[Crowdstrike Falcon Endpoint Protection] - update solution to include… #13006
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… updated API data connector
AmirSasson
approved these changes
Oct 23, 2025
jlheard
previously approved these changes
Oct 23, 2025
Author
|
@microsoft-github-policy-service agree company="Microsoft" |
pagoudjo
approved these changes
Oct 23, 2025
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR updates the CrowdStrike Falcon Endpoint Protection solution to version 3.1.6, addressing deprecated API issues in the CrowdStrike API Data Connector. The changes migrate the connector to use updated CrowdStrike API endpoints and improve the data collection configuration.
Key Changes:
- Updated API endpoints from deprecated "queries" endpoints to "combined" endpoints for Vulnerabilities, Alerts, Detections, and Hosts
- Migrated from nested API calls to direct combined endpoint calls, simplifying the data collection architecture
- Updated stream naming convention from
Custom-Crowdstrike-*toSENTINEL_CROWDSTRIKE*prefix - Removed data collection rule (DCR) stream declarations and transformKql configurations, as data transformations are now handled by the standard streams
Reviewed Changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| Tools/Create-Azure-Sentinel-Solution/common/standardLogStreams.ps1 | Updated standard stream mapping keys and values to align with new SENTINEL_ prefix naming convention |
| Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md | Added version 3.1.6 release notes documenting the deprecated API fix |
| Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json | Updated solution version, connector descriptions, API configurations, and removed Preview labels |
| Solutions/CrowdStrike Falcon Endpoint Protection/Package/createUiDefinition.json | Fixed typo in solution description ("olution" to "solution") |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json | Updated solution version and added new data connector reference |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json | Migrated to combined API endpoints, updated configuration parameters, and removed nested API calls |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json | Updated connector definition with corrected JSON structure and removed Preview status |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_DCR.json | Removed extensive stream declarations and transformKql, simplified DCR configuration to use standard streams |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
v-sabiraj
approved these changes
Oct 24, 2025
Contributor
v-sabiraj
left a comment
v-sabiraj
left a comment
There was a problem hiding this comment.
From a solution perspective, it seems fine.
I trust that functional testing has been completed and the connector is operating as expected, since I noticed it was previously approved by some reviewers.
v-dvedak
approved these changes
Oct 24, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
… updated API data connector
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present:
Guidance <- remove section before submitting
Before submitting this PR please ensure that you have read the following sections and filled out the changes, reason for change and testing complete sections:
Thank you for your contribution to the Microsoft Sentinel Github repo.
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Note: If updating a detection, you must update the version field.
Checked that the validations are passing and have addressed any issues that are present:
Note: Let us know if you have tried fixing the validation error and need help.