New Crowdstrike connectors #13536
@microsoft-github-policy-service agree [company="Robert Half"]
microsoft-github-policy-service agree company="Robert Half"

Hi @ericlamer Thanks!

@microsoft-github-policy-service agree company="Robert Half"

Hi @ericlamer Kindly refer to the CCF folder naming conventions and follow the solution structure provided below, and kindly add the release notes. Thanks!

Hi,
Is there an easy way to split a template into separate files?
Thanks.
…_______________________
Eric Lamer
Cybersecurity Architect (SIEM)
________________________________
From: v-maheshbh ***@***.***>
Sent: Monday, February 9, 2026 2:15 AM
To: Azure/Azure-Sentinel ***@***.***>
Cc: Lamer, Eric (HQP) ***@***.***>; Mention ***@***.***>
Subject: Re: [Azure/Azure-Sentinel] New Crowdstrike connectors (PR #13536)
v-maheshbh left a comment (Azure/Azure-Sentinel#13536)
Hi @ericlamer
Kindly refer to the CCF folder naming conventions and follow the solution structure provided below. https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Cloudflare%20CCF/Data%20Connectors/CloudflareLog_CCF
Thanks!
Hi @ericlamer Kindly review the above comments and refer to the solution for guidance. Thanks!

Hi, I was on vacation, will review my code and resubmit soon. Thanks.

Pull request overview
Adds new CrowdStrike Falcon multi-configuration codeless data connector assets (ARM templates + supporting JSON fragments and docs) for Microsoft Sentinel.
Changes:
- Added multiconfig ARM templates for CrowdStrike API connectors (Apps, Sensor, RTR Audit, and a general API bundle).
- Added standalone JSON fragments for connector definition, polling config, DCR, and table schemas.
- Added README documentation for several connectors.
Reviewed changes
Copilot reviewed 23 out of 24 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeRTRAudit_multiconfig_ccf/CrowdStrike_API_RTR_multi.json | Adds ARM template for the RTR Audit multiconfig codeless connector (definition + connections + DCR + table). |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeRTRAudit_multiconfig_ccf/CrowdStrikeRTRAudit_multiconfig_Table.json | Adds Log Analytics table schema fragment for RTR Audit. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeRTRAudit_multiconfig_ccf/CrowdStrikeRTRAudit_multiconfig_PollingConfig.json | Adds polling/dataConnector resource fragment for RTR Audit. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeRTRAudit_multiconfig_ccf/CrowdStrikeRTRAudit_multiconfig_Definition.json | Adds dataConnectorDefinitions fragment (UI/config) for RTR Audit. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdstrikeRTRAudit_multiconfig_ccf/CrowdStrikeRTRAudit_multiconfig_DCR.json | Adds DCR fragment for RTR Audit ingestion/transforms. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/README.md | Adds end-user documentation for the Sensor connector. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/CrowdStrike_API_Sensor_multi.json | Adds ARM template for the Sensor multiconfig codeless connector (definition + connections + DCR + table). |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/CrowdStrikeSensor_multiconfig_Table.json | Adds Log Analytics table schema fragment for Sensor. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/CrowdStrikeSensor_multiconfig_PollingConfig.json | Adds polling/dataConnector resource fragment for Sensor. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/CrowdStrikeSensor_multiconfig_Definition.json | Adds dataConnectorDefinitions fragment (UI/config) for Sensor. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeSensor_multiconfig_ccf/CrowdStrikeSensor_multiconfig_DCR.json | Adds DCR fragment for Sensor ingestion/transforms. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/README.md | Adds end-user documentation for the Apps connector. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/CrowdsStrikeApps_multiconfig_Table.json | Adds Log Analytics table schema fragment for Apps. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/CrowdStrike_API_Apps_multi.json | Adds ARM template for the Apps multiconfig codeless connector (definition + connections + DCR + table). |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/CrowdStrikeApps_multiconfig_PollingConfig.json | Adds polling/dataConnector resource fragment for Apps. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/CrowdStrikeApps_multiconfig_Definition.json | Adds dataConnectorDefinitions fragment (UI/config) for Apps. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeApps_multiconfig_ccf/CrowdStrikeApps_multiconfig_DCR.json | Adds DCR fragment for Apps ingestion/transforms. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/README.md | Adds end-user documentation for the bundled CrowdStrike API connector. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/CrowdStrike_API_Sensor_multi.json | Adds ARM template for a Sensor variant under the bundled API connector folder. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/CrowdStrikeAPI_multiconfig_Table.json | Adds table schema fragments for the bundled API connector tables. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/CrowdStrikeAPI_multiconfig_PollingConfig.json | Adds polling/dataConnector resource fragments for multiple data types in the bundled API connector. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/CrowdStrikeAPI_multiconfig_Definition.json | Adds dataConnectorDefinitions fragment (UI/config) for the bundled API connector. |
| Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_multiconfig_ccf/CrowdStrikeAPI_multiconfig_DCR.json | Adds DCR fragment for bundled API connector ingestion/transforms. |
| @@ -0,0 +1,197 @@ | |||
| { | |||
| "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition'))]", | |||
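Review bot: The `name` value on the second line of this hunk depends on `variables('_dataConnectorContentIdConnectorDefinition')`, which is not defined in the lines shown, so the final resource name cannot be checked from this hunk alone. Suggest documenting the value that variable resolves to and confirming it matches the connector definition's ID, so the name and the ID cannot drift apart.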
Hi @ericlamer The field name and ID must remain the same. Kindly rename the name field to CrowdStrikeAPIDataConnector to ensure consistency, and please follow the same naming and structure conventions used by other CCF connectors to maintain consistency.

Hi @ericlamer Kindly review the comment added in the definition file. Thanks!

Hi @ericlamer Thanks!

Hi @ericlamer Kindly review the above comments and address them as applicable. Thanks!

Hi @ericlamer Kindly review the comment added in the definition file. Thanks!

Hi @ericlamer Kindly review the above comments. Thanks!

Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: