CrowdStrike Falcon Adversary Connector - change TableName (#13402)

fuqing04 · Fuqing Wang · web-flow · commit 60793e122eac · 2026-01-09T10:36:47.000-05:00
* change tableName

* bump to v3.2.0

* bump maintemplate to v3.2.0

---------

Co-authored-by: Fuqing Wang &lt;fuqingwang@microsoft.com&gt;
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data Connectors/CrowdStrikeFalconAdversaryIntelligence/CrowdStrikeFalconAdversaryIntelligence_FunctionApp.json
@@ -7,26 +7,26 @@
         {
             "metricName": "Total data received",
             "legend": "Crowdstrike Indicators of Compromise",
-            "baseQuery": "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+            "baseQuery": "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
         }
     ],
     "sampleQueries": [
         {
             "description": "Threat Intel - Crowdstrike Indicators of Compromise",
-            "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+            "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
         }
     ],
     "dataTypes": [
         {
             "name": "IndicatorsOfCompromise",
-            "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+            "lastDataReceivedQuery": "ThreatIntelIndicators\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
         }
     ],
     "connectivityCriterias": [
         {
             "type": "IsConnectedQuery",
             "value": [
-                "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
+                "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
             ]
         }
     ],
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Data/Solution_CrowdStrike.json
@@ -30,7 +30,7 @@
    "azuresentinel.azure-sentinel-solution-commoneventformat"
    ],
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\CrowdStrike Falcon Endpoint Protection",
-  "Version": "3.1.8",
+  "Version": "3.2.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.2.0.zip b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/3.2.0.zip
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json b/Solutions/CrowdStrike Falcon Endpoint Protection/Package/mainTemplate.json
@@ -55,7 +55,7 @@
     "email": "support@microsoft.com",
     "_email": "[variables('email')]",
     "_solutionName": "CrowdStrike Falcon Endpoint Protection",
-    "_solutionVersion": "3.1.9",
+    "_solutionVersion": "3.2.0",
     "solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep",
     "_solutionId": "[variables('solutionId')]",
     "uiConfigId1": "CrowdstrikeReplicatorv2",
@@ -156,9 +156,7 @@
     "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",
     "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",
     "_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",
-    "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",
-    "stepId": "incidents_details",
-    "_stepId": "[variables('stepId')]"
+    "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
   },
   "resources": [
     {
@@ -577,26 +575,26 @@
                     {
                       "metricName": "Total data received",
                       "legend": "Crowdstrike Indicators of Compromise",
-                      "baseQuery": "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+                      "baseQuery": "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
                     }
                   ],
                   "sampleQueries": [
                     {
                       "description": "Threat Intel - Crowdstrike Indicators of Compromise",
-                      "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+                      "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
                     }
                   ],
                   "dataTypes": [
                     {
                       "name": "IndicatorsOfCompromise",
-                      "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+                      "lastDataReceivedQuery": "ThreatIntelIndicators\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
                     }
                   ],
                   "connectivityCriterias": [
                     {
                       "type": "IsConnectedQuery",
                       "value": [
-                        "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
+                        "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
