Merge pull request Azure#9348 from Azure/v-atulyadav/crowdstrike

Repackaged CrowdStrike Falcon Endpoint Protection

Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json

@@ -54,7 +54,7 @@
     "instructionSteps": [
         { 
             "title": "", 
-            "description":  "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Parsers/CrowdstrikeFalconEventStream.txt), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
+            "description":  "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias Crowd Strike Falcon Endpoint Protection and load the function code or click [here](https://aka.ms/sentinel-crowdstrikefalconendpointprotection-parser), on the second line of the query, enter the hostname(s) of your CrowdStrikeFalcon device(s) and any other unique identifiers for the logstream. The function usually takes 10-15 minutes to activate after solution installation/update.",
             "instructions": [ 
             ]    
         }, 

Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json

@@ -9,7 +9,7 @@
     "Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json"
   ],
   "Parsers": [
-    "Parsers/CrowdStrikeFalconEventStream.txt",
+    "Parsers/CrowdStrikeFalconEventStream.yaml",
     "Parsers/CrowdstrikeReplicator.yaml",
     "Parsers/CrowdStrikeReplicatorV2.yaml"
   ],
@@ -25,7 +25,7 @@
     "Playbooks/CrowdStrike_Enrichment_GetDeviceInformation/azuredeploy.json",
     "Playbooks/CrowdStrike_ContainHost/azuredeploy.json"
   ],
-  "BasePath": "C:\\Users\\demehra\\source\\repos\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
   "Version": "3.0.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,

Solutions/CrowdStrike Falcon Endpoint Protection/Data/system_generated_metadata.json

@@ -0,0 +1,39 @@
+{
+  "Name": "CrowdStrike Falcon Endpoint Protection",
+  "Author": "Microsoft - support@microsoft.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Data%20Connectors/Logo/crowdstrike.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "The [CrowdStrike Falcon Endpoint Protection](https://www.crowdstrike.com/products/) solution allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel, to create custom dashboards, alerts, and improve investigation. This gives you more insight into your organization's endpoints and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (Syslog)](https://docs.microsoft.com/azure/sentinel/connect-syslog)\n2. [Azure Monitor Logs: DCR-based Custom Logs](https://learn.microsoft.com/azure/azure-monitor/logs/custom-logs-overview)\n3. [Codeless Connector Platform (CCP)](https://learn.microsoft.com/azure/sentinel/create-codeless-connector?tabs=deploy-via-arm-template%2Cconnect-via-the-azure-portal)",
+  "BasePath": "C:\\Users\\demehra\\source\\repos\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1Pconnector": false,
+  "publisherId": "azuresentinel",
+  "offerId": "azure-sentinel-solution-crowdstrikefalconep",
+  "providers": [
+    "Crowdstrike"
+  ],
+  "categories": {
+    "domains": [
+      "Security - Threat Protection",
+      "Security - Automation (SOAR)"
+    ],
+    "verticals": []
+  },
+  "firstPublishDate": "2022-06-01",
+  "support": {
+    "name": "Microsoft Corporation",
+    "email": "support@microsoft.com",
+    "tier": "Microsoft",
+    "link": "https://support.microsoft.com"
+  },
+  "Data Connectors": "[\n  \"Data Connectors/CrowdstrikeReplicator/CrowdstrikeReplicator_API_FunctionApp.json\",\n  \"Data Connectors/Connector_Syslog_CrowdStrikeFalconEndpointProtection.json\",\n  \"Data Connectors/CrowdstrikeReplicatorCLv2/CrowdstrikeReplicatorV2_ConnectorUI.json\"\n]",
+  "Parsers": "[\n  \"CrowdStrikeFalconEventStream.yaml\",\n  \"CrowdstrikeReplicator.yaml\",\n  \"CrowdStrikeReplicatorV2.yaml\"\n]",
+  "Playbooks": [
+    "Playbooks/CrowdStrike_Base/azuredeploy.json",
+    "Playbooks/CrowdStrike_ContainHost/azuredeploy.json",
+    "Playbooks/CrowdStrike_Enrichment_GetDeviceInformation/azuredeploy.json"
+  ],
+  "Workbooks": "[\n  \"Workbooks/CrowdStrikeFalconEndpointProtection.json\"\n]",
+  "Analytic Rules": "[\n  \"CriticalOrHighSeverityDetectionsByUser.yaml\",\n  \"CriticalSeverityDetection.yaml\"\n]"
+}