What Changed

New Microsoft Sentinel solution deploying a Logic App playbook that automates threat intelligence indicator synchronization between Cyren CCF feeds and CrowdStrike Falcon Custom IOC endpoints. The solution supports dual-feed architecture with optional JWT tokens for IP reputation and malware URL feeds.

Integration Architecture

Data Flow: Cyren CCF API feeds → Logic App polling (6-hour recurrence) → CrowdStrike Falcon Custom IOC API (/iocs/entities/indicators/v1)

Authentication: OAuth2 Bearer tokens for Cyren feeds; OAuth2 Client ID/Secret for CrowdStrike API access

Feed Types Supported:

  • IP reputation indicators (ip_reputation feedId)
  • Malware URL indicators (malware_urls feedId)

Deployment Configuration

The playbook requires region-specific CrowdStrike API base URLs (e.g., api.crowdstrike.com, api.us-2.crowdstrike.com) and implements persistent token pagination for reliable feed consumption. Customers can deploy with one or both Cyren feed subscriptions.

Security Impact

Enables automated IOC ingestion from Cyren threat intelligence into CrowdStrike Falcon for immediate threat blocking and detection. The 6-hour polling interval with lastSeen >= 2d filtering prevents re-pushing stale indicators while maintaining current threat coverage. This automation reduces manual IOC management overhead for SOC teams managing both platforms.

Affected Files

Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/CyrenToCrowdStrike_Playbook.json
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-basics.png
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/create-playbook-parameters.png
Solutions/Cyren-CrowdStrike-ThreatIntelligence/Playbooks/Images/playbook-template-visible.png
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_CyrenCrowdStrike.json, createUiDefinition.json, mainTemplate.json)