What Changed
New Microsoft Sentinel solution deploying a Logic App playbook that automates threat intelligence indicator synchronization between Cyren CCF feeds and CrowdStrike Falcon Custom IOC endpoints. The solution supports dual-feed architecture with optional JWT tokens for IP reputation and malware URL feeds.
Integration Architecture
Data Flow: Cyren CCF API feeds → Logic App polling (6-hour recurrence) → CrowdStrike Falcon Custom IOC API (/iocs/entities/indicators/v1)
Authentication: OAuth2 Bearer tokens for Cyren feeds; OAuth2 Client ID/Secret for CrowdStrike API access
Feed Types Supported:
- IP reputation indicators (ip_reputation feedId)
- Malware URL indicators (malware_urls feedId)
Deployment Configuration
The playbook requires region-specific CrowdStrike API base URLs (e.g., api.crowdstrike.com, api.us-2.crowdstrike.com) and implements persistent token pagination for reliable feed consumption. Customers can deploy with one or both Cyren feed subscriptions.
Security Impact
Enables automated IOC ingestion from Cyren threat intelligence into CrowdStrike Falcon for immediate threat blocking and detection. The 6-hour polling interval with lastSeen >= 2d filtering prevents re-pushing stale indicators while maintaining current threat coverage. This automation reduces manual IOC management overhead for SOC teams managing both platforms.
Affected Files
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/CyrenToCrowdStrike_Playbook.json
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-basics.png
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-parameters.png
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-template-visible.png
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenCrowdStrike.json, createUiDefinition.json, mainTemplate.json)