Expand Up @@ -27,7 +27,7 @@
"displayName": "Alert Event ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAlertEvent",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAlertEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAlertEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAlertEventEmpty,\n ASimAlertEventBitdefenderGravityZone (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventBitdefenderGravityZone' in (DisabledParsers))), pack=pack),\n ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),\n ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),\n ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))), pack=pack),\n ASimAlertEventPaloAltoXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventPaloAltoXDR' in (DisabledParsers))), pack=pack),\n ASimAlertEventCrowdStrikeFalcon (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCrowdStrikeFalcon' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
@@ -0,0 +1,36 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('Workspace'), '/ASimAlertEventCrowdStrikeFalcon')]",
"location": "[parameters('WorkspaceRegion')]",
"properties": {
"etag": "*",
"displayName": "Alert Event ASIM parser for CrowdStrike Falcon",
"category": "ASIM",
"FunctionAlias": "ASimAlertEventCrowdStrikeFalcon",
"query": "let parser = (\n disabled: bool=false,\n pack: bool=false\n){\n CrowdStrikeDetections\n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = CreatedTimestamp,\n EventType = \"Alert\",\n EventProduct = \"Falcon\",\n EventVendor = \"CrowdStrike\",\n EventSchema = \"AlertEvent\",\n EventSchemaVersion = \"0.1\",\n DvcIpAddr = tostring(Device.local_ip),\n DvcHostname = tostring(Device.hostname),\n DvcDomain = tostring(Device.hostinfo.domain),\n DvcDomainType = iif(isnotempty(Device.hostinfo.domain), \"FQDN\", \"\"),\n DvcId = tostring(Device.device_id),\n DvcIdType = iff(isnotempty(Device.device_id), \"Other\", \"\"),\n EventProductVersion = tostring(Device.agent_version),\n DvcOs = tostring(Device.platform_name),\n DvcOsVersion = extract(@\"([\\d\\.]+)\", 1, tostring(Device.os_version))\n | project-rename\n EventStartTime = CreatedTimestamp,\n EventOriginalUid = Id,\n EventMessage = Description,\n EventOriginalSeverity = SeverityName,\n EventOriginalSubType = Scenario,\n EventOriginalType = DetectionType,\n EventReportUrl = FalconHostLink,\n DvcOriginalAction = PatternDispositionDescription\n | extend\n AlertId = EventOriginalUid,\n EventUid = _ItemId,\n AlertDescription = EventMessage,\n AlertStatus = iif(\n Status in (\"new\", \"in_progress\"), \"Active\",\n \"Closed\"\n ),\n DetectionMethod = case(\n Objective == \"Falcon Detection Method\" and (\n Name contains_cs \"Policy\"\n or Name contains_cs \"CustomTemplate\"\n or Name has_cs \"CustomerIOC\"\n ), \"User Defined Blocked List\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType == \"intel_detection\", \"Threat Intelligence\",\n Objective == \"Falcon Detection Method\" and EventOriginalSubType in (\"NGAV\", \"known_malware\", \"\"), \"Antivirus\",\n \"EDR\"\n ),\n EventSeverity = case(\n EventOriginalSeverity in (\"High\", \"Critical\"), \"High\",\n EventOriginalSeverity == \"Medium\", \"Medium\",\n EventOriginalSeverity == \"Low\", \"Low\",\n \"Informational\"\n 
),\n EventSubType = iif(EventOriginalSubType == \"suspicious_activity\", \"Suspicious Activity\", \"Threat\"),\n Rule = Name,\n RuleNumber = toint(MitreAttack[0].pattern_id),\n RuleName = Name,\n RuleDescription = EventMessage,\n ThreatName = tostring(IocContext[0].ioc_value),\n IndicatorType = case(\n IocContext[0].ioc_type in (\"ipv4\", \"ipv6\"), \"Ip\",\n // IocContext[0].ioc_type == \"\", \"User\",\n // IocContext[0].ioc_type == \"\", \"Process\",\n // IocContext[0].ioc_type == \"\", \"Registry\",\n // IocContext[0].ioc_type == \"\", \"Url\",\n IocContext[0].ioc_type == \"domain\", \"Host\",\n // IocContext[0].ioc_type == \"\", \"Cloud Resource\",\n // IocContext[0].ioc_type == \"\", \"Application\",\n IocContext[0].ioc_type in (\"hash_sha256\"), \"File\",\n // IocContext[0].ioc_type == \"\", \"Email\",\n // IocContext[0].ioc_type == \"\", \"Mailbox\",\n // IocContext[0].ioc_type == \"\", \"Logon Session\",\n \"\"\n ),\n AttackTactics = iif(TacticId startswith_cs \"TA\", Tactic, \"\"),\n AttackTechniques = iif(TechniqueId startswith_cs \"T\", strcat(Technique, \" (\", TechniqueId, \")\"), \"\"),\n ThreatOriginalRiskLevel = tostring(Severity),\n ThreatOriginalConfidence = tostring(Confidence),\n UserIdType = case(\n isnotempty(UserId) and UserId startswith_cs \"S-\", \"SID\",\n isnotempty(UserId), \"Other\",\n \"\"\n ),\n Username = coalesce(UserPrincipal, UserName),\n FileName = Filename,\n FilePath = Filepath,\n FileSHA1 = Sha1,\n FileSHA256 = Sha256\n | project-rename\n AlertName = Name,\n AlertOriginalStatus = Status,\n ThreatRiskLevel = Severity,\n ThreatConfidence = Confidence,\n ProcessCommandLine = Cmdline,\n ProcessName = Filename\n | extend\n UsernameType = case(\n Username contains \"@\", \"UPN\",\n isnotempty(Username), \"Simple\",\n \"\"\n ),\n User = Username,\n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n AdditionalFields = iif(\n pack, bag_pack(\n \"Device\", Device,\n \"GlobalPrevalence\", GlobalPrevalence,\n \"GrandparentDetails\", 
GrandparentDetails,\n \"LocalPrevalence\", LocalPrevalence,\n \"ParentDetails\", ParentDetails,\n \"PatternDispositionDetails\", PatternDispositionDetails,\n \"Objective\", Objective\n ),\n dynamic(null)\n )\n | project\n TimeGenerated\n , Type\n , AdditionalFields\n , AlertDescription\n , AlertId\n , AlertName\n , AlertOriginalStatus\n , AlertStatus\n // , AlertVerdict\n // , AttackRemediationSteps\n , AttackTactics\n , AttackTechniques\n , DetectionMethod\n // , DvcAction\n // , DvcDescription\n , DvcDomain\n , DvcDomainType\n // , DvcFQDN\n , DvcHostname\n , DvcId\n , DvcIdType\n // , DvcInterface\n , DvcIpAddr\n // , DvcMacAddr\n , DvcOriginalAction\n , DvcOs\n , DvcOsVersion\n // , DvcScope\n // , DvcScopeId\n // , DvcZone\n // , EmailMessageId\n // , EmailSubject\n , EventCount\n , EventEndTime\n , EventMessage\n , EventOriginalSeverity\n , EventOriginalSubType\n , EventOriginalType\n , EventOriginalUid\n // , EventOwner\n , EventProduct\n , EventProductVersion\n , EventReportUrl\n //, EventResult\n , EventSchema\n , EventSchemaVersion\n , EventSeverity\n , EventStartTime\n , EventSubType\n , EventType\n , EventUid\n , EventVendor\n //, FileMD5\n , FileName\n , FilePath\n , FileSHA1\n , FileSHA256\n //, FileSize\n , Hostname\n //, IndicatorAssociation\n , IndicatorType\n , IpAddr\n //, OriginalUserType\n , ProcessCommandLine\n //, ProcessFileCompany\n , ProcessId\n , ProcessName\n // , RegistryKey\n // , RegistryValue\n // , RegistryValueData\n // , RegistryValueType\n , Rule\n , RuleDescription\n , RuleName\n , RuleNumber\n //, ThreatCategory\n , ThreatConfidence\n // , ThreatFirstReportedTime\n // , ThreatId\n // , ThreatIsActive\n // , ThreatLastReportedTime\n , ThreatName\n // , ThreatOriginalCategory\n , ThreatOriginalConfidence\n , ThreatOriginalRiskLevel\n , ThreatRiskLevel\n // , Url\n , User\n , UserId\n , UserIdType\n , Username\n , UsernameType\n // , UserScope\n // , UserScopeId\n // , UserSessionId\n // , UserType\n};\nparser(\n pack=pack,\n 
disabled=disabled\n)",
"version": 1,
"functionParameters": "disabled:bool=False,pack:bool=False"
}
}
]
}
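Review bot: In the query, `AlertStatus = iif(Status in ("new", "in_progress"), "Active", "Closed")` uses the case-sensitive `in`, so a status delivered as `New` or `In_Progress` would be normalized to `Closed` and an open detection would drop out of active-alert views; unless the connector is known to emit lowercase values only, `Status in~ ("new", "in_progress")` is the safer match, and the same consideration applies to the `EventOriginalSeverity` comparisons inside `EventSeverity`. Separately, `ProcessId` is listed in the final `project` but is never produced by any `extend` or `project-rename` in the query, so it presumably comes straight from `CrowdStrikeDetections` — worth confirming that column exists, since the `project` fails otherwise. The query also mixes `iff` (in `DvcIdType`) with `iif` everywhere else; settling on one reads more consistently.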
@@ -0,0 +1,21 @@
# CrowdStrike Falcon ASIM AlertEvent Normalization Parser

ARM template for ASIM AlertEvent schema parser for CrowdStrike Falcon.

This ASIM parser supports normalizing the CrowdStrike API logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.


The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.

For more information, see:

- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM AlertEvent normalization schema reference](https://aka.ms/ASimAlertEventDoc)

For the changelog, see:
- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCrowdStrikeFalcon.md)

<br>

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAlertEvent%2FARM%2FASimAlertEventCrowdStrikeFalcon%2FASimAlertEventCrowdStrikeFalcon.json)
40 changes: 40 additions & 0 deletions Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Expand Up @@ -78,6 +78,26 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAlertEventCrowdStrikeFalcon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/ASimAlertEventCrowdStrikeFalcon/ASimAlertEventCrowdStrikeFalcon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
Expand Down Expand Up @@ -198,6 +218,26 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAlertEventCrowdStrikeFalcon",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAlertEvent/ARM/vimAlertEventCrowdStrikeFalcon/vimAlertEventCrowdStrikeFalcon.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
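Review bot: The `templateLink.uri` of the new `linkedvimAlertEventCrowdStrikeFalcon` deployment (and the `linkedASimAlertEventCrowdStrikeFalcon` one in the first hunk) points at the `master` branch, so the full deployment fetches whatever is at that path at deploy time and the `contentVersion` of `1.0.0.0` does not pin content; this matches the existing entries, so it reads as a repository-wide convention rather than something to change in this PR. The `vimAlertEventCrowdStrikeFalcon.json` template it references is not visible in this change, though, and must exist on `master` before merge or the linked deployment will fail to resolve. Both added resources otherwise mirror the neighbouring entries exactly.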