@@ -1,172 +1,173 @@
{
"name": "CrowdStrikeAPICCPDefinition",
"apiVersion": "2023-04-01-preview",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "CrowdStrikeAPICCPDefinition",
"title": "CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)",
"publisher": "Microsoft",
"descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.",
"graphQueriesTableName": "CrowdStrikeVulnerabilities",
"graphQueries": [
{
"metricName": "Total Vulnerability logs received",
"legend": "CrowdStrike Vulnerability Logs",
"baseQuery": "{{graphQueriesTableName}}"
},
{
"metricName": "Total Alert logs received",
"legend": "CrowdStrike Alert Logs",
"baseQuery": "CrowdStrikeAlerts"
},
{
"metricName": "Total Incident logs received",
"legend": "CrowdStrike Incident Logs",
"baseQuery": "CrowdStrikeIncidents"
},
{
"metricName": "Total Detection logs received",
"legend": "CrowdStrike Detection Logs",
"baseQuery": "CrowdStrikeDetections"
},
{
"metricName": "Total Host logs received",
"legend": "CrowdStrike Host Logs",
"baseQuery": "CrowdStrikeHosts"
}
],
"sampleQueries": [
{
"description": "Get sample of CrowdStrike Vulnerability logs",
"query": "{{graphQueriesTableName}}\n | take 10"
},
{
"description": "Get sample of CrowdStrike Alert logs",
"query": "CrowdStrikeAlerts\n | take 10"
},
{
"description": "Get sample of CrowdStrike Incident logs",
"query": "CrowdStrikeIncidents\n | take 10"
},
{
"description": "Get sample of CrowdStrike Detection logs",
"query": "CrowdStrikeDetections\n | take 10"
},
{
"description": "Get sample of CrowdStrike Host logs",
"query": "CrowdStrikeHosts\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeAlerts",
"lastDataReceivedQuery": "CrowdStrikeAlerts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeIncidents",
"lastDataReceivedQuery": "CrowdStrikeIncidents\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeDetections",
"lastDataReceivedQuery": "CrowdStrikeDetections\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeHosts",
"lastDataReceivedQuery": "CrowdStrikeHosts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors",
"value": null
}
],
"availability": {
"status": 1,
"isPreview": false
"name": "CrowdStrikeAPICCPDefinition",
"apiVersion": "2024-09-01",
"type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "CrowdStrikeAPICCPDefinition",
"title": "CrowdStrike API Data Connector (via Codeless Connector Framework)",
"publisher": "Microsoft",
"descriptionMarkdown": "The [CrowdStrike Data Connector](https://www.crowdstrike.com/) allows ingesting logs from the CrowdStrike API into Microsoft Sentinel. This connector is built on the Microsoft Sentinel Codeless Connector Platform and uses the CrowdStrike API to fetch logs for Alerts, Detections, Hosts, Incidents, and Vulnerabilities. It supports DCR-based ingestion time transformations so that queries can run more efficiently.",
"graphQueriesTableName": "CrowdStrikeVulnerabilities",
"graphQueries": [
{
"metricName": "Total Vulnerability logs received",
"legend": "CrowdStrike Vulnerability Logs",
"baseQuery": "{{graphQueriesTableName}}"
},
{
"metricName": "Total Alert logs received",
"legend": "CrowdStrike Alert Logs",
"baseQuery": "CrowdStrikeAlerts"
},
{
"metricName": "Total Incident logs received",
"legend": "CrowdStrike Incident Logs",
"baseQuery": "CrowdStrikeIncidents"
},
{
"metricName": "Total Detection logs received",
"legend": "CrowdStrike Detection Logs",
"baseQuery": "CrowdStrikeDetections"
},
{
"metricName": "Total Host logs received",
"legend": "CrowdStrike Host Logs",
"baseQuery": "CrowdStrikeHosts"
}
],
"sampleQueries": [
{
"description": "Get sample of CrowdStrike Vulnerability logs",
"query": "{{graphQueriesTableName}}\n | take 10"
},
{
"description": "Get sample of CrowdStrike Alert logs",
"query": "CrowdStrikeAlerts\n | take 10"
},
{
"description": "Get sample of CrowdStrike Incident logs",
"query": "CrowdStrikeIncidents\n | take 10"
},
{
"description": "Get sample of CrowdStrike Detection logs",
"query": "CrowdStrikeDetections\n | take 10"
},
{
"description": "Get sample of CrowdStrike Host logs",
"query": "CrowdStrikeHosts\n | take 10"
}
],
"dataTypes": [
{
"name": "{{graphQueriesTableName}}",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeAlerts",
"lastDataReceivedQuery": "CrowdStrikeAlerts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeIncidents",
"lastDataReceivedQuery": "CrowdStrikeIncidents\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeDetections",
"lastDataReceivedQuery": "CrowdStrikeDetections\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
},
{
"name": "CrowdStrikeHosts",
"lastDataReceivedQuery": "CrowdStrikeHosts\n | where TimeGenerated > ago(12h) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": true,
"status": 1
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
]
},
"instructionSteps": [
{
"title": "Configuration steps for the CrowdStrike API",
"description": "Follow the instructions below to obtain your CrowdStrike API credentials.",
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Configuration steps for the CrowdStrike API\nFollow the instructions below to obtain your CrowdStrike API credentials."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 1. Retrieve API URL\nLog in to your CrowdStrike Console and navigate to the API section to copy your Base API URL."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Retrieve Client Credentials\nObtain your Client ID and Client Secret from the API credentials section in your CrowdStrike account."
}
},
{
"type": "Textbox",
"parameters": {
"label": "Base API URL",
"placeholder": "https://api.us-2.crowdstrike.com",
"type": "text",
"name": "apiUrl"
}
},
{
"type": "Textbox",
"parameters": {
"label": "Client ID",
"placeholder": "Your Client ID",
"type": "text",
"name": "clientId"
}
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true,
"action": false
}
}
]
{
"type": "Textbox",
"parameters": {
"label": "Client Secret",
"placeholder": "Your Client Secret",
"type": "password",
"name": "clientSecret"
}
},
"instructionSteps": [
{
"instructions": [
{
"type": "Markdown",
"parameters": {
"content": "#### Configuration steps for the CrowdStrike API\nFollow the instructions below to obtain your CrowdStrike API credentials."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 1. Retrieve API URL\nLog in to your CrowdStrike Console and navigate to the API section to copy your Base API URL."
}
},
{
"type": "Markdown",
"parameters": {
"content": "#### 2. Retrieve Client Credentials\nObtain your Client ID and Client Secret from the API credentials section in your CrowdStrike account."
}
},
{
"parameters": {
"label": "Base API URL",
"placeholder": "https://api.us-2.crowdstrike.com",
"type": "text",
"name": "apiUrl"
},
"type": "Textbox"
},
{
"parameters": {
"label": "Client ID",
"placeholder": "Your Client ID",
"type": "text",
"name": "clientId"
},
"type": "Textbox"
},
{
"type": "Textbox",
"parameters": {
"label": "Client Secret",
"placeholder": "Your Client Secret",
"type": "password",
"name": "clientSecret"
}
},
{
"parameters": {
"label": "toggle",
"name": "toggle"
},
"type": "ConnectionToggleButton"
}
]
}
],
"isConnectivityCriteriasMatchSome": false
{
"type": "ConnectionToggleButton",
"parameters": {
"connectLabel": "Connect",
"disconnectLabel": "Disconnect",
"name": "toggle"
}
}
]
}
],
"isConnectivityCriteriasMatchSome": false
}
}
}
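Review bot: The `requiredPermissions` object in the `permissions.resourceProvider` entry declares `"delete": true` (and on what appears to be the new side also `"action": false`) while the adjacent `permissionsDisplayText` still reads "Read and Write permissions are required.", so the operator approving the connector is told a narrower scope than the definition actually asserts; either remove `"delete": true` or change the text to `"permissionsDisplayText": "Read, Write and Delete permissions are required."` so the consent screen matches the requested scope. This rendering has lost the +/- markers, so I am reading the second copy of each changed line as the new side; on that reading the new `availability` block sets `"isPreview": true` while the new `title` drops the "(Preview)" suffix, which looks contradictory and is worth confirming against the intended GA status for `apiVersion` `2024-09-01`. The new `instructionSteps` entry also appears to omit the step-level `title` and `description` that the old entry carried, leaving only the Markdown instruction heading to introduce the step; if that is deliberate it is fine, otherwise restore the two keys. Keeping `"type": "password"` on the `clientSecret` textbox is the right choice and should be preserved in any follow-up.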