                       ]
                     }
                   ],
@@ -769,27 +767,27 @@
             {
               "metricName": "Total data received",
               "legend": "Crowdstrike Indicators of Compromise",
-              "baseQuery": "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
+              "baseQuery": "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"
             }
           ],
           "dataTypes": [
             {
               "name": "IndicatorsOfCompromise",
-              "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
+              "lastDataReceivedQuery": "ThreatIntelIndicators\n              | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n              | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
             }
           ],
           "connectivityCriterias": [
             {
               "type": "IsConnectedQuery",
               "value": [
-                "ThreatIntelligenceIndicator\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
+                "ThreatIntelIndicators\n            | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(3d)"
               ]
             }
           ],
           "sampleQueries": [
             {
               "description": "Threat Intel - Crowdstrike Indicators of Compromise",
-              "query": "ThreatIntelligenceIndicator\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
+              "query": "ThreatIntelIndicators\n | where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n | sort by TimeGenerated desc"
             }
           ],
           "availability": {
@@ -9398,7 +9396,7 @@
                   "stepType": "Nested",
                   "nextSteps": [
                     {
-                      "stepId": "[variables('_stepId')]",
+                      "stepId": "incidents_details",
                       "stepPlaceholdersParsingKql": "source | project res = parse_json(data) | project resources = res['resources'] | mvexpand resources | project Url_PlaceHolder = resources"
                     }
                   ]
@@ -10134,52 +10132,52 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "CefAma",
                     "dataTypes": [
                       "CommonSecurityLog"
-                    ]
+                    ],
+                    "connectorId": "CefAma"
                   }
                 ],
                 "entityMappings": [
                   {
+                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "FullName",
-                        "columnName": "AccountCustomEntity"
+                        "columnName": "AccountCustomEntity",
+                        "identifier": "FullName"
                       }
-                    ],
-                    "entityType": "Account"
+                    ]
                   },
                   {
+                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "identifier": "FullName",
-                        "columnName": "HostCustomEntity"
+                        "columnName": "HostCustomEntity",
+                        "identifier": "FullName"
                       }
-                    ],
-                    "entityType": "Host"
+                    ]
                   },
                   {
+                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
                       }
-                    ],
-                    "entityType": "IP"
+                    ]
                   },
                   {
+                    "entityType": "FileHash",
                     "fieldMappings": [
                       {
-                        "identifier": "Algorithm",
-                        "columnName": "FileHashAlgo"
+                        "columnName": "FileHashAlgo",
+                        "identifier": "Algorithm"
                       },
                       {
-                        "identifier": "Value",
-                        "columnName": "FileHashCustomEntity"
+                        "columnName": "FileHashCustomEntity",
+                        "identifier": "Value"
                       }
-                    ],
-                    "entityType": "FileHash"
+                    ]
                   }
                 ]
               }
@@ -10263,52 +10261,52 @@
                 "status": "Available",
                 "requiredDataConnectors": [
                   {
