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeVulnerabilitiesPoller', parameters('guidValue'))]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "RestApiPoller",
"properties": {
- "connectorDefinitionName": "CrowdStrikeAPICCPDefinition",
- "dataType": "CrowdStrikeVulnerabilities",
"auth": {
"type": "OAuth2",
"ClientId": "[[parameters('clientId')]",
"ClientSecret": "[[parameters('clientSecret')]",
"GrantType": "client_credentials",
"TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]",
- "tokenEndpointHeaders": {
+ "TokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
}
},
"request": {
- "httpMethod": "Get",
- "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/queries/vulnerabilities/v1')]",
- "queryParameters": {
- "filter": "updated_timestamp:>'{_QueryWindowStartTime}'+updated_timestamp:<='{_QueryWindowEndTime}'",
- "sort": "updated_timestamp.asc"
- },
+ "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/combined/vulnerabilities/v1')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 68,
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"User-Agent": "Scuba"
},
- "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
- "queryWindowInMin": 5
+ "queryParameters": {
+ "filter": "updated_timestamp:>'{_QueryWindowStartTime}'+updated_timestamp:<='{_QueryWindowEndTime}'",
+ "sort": "updated_timestamp.asc"
+ }
},
"response": {
"eventsJsonPaths": [
- ""
- ]
- },
- "stepInfo": {
- "stepType": "Nested",
- "nextSteps": [
- {
- "stepId": 
"vuln_details",
- "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | summarize by Url_PlaceHolder = tostring(resources)"
- }
- ]
+ "$.resources"
+ ],
+ "format": "json"
},
- "stepCollectorConfigs": {
- "vuln_details": {
- "shouldJoinNestedData": false,
- "request": {
- "httpMethod": "Get",
- "apiEndpoint": "[[concat(parameters('apiUrl'),'/spotlight/entities/vulnerabilities/v2?ids=$Url_PlaceHolder$')]",
- "logResponseContent": true,
- "headers": {
- "Content-Type": "application/json",
- "Accept": "application/json",
- "User-Agent": "scuba"
- }
- },
- "response": {
- "eventsJsonPaths": [
- "$.resources"
- ]
- }
- }
+ "paging": {
+ "pagingType": "NextPageToken",
+ "nextPageTokenJsonPath": "$.meta.pagination.after",
+ "NextPageParaName": "after",
+ "pageSize": 100,
+ "pageSizeParameterName": "limit"
},
+ "connectorDefinitionName": "CrowdStrikeAPICCPDefinition",
+ "dataType": "CrowdStrikeVulnerabilities",
"dcrConfig": {
- "streamName": "Custom-Crowdstrike-VULNERABILITIES",
+ "streamName": "SENTINEL_CROWDSTRIKEVULNERABILITIES",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
- },
- "paging": {
- "pagingType": "PersistentToken",
- "nextPageParaName": "after",
- "nextPageTokenJsonPath": "$.meta.pagination.after",
- "pageSizeParameterName": "limit",
- "pageSize": 400
}
}
},
{
- "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeAlerts', parameters('guidValue'))]",
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeAlertsPoller', parameters('guidValue'))]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "RestApiPoller",
"properties": {
- "connectorDefinitionName": 
"CrowdStrikeAPICCPDefinition",
- "dataType": "CrowdStrikeAlerts",
"auth": {
"type": "OAuth2",
"ClientId": "[[parameters('clientId')]",
"ClientSecret": "[[parameters('clientSecret')]",
"GrantType": "client_credentials",
"TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]",
- "tokenEndpointHeaders": {
+ "TokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
}
},
"request": {
- "httpMethod": "Get",
- "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/queries/alerts/v2')]",
+ "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/combined/alerts/v1')]",
+ "httpMethod": "POST",
+ "rateLimitQPS": 10,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 91,
+ "isPostPayloadJson": true,
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"User-Agent": "Scuba"
},
- "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
- "queryWindowInMin": 5,
- "queryParameters": {
- "filter": "created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'",
- "sort": "created_timestamp.asc"
- }
+ "queryParametersTemplate": "{\r\n \"filter\": \"created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'\",\r\n \"sort\": \"created_timestamp.asc\"\r\n }"
},
"response": {
"eventsJsonPaths": [
- ""
- ]
- },
- "stepInfo": {
- "stepType": "Nested",
- "nextSteps": [
- {
- "stepId": "alerts_details",
- "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project composite_ids = res['resources'] | mvexpand composite_ids | project Url_PlaceHolder = composite_ids"
- }
- ]
+ "$.resources"
+ ],
+ "format": "json"
},
- "stepCollectorConfigs": {
- "alerts_details": {
- "shouldJoinNestedData": false,
- "request": {
- "httpMethod": "Post",
- "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/entities/alerts/v2')]",
- "queryParametersTemplate": "{'composite_ids': ['$Url_PlaceHolder$']}",
- "logResponseContent": true,
- "isPostPayloadJson": true,
- "headers": {
- "Content-Type": "application/json",
- "Accept": "application/json",
- "User-Agent": "scuba"
- }
- },
- "response": {
- "eventsJsonPaths": [
- "$.resources"
- ]
- }
- }
+ "paging": {
+ "pagingType": "PersistentToken",
+ "nextPageTokenJsonPath": "$.meta.pagination.after",
+ "nextPageParaName": "after",
+ "pageSize": 100
},
+ "connectorDefinitionName": "CrowdStrikeAPICCPDefinition",
+ "dataType": "CrowdStrikeAlerts",
"dcrConfig": {
- "streamName": "Custom-Crowdstrike-ALERTS",
+ "streamName": "SENTINEL_CROWDSTRIKEALERTS",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
- },
- "Paging": {
- "pagingType": "Offset",
- "offsetParaName": "offset",
- "PageSizeParameterName": "limit",
- "PageSize": 400
}
}
},
{
- "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeIncidents', parameters('guidValue'))]",
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeIncidentsPoller', parameters('guidValue'))]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
"kind": "RestApiPoller",
"properties": {
- "connectorDefinitionName": "CrowdStrikeAPICCPDefinition",
- "dataType": "CrowdStrikeIncidents",
"auth": {
"type": "OAuth2",
"ClientId": "[[parameters('clientId')]",
"ClientSecret": "[[parameters('clientSecret')]",
"GrantType": "client_credentials",
"TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]",
- "tokenEndpointHeaders": {
+ "TokenEndpointHeaders": {
"Accept": "application/json",
"Content-Type": "application/x-www-form-urlencoded"
}
},
"request": {
- "httpMethod": "Get",
"apiEndpoint": "[[concat(parameters('apiUrl'),'/incidents/queries/incidents/v1')]",
+ "httpMethod": "GET",
+ 
"rateLimitQPS": 10,
+ "queryWindowInMin": 7,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 60,
"headers": {
"Content-Type": "application/json",
"Accept": "application/json",
"User-Agent": "Scuba"
},
- "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
- "queryWindowInMin": 5,
"queryParameters": {
"filter": "modified_timestamp:>'{_QueryWindowStartTime}'+modified_timestamp:<='{_QueryWindowEndTime}'",
- "sort": "modified_timestamp.asc"
+ "sort": "modified_timestamp.asc",
+ "limit": "500"
}
},
"response": {
"eventsJsonPaths": [
""
- ]
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "offset",
+ "pageSize": 500,
+ "pageSizeParameterName": "limit"
},
"stepInfo": {
"stepType": "Nested",
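Review bot: The Incidents poller now carries `limit` twice: `"limit": "500"` is added to `queryParameters` while the new `paging` block also declares `"pageSizeParameterName": "limit"` with `"pageSize": 500`, so depending on how the poller merges the two the request ends up with a duplicated or conflicting query parameter; dropping the `queryParameters` entry and leaving the trailing line as `"sort": "modified_timestamp.asc"` lets paging own it. The Alerts poller has the opposite gap, `"pageSize": 100` with no `pageSizeParameterName`, so the page size is presumably never sent and the API default applies. The paging keys are also cased inconsistently across pollers in this hunk (`NextPageParaName` for Vulnerabilities, `nextPageParaName` for Alerts), and the `Paging`/`PageSize`/`PageSizeParameterName` blocks being deleted here may indicate key casing has already been ignored once in this file, so it is worth normalising to lower camel throughout. Finally, the Alerts poller's `queryParametersTemplate` filter has no `product`/`type` restriction while the Detections poller in the following hunk queries the same `/alerts/combined/alerts/v1` endpoint for `product:'epp'+type:'ldt'`, so those alerts would land in both tables unless that overlap is intended.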
@@ -10178,151 +9323,124 @@ "incidents_details": { "shouldJoinNestedData": false, "request": { - "httpMethod": "Post", "apiEndpoint": "[[concat(parameters('apiUrl'),'/incidents/entities/incidents/GET/v1')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", + "httpMethod": "POST", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "retryCount": 3, + "timeoutInSeconds": 65, "logResponseContent": true, "isPostPayloadJson": true, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "scuba" - } + }, + "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}" }, "response": { "eventsJsonPaths": [ "$.resources" - ] + ], + "format": "json" } } }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeIncidents", "dcrConfig": { - "streamName": "Custom-Crowdstrike-INCIDENTS", + "streamName": "SENTINEL_CROWDSTRIKEINCIDENTS", "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 } } }, { - "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeDetections', parameters('guidValue'))]", + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeDetectionsPoller', parameters('guidValue'))]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeDetections", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": 
"[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/detects/queries/detects/v1')]", + "apiEndpoint": "[[concat(parameters('apiUrl'),'/alerts/combined/alerts/v1')]", + "httpMethod": "POST", + "rateLimitQPS": 10, + "queryWindowInMin": 6, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 70, + "isPostPayloadJson": true, "headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5, - "queryParameters": { - "filter": "first_behavior:>'{_QueryWindowStartTime}'+first_behavior:<='{_QueryWindowEndTime}'", - "sort": "first_behavior.asc" - } + "queryParametersTemplate": "{\r\n \"filter\": \"product:'epp'+created_timestamp:>'{_QueryWindowStartTime}'+created_timestamp:<='{_QueryWindowEndTime}'+type:'ldt'\",\r\n \"sort\": \"created_timestamp.asc\"\r\n }" }, "response": { "eventsJsonPaths": [ - "" - ] - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "detections_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources" - } - ] + "$.resources" + ], + "format": "json" }, - "stepCollectorConfigs": { - "detections_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Post", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/detects/entities/summaries/GET/v1')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", - "logResponseContent": true, - "isPostPayloadJson": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - 
"$.resources" - ] - } - } + "paging": { + "pagingType": "PersistentToken", + "nextPageTokenJsonPath": "$.meta.pagination.after", + "nextPageParaName": "after", + "pageSize": 100 }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeDetections", "dcrConfig": { - "streamName": "Custom-Crowdstrike-DETECTIONS", + "streamName": "SENTINEL_CROWDSTRIKEDETECTIONS", "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 } } }, { - "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeHosts', parameters('guidValue'))]", + "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CrowdStrikeHostsPoller', parameters('guidValue'))]", "apiVersion": "2023-02-01-preview", "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", "location": "[parameters('workspace-location')]", "kind": "RestApiPoller", "properties": { - "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", - "dataType": "CrowdStrikeHosts", "auth": { "type": "OAuth2", "ClientId": "[[parameters('clientId')]", "ClientSecret": "[[parameters('clientSecret')]", "GrantType": "client_credentials", "TokenEndpoint": "[[concat(parameters('apiUrl'),'/oauth2/token')]", - "tokenEndpointHeaders": { + "TokenEndpointHeaders": { "Accept": "application/json", "Content-Type": "application/x-www-form-urlencoded" } }, "request": { - "httpMethod": "Get", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/queries/devices/v1')]", + "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/combined/devices/v1')]", + "httpMethod": "GET", + "rateLimitQPS": 10, + "queryWindowInMin": 5, + "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", + "retryCount": 3, + "timeoutInSeconds": 63, 
"headers": { "Content-Type": "application/json", "Accept": "application/json", "User-Agent": "Scuba" }, - "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", - "queryWindowInMin": 5, "queryParameters": { "filter": "last_seen:>'{_QueryWindowStartTime}'+last_seen:<='{_QueryWindowEndTime}'", "sort": "last_seen.asc" @@ -10330,50 +9448,23 @@ }, "response": { "eventsJsonPaths": [ - "" - ] - }, - "stepInfo": { - "stepType": "Nested", - "nextSteps": [ - { - "stepId": "hosts_details", - "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources" - } - ] + "$.resources" + ], + "format": "json" }, - "stepCollectorConfigs": { - "hosts_details": { - "shouldJoinNestedData": false, - "request": { - "httpMethod": "Post", - "apiEndpoint": "[[concat(parameters('apiUrl'),'/devices/entities/devices/v2')]", - "queryParametersTemplate": "{'ids': ['$Url_PlaceHolder$']}", - "logResponseContent": true, - "isPostPayloadJson": true, - "headers": { - "Content-Type": "application/json", - "Accept": "application/json", - "User-Agent": "scuba" - } - }, - "response": { - "eventsJsonPaths": [ - "$.resources" - ] - } - } + "paging": { + "pagingType": "NextPageToken", + "nextPageTokenJsonPath": "$.meta.pagination.next", + "NextPageParaName": "offset", + "pageSize": 100, + "pageSizeParameterName": "limit" }, + "connectorDefinitionName": "CrowdStrikeAPICCPDefinition", + "dataType": "CrowdStrikeHosts", "dcrConfig": { - "streamName": "Custom-Crowdstrike-HOSTS", + "streamName": "SENTINEL_CROWDSTRIKEHOSTS", "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" - }, - "Paging": { - "pagingType": "Offset", - "offsetParaName": "offset", - "PageSizeParameterName": "limit", - "PageSize": 400 } } } 
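Review bot: The detections poller's new `paging` block sets `"pageSize": 100` without a `pageSizeParameterName`, and the POST body in `queryParametersTemplate` carries no `limit` field, so it is unclear how the intended page size ever reaches `/alerts/combined/alerts/v1`; by contrast the incidents poller earlier in this hunk sets both `"pageSizeParameterName": "limit"` and a `limit` query parameter. If the poller does not emit `pageSize` on its own, the API's default page size applies while the `after` cursor still advances, so ingestion works but at an unintended page size; adding `"pageSizeParameterName": "limit"` (or a `"limit"` entry in the body template) would make the two pollers agree. The same shape appears in the alerts poller's paging block in the preceding hunk, which starts outside this chunk. The per-poller `timeoutInSeconds` values (60, 65, 70, 63) and `queryWindowInMin` values (7, 5, 6) look deliberately staggered but read as arbitrary; a sentence in the connector's README saying why would spare the next maintainer from "normalising" them.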
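Review bot: In the hosts poller's new `paging` block the key is written `NextPageParaName` with a capital N, while the detections poller in the previous hunk uses `nextPageParaName`; the commit itself renames `tokenEndpointHeaders` to `TokenEndpointHeaders`, which suggests key casing is significant to the RestApiPoller schema. If matching is case-sensitive, the token read from `$.meta.pagination.next` would never be sent as `offset`, and each poll could re-fetch only the first page of `/devices/combined/devices/v1`. Suggested line: `"nextPageParaName": "offset",`. The enclosing hosts connector resource starts in the previous hunk.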
@@ -10397,7 +9488,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.1.5",
+ "description": "CrowdStrikeFalconEventStream Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject1').parserVersion1]",
@@ -10529,7 +9620,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdstrikeReplicator Data Parser with template version 3.1.5",
+ "description": "CrowdstrikeReplicator Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject2').parserVersion2]",
@@ -10661,7 +9752,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.1.5",
+ "description": "CrowdStrikeReplicatorV2 Data Parser with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('parserObject3').parserVersion3]",
@@ -10793,7 +9884,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.1.5",
+ "description": "CrowdStrikeFalconEndpointProtection Workbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -10881,7 +9972,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.1.5",
+ "description": "CriticalOrHighSeverityDetectionsByUser_AnalyticalRules Analytics Rule with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]",
@@ -10909,18 +10000,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -10928,8 +10019,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -10937,8 +10028,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ],
 "entityType": "IP"
@@ -10946,12 +10037,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "FileHashAlgo",
- "identifier": "Algorithm"
+ "identifier": "Algorithm",
+ "columnName": "FileHashAlgo"
 },
 {
- "columnName": "FileHashCustomEntity",
- "identifier": "Value"
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
 }
 ],
 "entityType": "FileHash"
@@ -11010,7 +10101,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.1.5",
+ "description": "CriticalSeverityDetection_AnalyticalRules Analytics Rule with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]",
@@ -11038,18 +10129,18 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "entityMappings": [
 {
 "fieldMappings": [
 {
- "columnName": "AccountCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "AccountCustomEntity"
 }
 ],
 "entityType": "Account"
@@ -11057,8 +10148,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "HostCustomEntity",
- "identifier": "FullName"
+ "identifier": "FullName",
+ "columnName": "HostCustomEntity"
 }
 ],
 "entityType": "Host"
@@ -11066,8 +10157,8 @@
 {
 "fieldMappings": [
 {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
 }
 ],
 "entityType": "IP"
@@ -11075,12 +10166,12 @@
 {
 "fieldMappings": [
 {
- "columnName": "FileHashAlgo",
- "identifier": "Algorithm"
+ "identifier": "Algorithm",
+ "columnName": "FileHashAlgo"
 },
 {
- "columnName": "FileHashCustomEntity",
- "identifier": "Value"
+ "identifier": "Value",
+ "columnName": "FileHashCustomEntity"
 }
 ],
 "entityType": "FileHash"
@@ -11139,7 +10230,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CrowdStrike_Base Playbook with template version 3.1.5",
+ "description": "CrowdStrike_Base Playbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion1')]",
@@ -11516,7 +10607,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.1.5",
+ "description": "Crowdstrike-EndpointEnrichment Playbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion2')]",
@@ -12971,7 +12062,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Crowdstrike-ContainHost Playbook with template version 3.1.5",
+ "description": "Crowdstrike-ContainHost Playbook with template version 3.1.6",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('playbookVersion3')]",
@@ -14086,12 +13177,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.1.5", + "version": "3.1.6", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "CrowdStrike Falcon Endpoint Protection", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection olution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.

\n

Data Connectors: 4, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: Please refer to the following before installing the solution:

\n

• Review the solution Release Notes

\n

• There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The CrowdStrike Falcon Endpoint Protection solution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.

\n

This solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence & other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on specific requirements.

\n

Data Connectors: 4, Parsers: 3, Workbooks: 1, Analytic Rules: 2, Playbooks: 3

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md index 13a0a93f8fe..ef0d74a97ba 100644 --- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md +++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------| +| 3.1.6 | 23-10-2025 | Updated *CrowdStrike API Data Connector* to fix deprecated detections API issues | | 3.1.5 | 22-08-2025 | Updated *CrowdStrike API Data Connector* to fix duplicate logs issues | | 3.1.4 | 04-07-2025 | Added new **CCF Connector** to the Solution *CrowdStrike API Data Connector*.
Removed *Crowdstrike Falcon Data Replicator* - Function App **Data Connector**.
Updated Connectors description. | | 3.1.3 | 24-06-2025 | Removed "DEPRECATED" label from the *Crowdstrike Falcon Data Replicator V2* - **Data connector**.
Updated Solution description. | diff --git a/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 b/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 index 13b833a48a8..091cfcefb1f 100644 --- a/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 
@@ -188,11 +188,11 @@ $standardStreamMapping += @{ Key = 'SECURITY_WEF_EVENT_BLOB_OBO'; Value = 'Micro
 $standardStreamMapping += @{ Key = 'SENTINEL_GOOGLEWORKSPACEREPORTS'; Value = 'Microsoft-GoogleWorkspaceReports' }
 $standardStreamMapping += @{ Key = 'SENTINEL_AWSSECHUB'; Value = 'Microsoft-AWSSecurityHubFindings' }
 $standardStreamMapping += @{ Key = 'SENTINEL_AWSROUTE53RESOLVER'; Value = 'Microsoft-AWSRoute53Resolver' }
-$standardStreamMapping += @{ Key = 'CROWDSTRIKE_VULNERABILITIES'; Value = 'Microsoft-CrowdStrikeVulnerabilities' }
-$standardStreamMapping += @{ Key = 'CROWDSTRIKE_ALERTS'; Value = 'Microsoft-CrowdStrikeAlerts' }
-$standardStreamMapping += @{ Key = 'CROWDSTRIKE_INCIDENTS'; Value = 'Microsoft-CrowdStrikeIncidents' }
-$standardStreamMapping += @{ Key = 'CROWDSTRIKE_DETECTIONS'; Value = 'Microsoft-CrowdStrikeDetections' }
-$standardStreamMapping += @{ Key = 'CROWDSTRIKE_HOSTS'; Value = 'Microsoft-CrowdStrikeHosts' }
+$standardStreamMapping += @{ Key = 'SENTINEL_CROWDSTRIKEVULNERABILITIES'; Value = 'Microsoft-SentinelCrowdStrikeVulnerabilities' }
+$standardStreamMapping += @{ Key = 'SENTINEL_CROWDSTRIKEALERTS'; Value = 'Microsoft-SentinelCrowdStrikeAlerts' }
+$standardStreamMapping += @{ Key = 'SENTINEL_CROWDSTRIKEINCIDENTS'; Value = 'Microsoft-SentinelCrowdStrikeIncidents' }
+$standardStreamMapping += @{ Key = 'SENTINEL_CROWDSTRIKEDETECTIONS'; Value = 'Microsoft-SentinelCrowdStrikeDetections' }
+$standardStreamMapping += @{ Key = 'SENTINEL_CROWDSTRIKEHOSTS'; Value = 'Microsoft-SentinelCrowdStrikeHosts' }
 $standardStreamMapping += @{ Key = 'SENTINEL_GCP_VPC_FLOW_LOGS'; Value = 'Microsoft-GCPVPCFlow' }
 $standardStreamMapping += @{ Key = 'SENTINEL_GCP_CDN_LOGS'; Value = 'Microsoft-GCPCDN'}
 $standardStreamMapping += @{ Key = 'SENTINEL_GCPRESOURCEMANAGER'; Value = 'Microsoft-GCPResourceManager'}
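Review bot: The five `CROWDSTRIKE_*` mapping keys are removed rather than kept beside the new `SENTINEL_CROWDSTRIKE*` entries, so any solution template in the repository that still names an old key as its `streamName` would no longer resolve to a stream during packaging. If a repository-wide search confirms nothing else references them this is fine; otherwise leaving the old five lines in place for one release alongside the new ones is a cheap safeguard. A one-line comment above the new entries would also help the next maintainer, e.g. `# Standard streams for the CrowdStrike API (CCP) connector; keys must match the connector's dcrConfig.streamName values`.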