{ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "metadata": { "author": "Data443 Risk Mitigation, Inc. - support@data443.com", "comments": "Solution template for Cyren-CrowdStrike-ThreatIntelligence" }, "parameters": { "location": { "type": "string", "minLength": 1, "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" } }, "workspace-location": { "type": "string", "defaultValue": "", "metadata": { "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" } }, "workspace": { "defaultValue": "", "type": "string", "metadata": { "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" } } }, "variables": { "email": "support@data443.com", "_email": "[variables('email')]", "_solutionName": "Cyren-CrowdStrike-ThreatIntelligence", "_solutionVersion": "3.0.0", "solutionId": "data443riskmitigationinc1761580347231.azure-sentinel-solution-cyren-cs-ioc-automation", "_solutionId": "[variables('solutionId')]", "Playbooks": "Playbooks", "_Playbooks": "[variables('Playbooks')]", "blanks": "[replace('b', 'b', '')]", "playbookVersion1": "1.0.0", "playbookContentId1": "Playbooks", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { "description": "pb-cyren-to-crowdstrike Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", "parameters": { "PlaybookName": { "type": "string", "defaultValue": "pb-cyren-to-crowdstrike" }, "Cyren_IpReputation_JwtToken": { "type": "securestring", "defaultValue": "", "metadata": { "description": "Cyren CCF JWT Bearer Token for IP Reputation feed. Leave empty if not purchased." } }, "Cyren_MalwareUrl_JwtToken": { "type": "securestring", "defaultValue": "", "metadata": { "description": "Cyren CCF JWT Bearer Token for Malware URL feed. Leave empty if not purchased." } }, "CrowdStrike_ClientId": { "type": "securestring", "defaultValue": "", "metadata": { "description": "CrowdStrike OAuth2 Client ID" } }, "CrowdStrike_ClientSecret": { "type": "securestring", "defaultValue": "", "metadata": { "description": "CrowdStrike OAuth2 Client Secret" } }, "CrowdStrike_BaseUrl": { "type": "string", "defaultValue": "", "metadata": { "description": "CrowdStrike API Base URL (e.g. https://api.crowdstrike.com or https://api.us-2.crowdstrike.com). 
Check your CrowdStrike region." } }, "workspace": { "type": "string", "metadata": { "description": "Workspace name for Log Analytics" } } }, "variables": { "workspaceResourceId": "[[resourceId('Microsoft.OperationalInsights/workspaces', variables('workspace-name'))]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]" }, "resources": [ { "type": "Microsoft.Logic/workflows", "apiVersion": "2019-05-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", "tags": { "hidden-SentinelTemplateName": "CyrenToCrowdStrike", "hidden-SentinelTemplateVersion": "1.0.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, "properties": { "state": "Enabled", "parameters": { "Cyren_IpReputation_JwtToken": { "value": "[[parameters('Cyren_IpReputation_JwtToken')]" }, "Cyren_MalwareUrl_JwtToken": { "value": "[[parameters('Cyren_MalwareUrl_JwtToken')]" }, "CrowdStrike_ClientId": { "value": "[[parameters('CrowdStrike_ClientId')]" }, "CrowdStrike_ClientSecret": { "value": "[[parameters('CrowdStrike_ClientSecret')]" }, "CrowdStrike_BaseUrl": { "value": "[[parameters('CrowdStrike_BaseUrl')]" } }, "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { "Cyren_BaseUrl": { "type": "string", "defaultValue": "https://api-feeds.cyren.com/v1/feed/data" }, "Cyren_IpReputation_JwtToken": { "type": "securestring", "defaultValue": "[variables('blanks')]" }, "Cyren_MalwareUrl_JwtToken": { "type": "securestring", "defaultValue": "[variables('blanks')]" }, "CrowdStrike_BaseUrl": { "type": "string", "defaultValue": "[variables('blanks')]" }, "CrowdStrike_ClientId": { "type": "securestring", "defaultValue": "[variables('blanks')]" }, "CrowdStrike_ClientSecret": { "type": "securestring", "defaultValue": "[variables('blanks')]" } }, "triggers": { 
