Solution: Cyren CrowdStrike IOC Automation (Official) #13658
mazamizo21 wants to merge 14 commits into Azure:master
|
Hi @mazamizo21 Kindly package this as a new solution with version 3.0.0 and update the release notes accordingly. Thanks! |
|
Hi @v-maheshbh, Done — repackaged as v3.0.0 per your request. Changes made:
Please let me know if any further changes are needed. Thanks! |
|
Hi @v-maheshbh — same here, repackaged as v3.0.0 per your guidance. Ready for review when you get a chance. Thanks! |
|
Hi @mazamizo21 Kindly remove the 1.0.0 zip as it is not required and update the release notes accordingly. Thanks! |
|
Hi @v-maheshbh — done! Removed the 1.0.0 zip and updated the release notes to reflect 3.0.0 as the initial release. Thanks! |
Thanks! |
- Initial release of Cyren → CrowdStrike Falcon IOC automation connector
- Logic App: polls Cyren CCF feed (NDJSON), pushes IOCs to CrowdStrike /iocs/entities/indicators/v1
- OAuth2 Bearer token auth with CrowdStrike API
- User-Agent: data443-cyren-crowdstrike/1.0 on OAuth2 token + IOC POST calls
- 6-hour recurrence, PersistentToken pagination, cost safety parameters
- Hidden Sentinel tags for Content Hub visibility
- Zip contains only mainTemplate.json + createUiDefinition.json (cert rule 300.4.1.1)
|
Hi @mazamizo21 The playbook is not visible in Content Hub. Please review and update the metadata section to ensure the playbook is correctly defined and referenced in the solution metadata and main template.
Thanks! |
- playbookContentId1: 'Playbooks' -> 'CyrenToCrowdStrike'
- Removed spurious Playbooks/_Playbooks variables
- displayName: 'Playbooks' -> 'CyrenToCrowdStrike'
- Added missing hidden-SentinelTemplateName tag ('CyrenToCrowdStrike')
- Added missing hidden-SentinelTemplateVersion tag ('1.0')
- parentId in inner metadata: single bracket -> double bracket (ARM escape)
- Rebuilt 3.0.0.zip with fixed mainTemplate.json
|
Hi @v-maheshbh — fixed in the latest commit! Root cause: The V3 packaging tool generated a generic Changes made to
Please re-verify Content Hub visibility. Thanks! |
…Hub visibility (Azure#13658)
Root cause: playbookContentId1 was "Playbooks" (generic V3 output) causing contentId mismatch. hidden-SentinelTemplateName/TemplateVersion tags were missing entirely.
Changes:
- playbookContentId1: "Playbooks" → "CyrenToCrowdStrike"
- Added hidden-SentinelTemplateName: "CyrenToCrowdStrike" to Logic App tags
- Added hidden-SentinelTemplateVersion: "1.0" to Logic App tags
- description: "Playbooks Playbook..." → "CyrenToCrowdStrike Playbook..."
- displayName: "Playbooks" → "CyrenToCrowdStrike"
- contentId ref: _Playbooks → _playbookContentId1 (removed dangling variable ref)
- Removed spurious Playbooks/_Playbooks variables
- Rebuilt 3.0.0.zip
|
Hi @v-maheshbh — fixed in the latest commit (c36e81d)! Root cause identified: The V3 packaging tool set `playbookContentId1` to the generic string `"Playbooks"` and omitted `hidden-SentinelTemplateName`/`hidden-SentinelTemplateVersion` tags entirely. Content Hub could not find the playbook. Changes made to `mainTemplate.json`:
Please re-verify Content Hub visibility. Thanks! |
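The defects named in the comment and commit messages above (generic `playbookContentId1` and `displayName`, missing `hidden-SentinelTemplateName`/`hidden-SentinelTemplateVersion` tags, an unescaped `parentId` in the inner metadata) can be checked mechanically before the zip is rebuilt. The following is an added example, not code from this PR or from the Azure-Sentinel packaging tool; the trimmed template layout, the `playbookId1` variable and all function names are constructed for illustration.

```python
import json

GENERIC = "Playbooks"  # generic name the thread says the V3 packaging tool emitted
REQUIRED_TAGS = ("hidden-SentinelTemplateName", "hidden-SentinelTemplateVersion")

def walk(node, inner=False):
    """Yield (resource, inside_inner_template) for every resource in the tree."""
    if isinstance(node, dict):
        if isinstance(node.get("type"), str) and "/" in node["type"]:
            yield node, inner
        for key, value in node.items():
            yield from walk(value, inner or key == "mainTemplate")
    elif isinstance(node, list):
        for item in node:
            yield from walk(item, inner)

def check_template(text):
    """Return findings for the Content Hub visibility defects named in the thread."""
    template, findings = json.loads(text), []
    if template.get("variables", {}).get("playbookContentId1") == GENERIC:
        findings.append("playbookContentId1 is generic")
    for res, inner in walk(template.get("resources", [])):
        props = res.get("properties", {})
        if props.get("displayName") == GENERIC:
            findings.append("displayName is generic")
        if res["type"] == "Microsoft.Logic/workflows":
            tags = res.get("tags", {})
            findings += [f"missing tag {t}" for t in REQUIRED_TAGS if not tags.get(t)]
        if inner and res["type"].endswith("/metadata"):
            parent = props.get("parentId", "")
            # Inside a nested template, "[[" defers evaluation to install time.
            if parent.startswith("[") and not parent.startswith("[["):
                findings.append("inner parentId not escaped with [[")
    return findings

def sample(content_id, tags, parent_id):
    """Constructed, heavily trimmed mainTemplate.json; the layout is an assumption."""
    inner = {"resources": [
        {"type": "Microsoft.Logic/workflows", "tags": tags, "properties": {}},
        {"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
         "properties": {"parentId": parent_id}}]}
    outer = {"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
             "properties": {"displayName": content_id, "mainTemplate": inner}}
    return json.dumps({"variables": {"playbookContentId1": content_id}, "resources": [outer]})

BROKEN = sample("Playbooks", {}, "[variables('playbookId1')]")
FIXED = sample("CyrenToCrowdStrike", {"hidden-SentinelTemplateName": "CyrenToCrowdStrike",
               "hidden-SentinelTemplateVersion": "1.0"}, "[[variables('playbookId1')]")
if __name__ == "__main__":
    print(check_template(BROKEN), check_template(FIXED))
```

Running the check against the packaged `mainTemplate.json` in CI catches a regenerated package that reverts to the generic names.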
…aybook not visible in Content Hub (Mahesh Azure#13658)
|
Hi @v-maheshbh — fixed in this commit! Root cause (deep analysis vs TacitRed working reference): Fix applied to
Verified against TacitRed-SentinelOne (working reference):
Please re-verify Content Hub visibility. Thanks! |
…customers can now install without both tokens (Cyren-CrowdStrike (PR Azure#13658))
|
Hi @v-maheshbh — additional fix in the latest commit!
Change: Optional JWT token + Azure Marketplace trial link
Problem: Cyren feeds are sold as two separate SaaS offers on Azure Marketplace (IP Reputation and Malware URL). Customers who only purchase one feed were unable to install the connector because the JWT token field had an implicit required constraint — the Logic App would fail to deploy with an empty token.
Fix applied:
Marketplace link added to UI:
All 17/17 Content Hub visibility checks still passing. Thanks! |
…are_urls per purchased feed
…ks (IP Reputation + Malware URL)
…idate all fixes into single release
… workspace param, use workspace-name var
|
Hi @v-maheshbh — found and fixed the root cause of the playbook not appearing in Content Hub. Root cause (deeper issue): Specifically compared against
Changes in latest commit:
Please re-verify Content Hub visibility. Thanks! |
c36e81d to 521b906
|
Hi @mazamizo21 kindly review above changes. Thanks! |
|
Hi @v-maheshbh — updated in the latest commit! The metadata section is now reflected in both the standalone playbook file and the inner template within Please re-verify and let us know if any further changes are needed. Thanks! |



New Solution: Cyren-CrowdStrike-ThreatIntelligence v3.0.1
Overview
This solution deploys a Logic App playbook that syncs Cyren threat intelligence indicators (IP reputation and malware URLs) to CrowdStrike Falcon as IOCs for automated threat detection and blocking.
Solution Details
data443riskmitigationinc1761580347231.azure-sentinel-solution-cyren-cs-ioc-automation
Resources Deployed
Microsoft.Logic/workflows
Files (9)
- Package/mainTemplate.json
- Package/createUiDefinition.json
- Package/3.0.1.zip
- Package/1.0.0.zip
- Playbooks/CyrenToCrowdStrike_Playbook.json
- Data/Solution_CyrenCrowdStrike.json
- SolutionMetadata.json
- ReleaseNotes.md
- Package/testParameters.json
Relationship to Existing Solutions
This is the Cyren-branded version of the existing TacitRed-IOC-CrowdStrike solution (PR #13269, merged). Both use the same Logic App architecture but connect to different threat intelligence feeds:
Partner Center
azure-sentinel-solution-cyren-cs-ioc-automation
data443riskmitigationinc1761580347231