Merge pull request #279766 from cwatson-cat/7-1-24-cs-ti-dc

Sentinel auto gen data connector - add Crowdstrike Falcon AI

Author: JamesJBarnett

articles/sentinel/TOC.yml

@@ -466,6 +466,8 @@
       href: data-connectors/corelight-connector-exporter.md
     - name: Cortex XDR - Incidents
       href: data-connectors/cortex-xdr-incidents.md
+    - name: CrowdStrike Falcon Adversary Intelligence (using Azure Functions)
+      href: data-connectors/crowdstrike-falcon-adversary-intelligence.md
     - name: Crowdstrike Falcon Data Replicator (using Azure Functions)
       href: data-connectors/crowdstrike-falcon-data-replicator.md
     - name: Crowdstrike Falcon Data Replicator V2 (using Azure Functions)

articles/sentinel/data-connectors-reference.md

@@ -3,7 +3,7 @@ title: Find your Microsoft Sentinel data connector | Microsoft Docs
 description: Learn about specific configuration steps for Microsoft Sentinel data connectors.
 author: cwatson-cat
 ms.topic: reference
-ms.date: 06/28/2024
+ms.date: 07/01/2024
 ms.custom: linux-related-content
 ms.author: cwatson
 appliesto:
@@ -192,6 +192,7 @@ Contact the solution provider for more information or where information is unava
 ## Crowdstrike
 
 - [[Deprecated] CrowdStrike Falcon Endpoint Protection via Legacy Agent](data-connectors/deprecated-crowdstrike-falcon-endpoint-protection-via-legacy-agent.md)
+- [CrowdStrike Falcon Adversary Intelligence (using Azure Functions)](data-connectors/crowdstrike-falcon-adversary-intelligence.md)
 - [Crowdstrike Falcon Data Replicator (using Azure Functions)](data-connectors/crowdstrike-falcon-data-replicator.md)
 - [Crowdstrike Falcon Data Replicator V2 (using Azure Functions)](data-connectors/crowdstrike-falcon-data-replicator-v2.md)
 