"Recurrence": { "type": "Recurrence", "recurrence": { "frequency": "Hour", "interval": 6, "timeZone": "UTC" } } }, "actions": { "Initialize_IpRep_PersistentToken": { "type": "InitializeVariable", "inputs": { "variables": [ { "name": "ipRepPersistentToken", "type": "string", "value": "[variables('blanks')]" } ] } }, "Initialize_MalwareUrl_PersistentToken": { "type": "InitializeVariable", "runAfter": { "Initialize_IpRep_PersistentToken": [ "Succeeded" ] }, "inputs": { "variables": [ { "name": "malwareUrlPersistentToken", "type": "string", "value": "[variables('blanks')]" } ] } }, "Initialize_IpRep_ContinuePolling": { "type": "InitializeVariable", "runAfter": { "Initialize_MalwareUrl_PersistentToken": [ "Succeeded" ] }, "inputs": { "variables": [ { "name": "ipRepContinuePolling", "type": "boolean", "value": true } ] } }, "Initialize_MalwareUrl_ContinuePolling": { "type": "InitializeVariable", "runAfter": { "Initialize_IpRep_ContinuePolling": [ "Succeeded" ] }, "inputs": { "variables": [ { "name": "malwareUrlContinuePolling", "type": "boolean", "value": true } ] } }, "Get_CrowdStrike_Token": { "type": "Http", "inputs": { "method": "POST", "uri": "@{parameters('CrowdStrike_BaseUrl')}/oauth2/token", "headers": { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "data443-cyren-crowdstrike/1.0" }, "body": "client_id=@{parameters('CrowdStrike_ClientId')}&client_secret=@{parameters('CrowdStrike_ClientSecret')}" }, "runAfter": { "Initialize_MalwareUrl_ContinuePolling": [ "Succeeded" ] } }, "Scope_IpReputation_Feed": { "type": "If", "runAfter": { "Get_CrowdStrike_Token": [ "Succeeded" ] }, "expression": { "and": [ { "not": { "equals": [ "@parameters('Cyren_IpReputation_JwtToken')", "" ] } } ] }, "actions": { "Poll_IpRep_Cyren_Feed": { "type": "Until", "expression": "@equals(variables('ipRepContinuePolling'), false)", "limit": { "count": 10, "timeout": "PT1H" }, "actions": { "Build_IpRep_Cyren_Url": { "type": "Compose", "inputs": 
"@{concat(parameters('Cyren_BaseUrl'), '?feedId=ip_reputation&count=1000&queryWindowInMin=360', if(equals(variables('ipRepPersistentToken'), ''), '', uriComponentToString(uri('&token=', encodeUriComponent(variables('ipRepPersistentToken'))))))}" }, "Get_IpRep_Indicators": { "type": "Http", "runAfter": { "Build_IpRep_Cyren_Url": [ "Succeeded" ] }, "inputs": { "method": "GET", "uri": "@{outputs('Build_IpRep_Cyren_Url')}", "headers": { "Authorization": "@{concat('Bearer ', parameters('Cyren_IpReputation_JwtToken'))}", "Accept": "application/json" } } }, "Split_IpRep_NDJSON": { "type": "Compose", "inputs": "@split(trim(string(body('Get_IpRep_Indicators'))), decodeUriComponent('%0A'))", "runAfter": { "Get_IpRep_Indicators": [ "Succeeded" ] } }, "Filter_IpRep_Empty_Lines": { "type": "Query", "inputs": { "from": "@outputs('Split_IpRep_NDJSON')", "where": "@not(equals(trim(item()), ''))" }, "runAfter": { "Split_IpRep_NDJSON": [ "Succeeded" ] } }, "Check_IpRep_Has_Data": { "type": "If", "expression": { "and": [ { "greater": [ "@length(body('Filter_IpRep_Empty_Lines'))", 0 ] } ] }, "runAfter": { "Filter_IpRep_Empty_Lines": [ "Succeeded" ] }, "actions": { "For_Each_IpRep_Indicator": { "type": "Foreach", "foreach": "@body('Filter_IpRep_Empty_Lines')", "runtimeConfiguration": { "concurrency": { "repetitions": 1 } }, "actions": { "Check_IpRep_LastSeen_Recent": { "type": "If", "expression": { "or": [ { "equals": [ "@coalesce(item()?['last_seen'], '')", "" ] }, { "greaterOrEquals": [ "@coalesce(item()?['last_seen'], utcNow())", "@addDays(utcNow(), -2)" ] } ] }, "actions": { "Post_IpRep_IOC_to_CrowdStrike": { "type": "Http", "inputs": { "method": "POST", "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true", "headers": { "Content-Type": "application/json", "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}", "User-Agent": "data443-cyren-crowdstrike/1.0" }, "body": { "indicators": [ { "type": "ipv4", 
