Closed MikeBakerSAV closed 10 months ago
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @MikeBakerSAV, thanks for flagging this issue. We will investigate it and get back to you with updates by 12-12-2023. Thanks!
Hi @MikeBakerSAV, we are working on a modification. Meanwhile, could you please follow the steps below and check whether the modified function works for you?
1. Go to LAW and search for CrowdstrikeFalconEventStream in functions.
2. Click on Load function code.
3. Then click on Save as a function and save the function with the name CrowdStrikeFalconEventStream.
4. Once the function is saved, check the Sentinel connection for which you are facing the issue. Thanks!
Hi @MikeBakerSAV, we are waiting for your response on the above comment. Thanks!
Hi @MikeBakerSAV, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 20-12-2023, we will be closing this issue. Thanks!
This seems to have resolved the problems for the workbook. We will check the other advanced modules for CS enrichment and see if there are other issues.
Hi @MikeBakerSAV, sure. Please check and let us know. Thanks!
Hi @MikeBakerSAV, I hope you are doing well. Just want to check: have you checked your advanced environment? Thanks!
This appears to be working through our smoke tests. I think you can close the issue.
Hi @MikeBakerSAV, thank you for your confirmation. Closing this issue. If you still need support for this issue, feel free to re-open it any time. Thank you for your co-operation.
Describe the bug: Sentinel connections and workbooks for CrowdStrike do not work due to inconsistent use of case when referencing "CrowdstrikeFalconEventStream" or "CrowdStrikeFalconEventStream" (note the issue with "strike" vs "Strike").
Previously reported in #8028.
To Reproduce: steps to reproduce the behavior:
Function (lower case s): https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Parsers/CrowdstrikeFalconEventStream.yaml
Workbook: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CrowdStrike%20Falcon%20Endpoint%20Protection/Workbooks/CrowdStrikeFalconEndpointProtection.json, line 120
Expected behavior: use of correct and consistent case.
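The mismatch described in this report, as an added example that is not part of the issue thread or of the Azure-Sentinel repo: Kusto identifiers are case-sensitive, so a workbook query that calls CrowdStrikeFalconEventStream fails when the saved function is named CrowdstrikeFalconEventStream (the workaround given in the thread is to save a second copy of the function under the CamelCase name). The Python below lints a parser YAML against a workbook JSON and reports every reference whose spelling differs in case from the parser's FunctionAlias. The sample parser and workbook contents are constructed to mimic the shape of the repo files, not copies of them; FunctionAlias is read with a regex rather than a YAML library to keep the example dependency-free, which is an assumption about the field always sitting on its own line.

```python
import json
import re
from typing import Iterable, Iterator

# Constructed sample parser YAML (same field layout as Azure-Sentinel parser files,
# not a copy of the real CrowdstrikeFalconEventStream.yaml).
PARSER_YAML = """\
id: 00000000-0000-0000-0000-000000000000
Function:
  Title: Parser for CrowdStrike Falcon Event Stream
  Version: '1.0.0'
Category: Microsoft Sentinel Parser
FunctionName: CrowdstrikeFalconEventStream
FunctionAlias: CrowdstrikeFalconEventStream
FunctionQuery: |
    CommonSecurityLog
    | where DeviceVendor == "CrowdStrike"
"""

# Constructed sample workbook JSON: one top-level KQL item and one nested group,
# deliberately mixing the two spellings of the function name.
WORKBOOK_JSON = json.dumps({
    "version": "Notebook/1.0",
    "items": [
        {"type": 3, "content": {"version": "KqlItem/1.0",
         "query": "CrowdStrikeFalconEventStream\n| summarize count() by EventType"}},
        {"type": 12, "content": {"version": "NotebookGroup/1.0", "items": [
            {"type": 3, "content": {"version": "KqlItem/1.0",
             "query": "CrowdstrikeFalconEventStream\n| where isnotempty(Computer)"}}]}},
    ],
})


def parser_alias(parser_yaml: str) -> str:
    """Return the FunctionAlias declared in a parser YAML (the name KQL callers must use)."""
    match = re.search(r"^FunctionAlias:\s*(\S+)\s*$", parser_yaml, re.MULTILINE)
    if not match:
        raise ValueError("parser YAML has no FunctionAlias field")
    return match.group(1)


def iter_queries(node: object) -> Iterator[str]:
    """Yield every 'query' string in a workbook JSON tree, descending into nested groups."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "query" and isinstance(value, str):
                yield value
            else:
                yield from iter_queries(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_queries(item)


def find_case_mismatches(alias: str, queries: Iterable[str]) -> list[str]:
    """Return the distinct spellings of `alias` that differ from it only in case."""
    pattern = re.compile(rf"\b{re.escape(alias)}\b", re.IGNORECASE)
    bad = set()
    for query in queries:
        for match in pattern.finditer(query):
            if match.group(0) != alias:  # Kusto would not resolve this reference
                bad.add(match.group(0))
    return sorted(bad)


def check_workbook(parser_yaml: str, workbook_json: str) -> list[str]:
    """Lint a workbook against its parser: non-empty result means broken references."""
    alias = parser_alias(parser_yaml)
    return find_case_mismatches(alias, iter_queries(json.loads(workbook_json)))


if __name__ == "__main__":
    alias = parser_alias(PARSER_YAML)
    mismatches = check_workbook(PARSER_YAML, WORKBOOK_JSON)
    for spelling in mismatches:
        print(f"workbook references {spelling!r} but the parser alias is {alias!r}")
    if not mismatches:
        print("all function references match the parser alias")
```

Run over a real solution folder, the same walk would cover hunting queries and analytic rule templates as well, since any KQL string that names the function is subject to the same case-sensitive lookup.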