[ASIM] CrowdStrike Falcon AlertEvent Parser

[SpeedyFireCyclone]

Change(s):

• Add ASIM AlertEvent parser for CrowdStrike Falcon Codeless Connector

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds ASIM AlertEvent normalization support for CrowdStrike Falcon (via Codeless Connector Framework) and wires it into the existing ASIM AlertEvent “wrapper” parsers and deployment artifacts.

Changes:

• Added new CrowdStrike Falcon AlertEvent parsers (vim* and ASim*) and their ARM templates/README/changelogs.
• Registered the new parsers in the imAlertEvent and ASimAlertEvent aggregation parsers (and ARM equivalents).
• Updated full deployment ARM template to include linked deployments for the new functions.

Reviewed changes

Copilot reviewed 15 out of 16 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
Parsers/ASimAlertEvent/Parsers/vimAlertEventCrowdStrikeFalcon.yaml	New parameterized vim AlertEvent parser for CrowdStrike Falcon with filtering and packing support.
Parsers/ASimAlertEvent/Parsers/ASimAlertEventCrowdStrikeFalcon.yaml	New ASim AlertEvent parser for CrowdStrike Falcon (non-filtering wrapper variant).
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml	Registers the new vimAlertEventCrowdStrikeFalcon in the filtering union parser and bumps version.
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml	Registers the new ASimAlertEventCrowdStrikeFalcon in the union parser and bumps version.
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCrowdStrikeFalcon.md	New changelog entry for the vim parser.
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md	New changelog entry for the ASim parser.
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md	Changelog entry for adding CrowdStrike to the wrapper parser.
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md	Changelog entry for adding CrowdStrike to the wrapper parser.
Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json	ARM deployment for the new vim function.
Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/README.md	Deployment README for the new vim function.
Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json	ARM deployment for the new ASim function.
Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/README.md	Deployment README for the new ASim function.
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json	Updates wrapper ARM function query to include CrowdStrike.
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json	Updates wrapper ARM function query to include CrowdStrike.
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json	Adds linked deployments for the new CrowdStrike functions.

[SpeedyFireCyclone]

This is the current preferred format for the AttackTactics column: https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert#:~:text=Targeted-,AttackTactics

[SpeedyFireCyclone]

This is the current preferred format for the AttackTactics column: https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert#:~:text=Targeted-,AttackTactics

[Copilot]

Pull request overview

Copilot reviewed 15 out of 16 changed files in this pull request and generated 5 comments.

[yummyblabla]

It looks like Copilot is nagging a lot.
@SpeedyFireCyclone
For starters, let's resolve the KQL validation error https://github.com/Azure/Azure-Sentinel/actions/runs/27618625728/job/81662250570?pr=14488 by including CrowdStrikeDetections as a customTable under ./script/tests/kqlvalidationtests

[yummyblabla]

Missing Dvc field, can be alias from DvcIpAddr

[yummyblabla]

Something to consider:
| where (array_length(username_has_any) == 0) or UserPrincipal has_any (username_has_any) or UserName has_any (username_has_any)

at the beginning of the parser where the filters are