diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json
index 2aa5ebf1934..b9877c86458 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json
@@ -7,26 +7,26 @@
 {
 "metricName": "Total data received",
 "legend": "Crowdstrike Indicators of Compromise",
- "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+ "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
 }
 ],
 "sampleQueries": [
 {
 "description": "Threat Intel - Crowdstrike Indicators of Compromise",
- "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+ "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
 }
 ],
 "dataTypes": [
 {
 "name": "IndicatorsOfCompromise",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
+ "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
 ]
 }
 ],
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
index d94f9b14ca8..8acc8b08f0f 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
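Review bot: The rename to `ThreatIntelIndicators` in `baseQuery`, `query`, `lastDataReceivedQuery` and the `IsConnectedQuery` value keeps the `SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'` filter unchanged, which is only correct if the function app's indicator upload still lands that exact string in the new table's `SourceSystem` column; the ingestion code is not in this diff, and a mismatch would show the connector as disconnected while indicators are still arriving. As far as I recall, the new table keeps a row per indicator version rather than one per indicator, so the `Total data received` metric will count updates as well as new indicators; if a per-indicator view is wanted, a `summarize arg_max(TimeGenerated, *) by Id` step (or an `IsDeleted == false` filter) before counting would do it — confirm column names against the current table schema. The same four query strings are changed again in the generated `Package/mainTemplate.json` at hunks @@ -577 and @@ -769, so only this connector source needs review for that change. Nothing in the diff touches analytics rules, hunting queries or workbooks in this solution, so any of them that still read the legacy `ThreatIntelligenceIndicator` table should be checked for the same rename.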
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
@@ -30,7 +30,7 @@
 "azuresentinel.azure-sentinel-solution-commoneventformat"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
- "Version": "3.1.8",
+ "Version": "3.2.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1Pconnector": false
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.2.0.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.2.0.zip
new file mode 100644
index 00000000000..628e02b781f
Binary files /dev/null and b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.2.0.zip differ
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
index 1978aa99e9e..e4fabfbeb36 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
@@ -55,7 +55,7 @@
 "email": "support@microsoft.com",
 "_email": "[variables('email')]",
 "_solutionName": "CrowdStrike Falcon Endpoint Protection",
- "_solutionVersion": "3.1.9",
+ "_solutionVersion": "3.2.0",
 "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep",
 "_solutionId": "[variables('solutionId')]",
 "uiConfigId1": "CrowdstrikeReplicatorv2",
@@ -156,9 +156,7 @@
 "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
 "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
 "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
- "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
- "stepId": "incidents_details",
- "_stepId": "[variables('stepId')]"
+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
 {
@@ -577,26 +575,26 @@
 {
 "metricName": "Total data received",
 "legend": "Crowdstrike Indicators of Compromise",
- "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+ "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
 }
 ],
 "sampleQueries": [
 {
 "description": "Threat Intel - Crowdstrike Indicators of Compromise",
- "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+ "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
 }
 ],
 "dataTypes": [
 {
 "name": "IndicatorsOfCompromise",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
+ "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
 ]
 }
 ],
@@ -769,27 +767,27 @@
 {
 "metricName": "Total data received",
 "legend": "Crowdstrike Indicators of Compromise",
- "baseQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+ "baseQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
 }
 ],
 "dataTypes": [
 {
 "name": "IndicatorsOfCompromise",
- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ "lastDataReceivedQuery": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
 }
 ],
 "connectivityCriterias": [
 {
 "type": "IsConnectedQuery",
 "value": [
- "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
+ "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(3d)"
 ]
 }
 ],
 "sampleQueries": [
 {
 "description": "Threat Intel - Crowdstrike Indicators of Compromise",
- "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+ "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
 }
 ],
 "availability": {
@@ -9398,7 +9396,7 @@
 "stepType": "Nested",
 "nextSteps": [
 {
- "stepId": "[variables('_stepId')]",
+ "stepId": "incidents_details",
 "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources"
 }
 ]
@@ -10134,52 +10132,52 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "FileHash",
 "fieldMappings": [
 {
- "identifier": "Algorithm",
- "columnName": "FileHashAlgo"
+ "columnName": "FileHashAlgo",
+ "identifier": "Algorithm"
 },
 {
- "identifier": "Value",
- "columnName": "FileHashCustomEntity"
+ "columnName": "FileHashCustomEntity",
+ "identifier": "Value"
 }
- ],
- "entityType": "FileHash"
+ ]
 }
 ]
 }
@@ -10263,52 +10261,52 @@
 "status": "Available",
 "requiredDataConnectors": [
 {
- "connectorId": "CefAma",
 "dataTypes": [
 "CommonSecurityLog"
- ]
+ ],
+ "connectorId": "CefAma"
 }
 ],
 "entityMappings": [
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "AccountCustomEntity"
+ "columnName": "AccountCustomEntity",
+ "identifier": "FullName"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "HostCustomEntity"
+ "columnName": "HostCustomEntity",
+ "identifier": "FullName"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IPCustomEntity"
+ "columnName": "IPCustomEntity",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "FileHash",
 "fieldMappings": [
 {
- "identifier": "Algorithm",
- "columnName": "FileHashAlgo"
+ "columnName": "FileHashAlgo",
+ "identifier": "Algorithm"
 },
 {
- "identifier": "Value",
- "columnName": "FileHashCustomEntity"
+ "columnName": "FileHashCustomEntity",
+ "identifier": "Value"
 }
- ],
- "entityType": "FileHash"
+ ]
 }
 ]
 }
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md
index 25b3fdc4f53..2304060853d 100644
--- a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md
+++ b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.2.0 | 07-01-2026 | Updated *CrowdStrike Falcon Adversary Data Connector* Change table name to be "ThreatIntelIndicators" instead of "ThreatIntelligenceIndicator" |
 | 3.1.9 | 17-12-2025 | Updated *CrowdStrike API Data Connector* Enhance API configuration instructions with link |
 | 3.1.8 | 08-12-2025 | Updated *CrowdStrike API Data Connector* to fix rate limit exceptions by introducing retry logic. |
 | 3.1.7 | 12-11-2025 | Updated *CrowdStrike API Data Connector* to fix rate limit exceptions |