CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Function)

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Connectors Index

Attribute Value
Connector ID CrowdstrikeReplicatorv2
Publisher Crowdstrike
Used in Solutions CrowdStrike Falcon Endpoint Protection
Collection Method Azure Function
Connector Definition Files CrowdstrikeReplicatorV2_ConnectorUI.json
Ingestion API HTTP Data Collector APIConnector definition requires workspace key (SharedKey pattern)

This connector enables the ingestion of FDR data into Microsoft Sentinel using Azure Functions to support the assessment of potential security risks, analysis of collaboration activities, identification of configuration issues, and other operational insights.

NOTE:

1. CrowdStrike FDR license must be available & enabled.

2. The connector uses a Key & Secret based authentication and is suitable for CrowdStrike Managed buckets.

3. For environments that use a fully owned AWS S3 bucket, Microsoft recommends using the CrowdStrike Falcon Data Replicator (AWS S3) connector.

Tables Ingested

This connector ingests data into the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
ASimAuditEventLogs
ASimAuthenticationEventLogs ?
ASimAuthenticationEventLogs_CL ? ?
ASimDnsActivityLogs
ASimFileEventLogs ?
ASimFileEventLogs_CL ? ?
ASimNetworkSessionLogs
ASimProcessEventLogs ?
ASimProcessEventLogs_CL ? ?
ASimRegistryEventLogs ?
ASimRegistryEventLogs_CL ? ?
ASimUserManagementActivityLogs ?
ASimUserManagementLogs_CL EventProduct == "Falcon Data Replicator"
EventVendor == "CrowdStrike"		 ? ?
CrowdStrike_Additional_Events_CL
CrowdStrike_Secondary_Data_CL ? ?

💡 Tip: Tables with Ingestion API support allow data ingestion via the Azure Monitor Data Collector API, which also enables custom transformations during ingestion.

Permissions

Resource Provider Permissions:

Custom Permissions:

Setup Instructions

⚠️ Note: These instructions were automatically generated from the connector's user interface definition file using AI and may not be fully accurate. Please verify all configuration steps in the Microsoft Sentinel portal.

NOTE: This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

(Optional Step) Securely store API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. Follow these instructions to use Azure Key Vault with an Azure Function App.

1. Prerequisites

  1. Configure FDR in CrowdStrike - You must contact the CrowdStrike support team to enable CrowdStrike FDR.
    • Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys.
    • You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region.
  2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application.
    • Follow the instructions here (steps 1-5) to get AAD Tenant Id, AAD Client Id and AAD Client Secret.
    • For AAD Principal Id of this application, access the AAD App through AAD Portal and capture Object Id from the application overview page.

2. Deployment Options

Choose ONE from the following two deployment options to deploy the connector and the associated Azure Function

3. Option 1 - Azure Resource Manager (ARM) Template

Use this method for automated deployment of the Crowdstrike Falcon Data Replicator connector V2 using an ARM Tempate.

  1. Click the Deploy to Azure button below.

    Deploy To Azure Deploy to Azure Gov

  2. Provide the required details such as Microsoft Sentinel Workspace, CrowdStrike AWS credentials, Azure AD Application details and ingestion configurations

NOTE: Within the same resource group, you can't mix Windows and Linux apps in the same region. Select existing resource group without Windows apps in it or create new resource group. It is recommended to create a new Resource Group for deployment of function app and associated resources.

  1. Mark the checkbox labeled I agree to the terms and conditions stated above.
  2. Click Purchase to deploy.

4. Option 2 - Manual Deployment of Azure Functions

Use the following step-by-step instructions to deploy the Crowdstrike Falcon Data Replicator connector manually with Azure Functions (Deployment via Visual Studio Code).

1. Deploy DCE, DCR and Custom Tables for data ingestion

  1. Deploy the required DCE, DCR(s) and the Custom Tables by using the Data Collection Resource ARM template
  2. After successful deployment of DCE and DCR(s), get the below information and keep it handy (required during Azure Functions app deployment).

2. Deploy a Function App

  1. Download the Azure Function App file. Extract archive to your local development computer.
  2. Follow the function app manual deployment instructions to deploy the Azure Functions app using VSCode.
  3. After successful deployment of the function app, follow next steps for configuring it.

3. Configure the Function App

  1. Go to Azure Portal for the Function App configuration.
  2. In the Function App, select the Function App Name and select Configuration.
  3. In the Application settings tab, select ** New application setting**.
  4. Add each of the following application settings individually, with their respective string values (case-sensitive): AWS_KEY AWS_SECRET AWS_REGION_NAME QUEUE_URL USER_SELECTION_REQUIRE_RAW //True if raw data is required USER_SELECTION_REQUIRE_SECONDARY //True if secondary data is required MAX_QUEUE_MESSAGES_MAIN_QUEUE // 100 for consumption and 150 for Premium MAX_SCRIPT_EXEC_TIME_MINUTES // add the value of 10 here AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET DCE_INGESTION_ENDPOINT NORMALIZED_DCR_ID RAW_DATA_DCR_ID EVENT_TO_TABLE_MAPPING_LINK // File is present on github. Add if the file can be accessed using internet REQUIRED_FIELDS_SCHEMA_LINK //File is present on github. Add if the file can be accessed using internet Schedule //Add value as '0 */1 * * * *' to ensure the function runs every minute.
  5. Once all application settings have been entered, click Save.

Additional Documentation

📄 Source: [CrowdStrike Falcon Endpoint Protection\Data Connectors\CrowdstrikeReplicatorCLv2\README.md](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike Falcon Endpoint Protection\Data Connectors\CrowdstrikeReplicatorCLv2\README.md)

CrowdStrike Data connector based on CLv2 ingestion

This connector uses Azure Functions to connect to the AWS SQS / S3 to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the Azure Functions pricing page for details.

Prerequisites

  1. Configure FDR in CrowdStrike - You must contact the CrowdStrike support team to enable CrowdStrike FDR.
    1. Once CrowdStrike FDR is enabled, from the CrowdStrike console, navigate to Support --> API Clients and Keys.
    2. You need to Create new credentials to copy the AWS Access Key ID, AWS Secret Access Key, SQS Queue URL and AWS Region.
  2. Register AAD application - For DCR to authentiate to ingest data into log analytics, you must use AAD application.
    1. Follow the instructions here (steps 1-5) to get AAD Tenant Id, AAD Client Id and AAD Client Secret.
    2. For AAD Principal Id of this application, access the AAD App through AAD Portal and capture Object Id from the application overview page.

Deployment

Deploy to Azure

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

Back to Connectors Index