"value": "@{item()?['identifier']}", "action": "detect", "severity": "medium", "source": "Cyren Threat Intelligence", "description": "Cyren ip_reputation | Risk: @{coalesce(item()?['detection']?['risk'], 'N/A')} | Last Seen: @{coalesce(item()?['last_seen'], 'N/A')}", "expiration": "@{addDays(utcNow(), 30)}", "platforms": [ "windows", "mac", "linux" ], "tags": [ "cyren", "ip_reputation" ], "applied_globally": true } ] } } } } } } } }, "else": { "actions": { "No_IpRep_Data_Stop": { "type": "SetVariable", "inputs": { "name": "ipRepContinuePolling", "value": false } } } } }, "Check_IpRep_Pagination": { "type": "If", "expression": { "and": [ { "less": [ "@length(body('Filter_IpRep_Empty_Lines'))", 1000 ] } ] }, "runAfter": { "Check_IpRep_Has_Data": [ "Succeeded" ] }, "actions": { "Extract_IpRep_Last_Offset": { "type": "Compose", "inputs": "@string(json(last(body('Filter_IpRep_Empty_Lines')))?['offset'])" }, "Update_IpRep_PersistentToken": { "type": "SetVariable", "runAfter": { "Extract_IpRep_Last_Offset": [ "Succeeded" ] }, "inputs": { "name": "ipRepPersistentToken", "value": "@{outputs('Extract_IpRep_Last_Offset')}" } } }, "else": { "actions": { "Stop_IpRep_Polling": { "type": "SetVariable", "inputs": { "name": "ipRepContinuePolling", "value": false } } } } } } } } }, "Scope_MalwareUrl_Feed": { "type": "If", "runAfter": { "Scope_IpReputation_Feed": [ "Succeeded" ] }, "expression": { "and": [ { "not": { "equals": [ "@parameters('Cyren_MalwareUrl_JwtToken')", "" ] } } ] }, "actions": { "Poll_MalwareUrl_Cyren_Feed": { "type": "Until", "expression": "@equals(variables('malwareUrlContinuePolling'), false)", "limit": { "count": 10, "timeout": "PT1H" }, "actions": { "Build_MalwareUrl_Cyren_Url": { "type": "Compose", "inputs": "@{concat(parameters('Cyren_BaseUrl'), '?feedId=malware_urls&count=1000&queryWindowInMin=360', if(equals(variables('malwareUrlPersistentToken'), ''), '', uriComponentToString(uri('&token=', encodeUriComponent(variables('malwareUrlPersistentToken'))))))}" 
}, "Get_MalwareUrl_Indicators": { "type": "Http", "runAfter": { "Build_MalwareUrl_Cyren_Url": [ "Succeeded" ] }, "inputs": { "method": "GET", "uri": "@{outputs('Build_MalwareUrl_Cyren_Url')}", "headers": { "Authorization": "@{concat('Bearer ', parameters('Cyren_MalwareUrl_JwtToken'))}", "Accept": "application/json" } } }, "Split_MalwareUrl_NDJSON": { "type": "Compose", "inputs": "@split(trim(string(body('Get_MalwareUrl_Indicators'))), decodeUriComponent('%0A'))", "runAfter": { "Get_MalwareUrl_Indicators": [ "Succeeded" ] } }, "Filter_MalwareUrl_Empty_Lines": { "type": "Query", "inputs": { "from": "@outputs('Split_MalwareUrl_NDJSON')", "where": "@not(equals(trim(item()), ''))" }, "runAfter": { "Split_MalwareUrl_NDJSON": [ "Succeeded" ] } }, "Check_MalwareUrl_Has_Data": { "type": "If", "expression": { "and": [ { "greater": [ "@length(body('Filter_MalwareUrl_Empty_Lines'))", 0 ] } ] }, "runAfter": { "Filter_MalwareUrl_Empty_Lines": [ "Succeeded" ] }, "actions": { "For_Each_MalwareUrl_Indicator": { "type": "Foreach", "foreach": "@body('Filter_MalwareUrl_Empty_Lines')", "runtimeConfiguration": { "concurrency": { "repetitions": 1 } }, "actions": { "Check_MalwareUrl_LastSeen_Recent": { "type": "If", "expression": { "or": [ { "equals": [ "@coalesce(item()?['last_seen'], '')", "" ] }, { "greaterOrEquals": [ "@coalesce(item()?['last_seen'], utcNow())", "@addDays(utcNow(), -2)" ] } ] }, "actions": { "Post_MalwareUrl_IOC_to_CrowdStrike": { "type": "Http", "inputs": { "method": "POST", "uri": "@{parameters('CrowdStrike_BaseUrl')}/iocs/entities/indicators/v1?ignore_warnings=true", "headers": { "Content-Type": "application/json", "Authorization": "@{concat('Bearer ', body('Get_CrowdStrike_Token')?['access_token'])}", "User-Agent": "data443-cyren-crowdstrike/1.0" }, "body": { "indicators": [ { "type": "domain", "value": "@{coalesce(item()?['url'], item()?['identifier'])}", "action": "detect", "severity": "medium", "source": "Cyren Threat Intelligence", "description": "Cyren 
