What Changed

The CrowdStrike API Data Connector was enhanced to support multiple domain configurations. Users can now deploy multiple instances of the connector with unique aliases to collect data from different CrowdStrike domains (e.g., production and sandbox environments).

Security Impact (Visibility & Fidelity)

This enhancement addresses a visibility gap for organizations operating multiple CrowdStrike domains or instances. Previously, deployments were limited to a single CrowdStrike instance per workspace, forcing SOC teams to choose between environments or manually manage multiple configurations.

Key improvements:

  • Multi-tenancy support: Organizations can now monitor multiple CrowdStrike instances from a single Microsoft Sentinel workspace
  • Environment segregation: Production and sandbox data can be ingested simultaneously with distinct connection aliases
  • Data type selection: Granular control over which data types (Alerts, Cases, Detections, Hosts, Vulnerabilities) are collected per domain

Configuration Changes

The connector configuration now includes:

  • Connection Alias field: Required unique identifier for each CrowdStrike instance
  • Data type selector: Multi-select dropdown allowing per-connection data type configuration
  • Dynamic resource naming: Connector instances use uniqueString(parameters('friendlyName')) to prevent naming conflicts
  • Conditional deployment: Each data type poller deploys only when selected via contains(parameters('selectedDataTypes'))

Organizations should update existing deployments to take advantage of multi-domain capabilities and ensure proper data collection coverage across all CrowdStrike environments.
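The following ARM template fragment is an added illustration of the naming and conditional-deployment pattern described above; it is not the project's CrowdStrikeAPI_Definition.json or mainTemplate.json. The parameter names friendlyName and selectedDataTypes come from the page, while the resource type, apiVersion, kind and the contents of properties are assumptions made for the example.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "string",
      "metadata": { "description": "Target Microsoft Sentinel workspace name" }
    },
    "friendlyName": {
      "type": "string",
      "metadata": { "description": "Connection alias; must differ per CrowdStrike domain (e.g. prod, sandbox)" }
    },
    "selectedDataTypes": {
      "type": "array",
      "defaultValue": [ "Alerts", "Detections" ],
      "metadata": { "description": "Any of: Alerts, Cases, Detections, Hosts, Vulnerabilities" }
    }
  },
  "variables": {
    "instanceSuffix": "[uniqueString(parameters('friendlyName'))]"
  },
  "resources": [
    {
      "condition": "[contains(parameters('selectedDataTypes'), 'Alerts')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
      "apiVersion": "2023-02-01-preview",
      "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/CrowdStrikeAlerts-', variables('instanceSuffix'))]",
      "kind": "RestApiPoller",
      "properties": {
        "connectorDefinitionName": "[concat('CrowdStrikeAPI-', variables('instanceSuffix'))]",
        "dataType": "Alerts"
      }
    },
    {
      "condition": "[contains(parameters('selectedDataTypes'), 'Detections')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
      "apiVersion": "2023-02-01-preview",
      "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/CrowdStrikeDetections-', variables('instanceSuffix'))]",
      "kind": "RestApiPoller",
      "properties": {
        "connectorDefinitionName": "[concat('CrowdStrikeAPI-', variables('instanceSuffix'))]",
        "dataType": "Detections"
      }
    }
  ]
}
```

Deploying this twice with friendlyName set to "prod" and then "sandbox" produces two disjoint sets of poller resources, and a poller whose data type is absent from selectedDataTypes is skipped rather than created empty. Because uniqueString is deterministic, reusing an alias for a second domain yields identical resource names and the later deployment silently overwrites the earlier one, so alias uniqueness is worth checking before deployment.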

Affected Files

Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_Definition.json
Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeAPI_ccp/CrowdStrikeAPI_PollingConfig.json
(packaging artefacts: 3.3.6.zip, ReleaseNotes.md, Solution_CrowdStrike.json, mainTemplate.json)