-                    "connectorId": "CefAma",
                     "dataTypes": [
                       "CommonSecurityLog"
-                    ]
+                    ],
+                    "connectorId": "CefAma"
                   }
                 ],
                 "entityMappings": [
                   {
+                    "entityType": "Account",
                     "fieldMappings": [
                       {
-                        "identifier": "FullName",
-                        "columnName": "AccountCustomEntity"
+                        "columnName": "AccountCustomEntity",
+                        "identifier": "FullName"
                       }
-                    ],
-                    "entityType": "Account"
+                    ]
                   },
                   {
+                    "entityType": "Host",
                     "fieldMappings": [
                       {
-                        "identifier": "FullName",
-                        "columnName": "HostCustomEntity"
+                        "columnName": "HostCustomEntity",
+                        "identifier": "FullName"
                       }
-                    ],
-                    "entityType": "Host"
+                    ]
                   },
                   {
+                    "entityType": "IP",
                     "fieldMappings": [
                       {
-                        "identifier": "Address",
-                        "columnName": "IPCustomEntity"
+                        "columnName": "IPCustomEntity",
+                        "identifier": "Address"
                       }
-                    ],
-                    "entityType": "IP"
+                    ]
                   },
                   {
+                    "entityType": "FileHash",
                     "fieldMappings": [
                       {
-                        "identifier": "Algorithm",
-                        "columnName": "FileHashAlgo"
+                        "columnName": "FileHashAlgo",
+                        "identifier": "Algorithm"
                       },
                       {
-                        "identifier": "Value",
-                        "columnName": "FileHashCustomEntity"
+                        "columnName": "FileHashCustomEntity",
+                        "identifier": "Value"
                       }
-                    ],
-                    "entityType": "FileHash"
+                    ]
                   }
                 ]
               }
diff --git a/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md b/Solutions/CrowdStrike Falcon Endpoint Protection/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History**                                                             |
 |-------------|--------------------------------|--------------------------------------------------------------------------------|
+| 3.2.0       | 07-01-2026                     | Updated *CrowdStrike Falcon Adversary Data Connector* Change table name to be "ThreatIntelIndicators" instead of "ThreatIntelligenceIndicator" |
 | 3.1.9       | 17-12-2025                     | Updated *CrowdStrike API Data Connector* Enhance API configuration instructions with link |
 | 3.1.8       | 08-12-2025                     | Updated *CrowdStrike API Data Connector* to fix rate limit exceptions by introducing retry logic. |
 | 3.1.7       | 12-11-2025                     | Updated *CrowdStrike API Data Connector* to fix rate limit exceptions |

Original file line number	Diff line number	Diff line change
`@@ -7,26 +7,26 @@`
`7`	`7`	`{`
`8`	`8`	`"metricName": "Total data received",`
`9`	`9`	`"legend": "Crowdstrike Indicators of Compromise",`
`10`		`- "baseQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
	`10`	`+ "baseQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
`11`	`11`	`}`
`12`	`12`	`],`
`13`	`13`	`"sampleQueries": [`
`14`	`14`	`{`
`15`	`15`	`"description": "Threat Intel - Crowdstrike Indicators of Compromise",`
`16`		`- "query": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
	`16`	`+ "query": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
`17`	`17`	`}`
`18`	`18`	`],`
`19`	`19`	`"dataTypes": [`
`20`	`20`	`{`
`21`	`21`	`"name": "IndicatorsOfCompromise",`
`22`		`- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
	`22`	`+ "lastDataReceivedQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
`23`	`23`	`}`
`24`	`24`	`],`