articles/sentinel/data-connectors/crowdstrike-falcon-adversary-intelligence.md

@@ -0,0 +1,136 @@
+---
+title: "CrowdStrike Falcon Adversary Intelligence (using Azure Functions) connector for Microsoft Sentinel"
+description: "Learn how to install the connector CrowdStrike Falcon Adversary Intelligence (using Azure Functions) to connect your data source to Microsoft Sentinel."
+author: cwatson-cat
+ms.topic: how-to
+ms.date: 07/01/2024
+ms.service: microsoft-sentinel
+ms.author: cwatson
+ms.collection: sentinel-data-connector
+---
+
+# CrowdStrike Falcon Adversary Intelligence (using Azure Functions) connector for Microsoft Sentinel
+
+The [CrowdStrike](https://www.crowdstrike.com/) Falcon Indicators of Compromise connector retrieves the Indicators of Compromise from the Falcon Intel API and uploads them [Microsoft Sentinel Threat Intel](/azure/sentinel/understand-threat-intelligence).
+
+This is autogenerated content. For changes, contact the solution provider.
+
+## Connector attributes
+
+| Connector attribute | Description |
+| --- | --- |
+| **Azure function app code** | https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-Functionapp |
+| **Log Analytics table(s)** | IndicatorsOfCompromise<br/> |
+| **Data collection rules support** | Not currently supported |
+| **Supported by** | [Microsoft Corporation](https://support.microsoft.com) |
+
+## Query samples
+
+**Threat Intel - Crowdstrike Indicators of Compromise**
+
+   ```kusto
+ThreatIntelligenceIndicator
+ 
+   | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'
+ 
+   | sort by TimeGenerated desc
+   ```
+
+
+
+## Prerequisites
+
+To integrate with CrowdStrike Falcon Adversary Intelligence (using Azure Functions) make sure you have: 
+
+- **Microsoft.Web/sites permissions**: Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](/azure/azure-functions/).
+- **CrowdStrike API Client ID and Client Secret**: **CROWDSTRIKE_CLIENT_ID**, **CROWDSTRIKE_CLIENT_SECRET**, **CROWDSTRIKE_BASE_URL**. CrowdStrike credentials must have Indicators (Falcon Intelligence) read scope.
+
+
+## Vendor installation instructions
+
+
+**STEP 1 - [Generate CrowdStrike API credentials](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/).**
+
+
+
+Make sure 'Indicators (Falcon Intelligence)' scope has 'read' selected
+
+
+**STEP 2 - [Register an Entra App](/entra/identity-platform/quickstart-register-app) with client secret.**
+
+
+
+Provide the Entra App principal with 'Microsoft Sentinel Contributor' role assignment on the respective log analytics workspace. [How to assign roles on Azure](/azure/role-based-access-control/role-assignments-portal).
+
+
+**STEP 3 - Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function**
+
+> [!IMPORTANT]
+> Before deploying the CrowdStrike Falcon Indicator of Compromise connector, have the Workspace ID (can be copied from the following).
+
+
+Option 1 - Azure Resource Manager (ARM) Template
+
+Use this method for automated deployment of the CrowdStrike Falcon Adversary Intelligence connector using an ARM template.
+
+1. Select the following **Deploy to Azure** button. 
+
+	[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-azuredeploy)
+2. Provide the following parameters: CrowdStrikeClientId, CrowdStrikeClientSecret, CrowdStrikeBaseUrl, WorkspaceId, TenantId, Indicators, AadClientId, AadClientSecret, LookBackDays
+
+Option 2 - Manual Deployment of Azure Functions
+
+Use the following step-by-step instructions to deploy the CrowdStrike Falcon Adversary Intelligence connector manually with Azure Functions (Deployment via Visual Studio Code).
+
+
+**1. Deploy a Function App**
+
+You need to [prepare VS Code](/azure/azure-functions/functions-create-first-function-python#prerequisites) for Azure function development.
+
+1. Download the [Azure Function App](https://aka.ms/sentinel-CrowdStrikeFalconAdversaryIntelligence-Functionapp) file. Extract archive to your local development computer.
+2. Start VS Code. Choose File in the main menu and select Open Folder.
+3. Select the top level folder from extracted files.
+4. Choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose the **Deploy to function app** button.
+If you aren't already signed in, choose the Azure icon in the Activity bar, then in the **Azure: Functions** area, choose **Sign in to Azure**
+If you're already signed in, go to the next step.
+5. Provide the following information at the prompts:
+
+	a. **Select folder:** Choose a folder from your workspace or browse to one that contains your function app.
+
+	b. **Select Subscription:** Choose the subscription to use.
+
+	c. Select **Create new Function App in Azure** (Don't choose the Advanced option)
+
+	d. **Enter a globally unique name for the function app:** Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. CrowdStrikeFalconIOCXXXXX).
+
+	e. **Select a runtime:** Choose Python 3.9.
+
+	f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.
+
+6. Deployment will begin. A notification is displayed after your function app is created and the deployment package is applied.
+7. Go to Azure portal for the Function App configuration.
+
+
+**2. Configure the Function App**
+
+1. In the Function App, select the Function App Name and select **Configuration**.
+2. In the **Application settings** tab, select **New application setting**.
+3. Add each of the following application settings individually, with their respective string values (case-sensitive): 
+
+   - CROWDSTRIKE_CLIENT_ID
+   - CROWDSTRIKE_CLIENT_SECRET
+   - CROWDSTRIKE_BASE_URL
+   - TENANT_ID
+   - INDICATORS
+   - WorkspaceKey
+   - AAD_CLIENT_ID
+   - AAD_CLIENT_SECRET
+   - LOOK_BACK_DAYS
+   - WORKSPACE_ID  
+4. Once all application settings are entered, select **Save**.
+
+
+
+## Next steps
+
+For more information, go to the [related solution](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/azuresentinel.azure-sentinel-solution-crowdstrikefalconep?tab=Overview) in the Azure Marketplace.