| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.3.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2022-06-01 |
| Last Updated | 2026-03-17 |
| Solution Folder | CrowdStrike Falcon Endpoint Protection |
| Marketplace | Azure Marketplace · Rating: ★☆☆☆☆ 1.0/5 (1 ratings) · Popularity: 🟢 High (92%) |
| Pre-requisites | Common Event Format |
The CrowdStrike Falcon Endpoint Protection solution allows you to easily onboard CrowdStrike Falcon Endpoint Protection to Microsoft Sentinel. The data collected can be used to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.
This solution contains multiple Data Connectors that help ingest Falcon Data Replicator logs, Adversary Intelligence, and other more specific data from CrowdStrike. Carefully review the capabilities of each connector and configure/enable the most relevant connector based on your specific requirements.
This solution depends on 1 other solution(s):
| Solution |
|---|
| Common Event Format |
This solution provides 4 data connector(s) (plus 2 discovered⚠️):
Connectors from dependency solutions:
🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.
This solution uses 29 table(s):
The following 1 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| ThreatIntelIndicators | CrowdStrike Falcon Adversary Intelligence | - |
This solution includes 10 content item(s) (9 in solution, 1 discovered 🔍):
| Content Type | Total | In Solution | Discovered |
|---|---|---|---|
| Parsers | 4 | 3 | 1 |
| Playbooks | 3 | 3 | - |
| Analytic Rules | 2 | 2 | - |
| Workbooks | 1 | 1 | - |
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Critical Severity Detection | High | - | CommonSecurityLog |
| Critical or High Severity Detections by User | High | - | - |
| Name | Tables Used |
|---|---|
| CrowdStrikeFalconEndpointProtection | CommonSecurityLog |
| Name | Description | Tables Used |
|---|---|---|
| Crowdstrike API authentication | This is Crowdstrike base template which is used to generate access token and this is used in actual ... | - |
| Endpoint enrichment - Crowdstrike | When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below a... | - |
| Isolate endpoint - Crowdstrike | When a new Microsoft Sentinel incident is created, this playbook gets triggered and performs below a... | - |
| Name | Description | Tables Used |
|---|---|---|
| CrowdStrikeFalconEventStream | - | CommonSecurityLog (read) |
| CrowdStrikeReplicator | - | CrowdstrikeReplicatorLogs_CL (read) |
| CrowdStrikeReplicatorV2 | - | ASimAuditEventLogs (read), ASimAuthenticationEventLogs (read), ASimAuthenticationEventLogs_CL (read), ASimDnsActivityLogs (read), ASimFileEventLogs (read), ASimFileEventLogs_CL (read), ASimNetworkSessionLogs (read), ASimProcessEventLogs (read), ASimProcessEventLogs_CL (read), ASimRegistryEventLogs (read), ASimRegistryEventLogs_CL (read), ASimUserManagementActivityLogs (read), ASimUserManagementLogs_CL (read), CrowdStrike_Additional_Events_CL (read), CrowdStrike_Secondary_Data_CL (read) |
| CrowdStrikeReplicator_future ⚠️ | - | - |
⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.3.3 | 13-04-2026 | Deprecate CrowdStrike Falcon Data Replicator (CrowdStrike Managed AWS-S3) (using Azure Function) |
| 3.3.2 | 16-03-2026 | Update CrowdStrike API Data Connector to GA with adding rate limits to inner steps for Alerts and Detections data types |
| 3.3.1 | 05-03-2026 | Update CrowdStrike API Data Connector to fix Alerts and Detections data types |
| 3.3.0 | 26-01-2026 | Refresh CrowdStrike API Data Connector with Cases data type and multiple improvements |
| 3.2.0 | 07-01-2026 | Updated CrowdStrike Falcon Adversary Data Connector: changed table name to "ThreatIntelIndicators" instead of "ThreatIntelligenceIndicator" |
| 3.1.9 | 17-12-2025 | Updated CrowdStrike API Data Connector: enhanced API configuration instructions with a link |
| 3.1.8 | 08-12-2025 | Updated CrowdStrike API Data Connector to fix rate limit exceptions by introducing retry logic. |
| 3.1.7 | 12-11-2025 | Updated CrowdStrike API Data Connector to fix rate limit exceptions |
| 3.1.6 | 23-10-2025 | Updated CrowdStrike API Data Connector to fix deprecated detections API issues |
| 3.1.5 | 22-08-2025 | Updated CrowdStrike API Data Connector to fix duplicate logs issues |
| 3.1.4 | 04-07-2025 | Added new CCF Connector (CrowdStrike API Data Connector) to the Solution. Removed Crowdstrike Falcon Data Replicator - Function App Data Connector. Updated Connectors description. |
| 3.1.3 | 24-06-2025 | Removed "DEPRECATED" label from the Crowdstrike Falcon Data Replicator V2 - Data connector. Updated Solution description. |
| 3.1.2 | 03-06-2025 | Crowdstrike Falcon S3 CCF connector moving to GA. |
| 3.1.1 | 08-05-2025 | Added preview tag to CCP Connector. |
| 3.1.0 | 11-03-2025 | Added new CCP Data Connector to the Solution. |
| 3.0.10 | 15-01-2025 | Resolve Workbook data type dependency issue. |
| 3.0.9 | 12-11-2024 | Removed deprecated Data Connectors. Updated the python runtime version to 3.11 in Data Connector Function App. |
| 3.0.8 | 10-07-2024 | Deprecated Data Connector. |
| 3.0.7 | 20-06-2024 | Shortlinks updated for Data Connector CrowdStrike Falcon Indicators of Compromise. |
| 3.0.6 | 06-06-2024 | Renamed Data Connector CrowdStrike Falcon Indicators of Compromise to CrowdStrike Falcon Adversary Intelligence. |
| 3.0.5 | 30-05-2024 | Added new Function App Data Connector CrowdStrike Falcon Indicators of Compromise. |
| 3.0.4 | 03-05-2024 | Fixed Parser issue for Parser name and ParentID mismatch. |
| 3.0.3 | 10-04-2024 | Added Azure Deploy button for government portal deployments. |
| 3.0.2 | 14-02-2024 | Addition of new CrowdStrike Falcon Endpoint Protection AMA Data Connector. |
| 3.0.1 | 31-01-2024 | Data Connector [Crowdstrike Falcon Data Replicator V2] globally available. |
| 3.0.0 | 28-07-2023 | New Data Connector added. |