`25`	`25`	`"connectivityCriterias": [`
`26`	`26`	`{`
`27`	`27`	`"type": "IsConnectedQuery",`
`28`	`28`	`"value": [`
`29`		`- "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
	`29`	`+ "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`30`	`30`	`]`
`31`	`31`	`}`
`32`	`32`	`],`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@`
`55`	`55`	`"email": "support@microsoft.com",`
`56`	`56`	`"_email": "[variables('email')]",`
`57`	`57`	`"_solutionName": "CrowdStrike Falcon Endpoint Protection",`
`58`		`- "_solutionVersion": "3.1.9",`
	`58`	`+ "_solutionVersion": "3.2.0",`
`59`	`59`	`"solutionId": "azuresentinel.azure-sentinel-solution-crowdstrikefalconep",`
`60`	`60`	`"_solutionId": "[variables('solutionId')]",`
`61`	`61`	`"uiConfigId1": "CrowdstrikeReplicatorv2",`
`@@ -156,9 +156,7 @@`
`156`	`156`	`"playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]",`
`157`	`157`	`"playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]",`
`158`	`158`	`"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]",`
`159`		`- "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]",`
`160`		`- "stepId": "incidents_details",`
`161`		`- "_stepId": "[variables('stepId')]"`
	`159`	`+ "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"`
`162`	`160`	`},`
`163`	`161`	`"resources": [`
`164`	`162`	`{`
`@@ -577,26 +575,26 @@`
`577`	`575`	`{`
`578`	`576`	`"metricName": "Total data received",`
`579`	`577`	`"legend": "Crowdstrike Indicators of Compromise",`
`580`		`- "baseQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
	`578`	`+ "baseQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
`581`	`579`	`}`
`582`	`580`	`],`
`583`	`581`	`"sampleQueries": [`
`584`	`582`	`{`
`585`	`583`	`"description": "Threat Intel - Crowdstrike Indicators of Compromise",`
`586`		`- "query": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
	`584`	`+ "query": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
`587`	`585`	`}`
`588`	`586`	`],`
`589`	`587`	`"dataTypes": [`
`590`	`588`	`{`
`591`	`589`	`"name": "IndicatorsOfCompromise",`
`592`		`- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
	`590`	`+ "lastDataReceivedQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
`593`	`591`	`}`
`594`	`592`	`],`
`595`	`593`	`"connectivityCriterias": [`
`596`	`594`	`{`
`597`	`595`	`"type": "IsConnectedQuery",`
`598`	`596`	`"value": [`
`599`		`- "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
	`597`	`+ "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`600`	`598`	`]`
`601`	`599`	`}`
`602`	`600`	`],`
`@@ -769,27 +767,27 @@`
`769`	`767`	`{`
`770`	`768`	`"metricName": "Total data received",`
`771`	`769`	`"legend": "Crowdstrike Indicators of Compromise",`
`772`		`- "baseQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
	`770`	`+ "baseQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'"`
`773`	`771`	`}`
`774`	`772`	`],`
`775`	`773`	`"dataTypes": [`
`776`	`774`	`{`
`777`	`775`	`"name": "IndicatorsOfCompromise",`
`778`		`- "lastDataReceivedQuery": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
	`776`	`+ "lastDataReceivedQuery": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize Time = max(TimeGenerated)\n \| where isnotempty(Time)"`
`779`	`777`	`}`
`780`	`778`	`],`
`781`	`779`	`"connectivityCriterias": [`
`782`	`780`	`{`
`783`	`781`	`"type": "IsConnectedQuery",`
`784`	`782`	`"value": [`
`785`		`- "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
	`783`	`+ "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| summarize LastLogReceived = max(TimeGenerated)\n \| project IsConnected = LastLogReceived > ago(3d)"`
`786`	`784`	`]`
`787`	`785`	`}`
`788`	`786`	`],`
`789`	`787`	`"sampleQueries": [`
`790`	`788`	`{`
`791`	`789`	`"description": "Threat Intel - Crowdstrike Indicators of Compromise",`
`792`		`- "query": "ThreatIntelligenceIndicator\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
	`790`	`+ "query": "ThreatIntelIndicators\n \| where SourceSystem == 'CrowdStrike Falcon Adversary Intelligence'\n \| sort by TimeGenerated desc"`
`793`	`791`	`}`
`794`	`792`	`],`
`795`	`793`	`"availability": {`
`@@ -9398,7 +9396,7 @@`
`9398`	`9396`	`"stepType": "Nested",`
`9399`	`9397`	`"nextSteps": [`
`9400`	`9398`	`{`
`9401`		`- "stepId": "[variables('_stepId')]",`
	`9399`	`+ "stepId": "incidents_details",`
`9402`	`9400`	`"stepPlaceholdersParsingKql": "source \| project res = parse_json(data) \| project resources = res['resources'] \| mvexpand resources \| project Url_PlaceHolder = resources"`