malware_urls | Risk: @{coalesce(item()?['detection']?['risk'], 'N/A')} | Last Seen: @{coalesce(item()?['last_seen'], 'N/A')}", "expiration": "@{addDays(utcNow(), 30)}", "platforms": [ "windows", "mac", "linux" ], "tags": [ "cyren", "malware_urls" ], "applied_globally": true } ] } } } } } } } }, "else": { "actions": { "No_MalwareUrl_Data_Stop": { "type": "SetVariable", "inputs": { "name": "malwareUrlContinuePolling", "value": false } } } } }, "Check_MalwareUrl_Pagination": { "type": "If", "expression": { "and": [ { "less": [ "@length(body('Filter_MalwareUrl_Empty_Lines'))", 1000 ] } ] }, "runAfter": { "Check_MalwareUrl_Has_Data": [ "Succeeded" ] }, "actions": { "Extract_MalwareUrl_Last_Offset": { "type": "Compose", "inputs": "@string(json(last(body('Filter_MalwareUrl_Empty_Lines')))?['offset'])" }, "Update_MalwareUrl_PersistentToken": { "type": "SetVariable", "runAfter": { "Extract_MalwareUrl_Last_Offset": [ "Succeeded" ] }, "inputs": { "name": "malwareUrlPersistentToken", "value": "@{outputs('Extract_MalwareUrl_Last_Offset')}" } } }, "else": { "actions": { "Stop_MalwareUrl_Polling": { "type": "SetVariable", "inputs": { "name": "malwareUrlContinuePolling", "value": false } } } } } } } } } } } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", "properties": { "parentId": "[variables('playbookId1')]", "contentId": "[variables('_playbookContentId1')]", "kind": "Playbook", "version": "[variables('playbookVersion1')]", "source": { "kind": "Solution", "name": "Cyren-CrowdStrike-ThreatIntelligence", "sourceId": "[variables('_solutionId')]" }, "author": { "name": "Data443 Risk Mitigation, Inc.", "email": "[variables('_email')]" }, "support": { "name": "Data443 Risk Mitigation, Inc.", "email": "support@data443.com", "tier": "Partner", "link": "https://www.data443.com" } } } ], 
"metadata": { "title": "Cyren to CrowdStrike IOC Automation", "description": "This playbook fetches IP reputation and/or malware URL threat intelligence indicators from the Cyren CCF API feed and creates the corresponding IOCs in CrowdStrike Falcon for automated threat detection and response. Customers can provide one or both Cyren feed tokens.", "prerequisites": [ "1. Cyren CCF JWT Bearer Token for IP Reputation feed (optional if not purchased)", "2. Cyren CCF JWT Bearer Token for Malware URL feed (optional if not purchased)", "3. At least one of the above tokens is required", "4. CrowdStrike OAuth2 Client ID and Client Secret", "5. CrowdStrike API Base URL" ], "postDeployment": [ "1. Provide the Cyren_IpReputation_JwtToken if you purchased the IP Reputation feed (leave empty if not).", "2. Provide the Cyren_MalwareUrl_JwtToken if you purchased the Malware URL feed (leave empty if not).", "3. Configure the CrowdStrike_ClientId, CrowdStrike_ClientSecret, and CrowdStrike_BaseUrl parameters.", "4. Enable the Logic App and verify that the recurrence trigger is set to your desired interval." 
], "lastUpdateTime": "2026-03-23T00:00:00Z", "tags": [ "ThreatIntelligence", "IOC", "CrowdStrike", "Cyren" ], "releaseNotes": [ { "version": "1.0.0", "title": "pb-cyren-to-crowdstrike", "notes": [ "Initial version of Cyren to CrowdStrike IOC Automation playbook with dual-feed support" ] } ] } }, "packageKind": "Solution", "packageVersion": "[variables('_solutionVersion')]", "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", "contentId": "[variables('_playbookContentId1')]", "contentKind": "Playbook", "displayName": "pb-cyren-to-crowdstrike", "contentProductId": "[variables('_playbookcontentProductId1')]", "id": "[variables('_playbookcontentProductId1')]", "version": "[variables('playbookVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { "version": "3.0.0", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Cyren-CrowdStrike-ThreatIntelligence", "publisherDisplayName": "Data443 Risk Mitigation, Inc.", "descriptionHtml": "
Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cyren CrowdStrike Threat Intelligence solution polls Cyren CCF threat intelligence feeds (IP reputation, malware URLs) and pushes IOCs to CrowdStrike Falcon's Custom IOC API for detection and response.
\nPlaybooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", "icon": "