Hardcoded API URLs in CrowdStrikeAPI CCP connector

[RealFireAU]

Describe the bug
The CrowdStrikeAPI_PollingConfig.json file in the CrowdStrike Falcon Endpoint Protection Data Connector contains multiple instances of a hardcoded URL for the API endpoint instead of referencing the parameter-supplied value. This inconsistency leads to deployment issues, specifically during multi-step polling configuration.

To Reproduce
Steps to reproduce the behavior:

1. Deploy the CrowdStrikeAPI_PollingConfig.json data connector.
2. The initial polling step functions as expected using the provided URL parameter.

SentinelHealth
| where SentinelResourceName startswith "ApiPolling-CrowdStrike"
| where Status == "Success"

3. Subsequent polling steps fail due to use of a hardcoded URL string, which does not align with the configured parameter.

SentinelHealth
| where SentinelResourceName startswith "ApiPolling-CrowdStrike"
| where Status <> "Success"

4. This results in an incorrect API call and a failure in the polling process. (can be seen in SentinelHealth table with description Data fetch failed (Call failed with status code 401 (Unauthorized): POST [REDACTED]))

Expected behavior
All polling steps should use the URL passed through the deployment parameters. This would ensure consistency, reliability, and compatibility across different environments.

Screenshots
N/A (Code reference provided below)

Code references
Incorrect (hardcoded) usage found at lines:

• Line 54
• Line 130
• Line 207
• Line 284
• Line 361

Correct usage (parameter-based URL) examples can be found at:

• Line 24
• Line 104
• Line 181
• Line 258
• Line 335

Desktop (please complete the following information):

N/A

Smartphone (please complete the following information):

N/A

Additional context

N/A

[v-tsawant]

Hi @RealFireAU , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

[alexjackfish]

Hello,

I'm experiencing an issue connecting the connector, as I am using the following URL: https://api.eu-1.crowdstrike.com.

Could you please advise if there is a fix or workaround for this, or if the connector supports this regional endpoint?

Thank you in advance.

[RealFireAU]

@alexjackfish I ended up manually updating the URL's using the API as part of my testing:
using the Arm api playground

Rest API docs

Basically GET the existing config using the get request, clear out the tokenEndpointQueryParameters supply the clientid/secret again and change the api URL and then PUT the updated connector. (you'll need to do it for all the connectors Alerts/Hosts/Incidents/Detects)

After doing so took about an hour for the connector to start working.

Not Ideal as a solution but will work until the JSON for the RestApiPoller is fixed, I'm using the connector in our dev environment until it's fixed.

[v-sudkharat]

@alexjackfish / @RealFireAU, PR has been raised with corrections, the changes will get reflect in upcoming solution version. Thanks!