`9403`	`9401`	`}`
`9404`	`9402`	`]`
`@@ -10134,52 +10132,52 @@`
`10134`	`10132`	`"status": "Available",`
`10135`	`10133`	`"requiredDataConnectors": [`
`10136`	`10134`	`{`
`10137`		`- "connectorId": "CefAma",`
`10138`	`10135`	`"dataTypes": [`
`10139`	`10136`	`"CommonSecurityLog"`
`10140`		`- ]`
	`10137`	`+ ],`
	`10138`	`+ "connectorId": "CefAma"`
`10141`	`10139`	`}`
`10142`	`10140`	`],`
`10143`	`10141`	`"entityMappings": [`
`10144`	`10142`	`{`
	`10143`	`+ "entityType": "Account",`
`10145`	`10144`	`"fieldMappings": [`
`10146`	`10145`	`{`
`10147`		`- "identifier": "FullName",`
`10148`		`- "columnName": "AccountCustomEntity"`
	`10146`	`+ "columnName": "AccountCustomEntity",`
	`10147`	`+ "identifier": "FullName"`
`10149`	`10148`	`}`
`10150`		`- ],`
`10151`		`- "entityType": "Account"`
	`10149`	`+ ]`
`10152`	`10150`	`},`
`10153`	`10151`	`{`
	`10152`	`+ "entityType": "Host",`
`10154`	`10153`	`"fieldMappings": [`
`10155`	`10154`	`{`
`10156`		`- "identifier": "FullName",`
`10157`		`- "columnName": "HostCustomEntity"`
	`10155`	`+ "columnName": "HostCustomEntity",`
	`10156`	`+ "identifier": "FullName"`
`10158`	`10157`	`}`
`10159`		`- ],`
`10160`		`- "entityType": "Host"`
	`10158`	`+ ]`
`10161`	`10159`	`},`
`10162`	`10160`	`{`
	`10161`	`+ "entityType": "IP",`
`10163`	`10162`	`"fieldMappings": [`
`10164`	`10163`	`{`
`10165`		`- "identifier": "Address",`
`10166`		`- "columnName": "IPCustomEntity"`
	`10164`	`+ "columnName": "IPCustomEntity",`
	`10165`	`+ "identifier": "Address"`
`10167`	`10166`	`}`
`10168`		`- ],`
`10169`		`- "entityType": "IP"`
	`10167`	`+ ]`
`10170`	`10168`	`},`
`10171`	`10169`	`{`
	`10170`	`+ "entityType": "FileHash",`
`10172`	`10171`	`"fieldMappings": [`
`10173`	`10172`	`{`
`10174`		`- "identifier": "Algorithm",`
`10175`		`- "columnName": "FileHashAlgo"`
	`10173`	`+ "columnName": "FileHashAlgo",`
	`10174`	`+ "identifier": "Algorithm"`
`10176`	`10175`	`},`
`10177`	`10176`	`{`
`10178`		`- "identifier": "Value",`
`10179`		`- "columnName": "FileHashCustomEntity"`
	`10177`	`+ "columnName": "FileHashCustomEntity",`
	`10178`	`+ "identifier": "Value"`
`10180`	`10179`	`}`
`10181`		`- ],`
`10182`		`- "entityType": "FileHash"`
	`10180`	`+ ]`
`10183`	`10181`	`}`
`10184`	`10182`	`]`
`10185`	`10183`	`}`
`@@ -10263,52 +10261,52 @@`
`10263`	`10261`	`"status": "Available",`
`10264`	`10262`	`"requiredDataConnectors": [`
`10265`	`10263`	`{`
`10266`		`- "connectorId": "CefAma",`
`10267`	`10264`	`"dataTypes": [`
`10268`	`10265`	`"CommonSecurityLog"`
`10269`		`- ]`
	`10266`	`+ ],`
	`10267`	`+ "connectorId": "CefAma"`
`10270`	`10268`	`}`
`10271`	`10269`	`],`
`10272`	`10270`	`"entityMappings": [`
`10273`	`10271`	`{`
	`10272`	`+ "entityType": "Account",`
`10274`	`10273`	`"fieldMappings": [`
`10275`	`10274`	`{`
`10276`		`- "identifier": "FullName",`
`10277`		`- "columnName": "AccountCustomEntity"`
	`10275`	`+ "columnName": "AccountCustomEntity",`
	`10276`	`+ "identifier": "FullName"`
`10278`	`10277`	`}`
`10279`		`- ],`
`10280`		`- "entityType": "Account"`
	`10278`	`+ ]`
`10281`	`10279`	`},`
`10282`	`10280`	`{`
	`10281`	`+ "entityType": "Host",`
`10283`	`10282`	`"fieldMappings": [`
`10284`	`10283`	`{`
`10285`		`- "identifier": "FullName",`
`10286`		`- "columnName": "HostCustomEntity"`
	`10284`	`+ "columnName": "HostCustomEntity",`
	`10285`	`+ "identifier": "FullName"`
`10287`	`10286`	`}`
`10288`		`- ],`
`10289`		`- "entityType": "Host"`
	`10287`	`+ ]`
`10290`	`10288`	`},`
`10291`	`10289`	`{`
	`10290`	`+ "entityType": "IP",`
`10292`	`10291`	`"fieldMappings": [`
`10293`	`10292`	`{`
`10294`		`- "identifier": "Address",`
`10295`		`- "columnName": "IPCustomEntity"`
	`10293`	`+ "columnName": "IPCustomEntity",`
	`10294`	`+ "identifier": "Address"`
`10296`	`10295`	`}`
`10297`		`- ],`
`10298`		`- "entityType": "IP"`
	`10296`	`+ ]`
`10299`	`10297`	`},`
`10300`	`10298`	`{`
	`10299`	`+ "entityType": "FileHash",`
`10301`	`10300`	`"fieldMappings": [`
`10302`	`10301`	`{`
`10303`		`- "identifier": "Algorithm",`
`10304`		`- "columnName": "FileHashAlgo"`
	`10302`	`+ "columnName": "FileHashAlgo",`
	`10303`	`+ "identifier": "Algorithm"`
`10305`	`10304`	`},`
`10306`	`10305`	`{`
`10307`		`- "identifier": "Value",`
`10308`		`- "columnName": "FileHashCustomEntity"`
	`10306`	`+ "columnName": "FileHashCustomEntity",`
	`10307`	`+ "identifier": "Value"`
`10309`	`10308`	`}`
`10310`		`- ],`
`10311`		`- "entityType": "FileHash"`
	`10309`	`+ ]`
`10312`	`10310`	`}`
`10313`	`10311`	`]`
`10314`	`10312`	`}`