Merge pull request #21 from ndergal1/ndergal/feat/rename-files

Modifying readme and removing FCS occurrences

README.md

@@ -58,19 +58,19 @@ Ensure you have a CrowdStrike API client ID and client secret for Falcon Cloud S
 #### Deployment command
 
 ```sh
-az deployment mg create --name 'cs-fcs-managementgroup-deployment' --location westus \
+az deployment mg create --name 'cs-managementgroup-deployment' --location westus \
   --management-group-id $(az account show --query tenantId -o tsv) \
-  --template-file cs-fcs-deployment-managementGroup.bicep \
+  --template-file cs-deployment-managementGroup.bicep \
   --only-show-errors
 ```
 
 #### Remediate Azure Policy Assignment
 
-To enable indicators of attack (IOAs) for all the already existing subscriptions, you must remediate the **cs-ioa-assignment** Azure policy assignment manually.
+To enable indicators of attack (IOAs) for all the already existing subscriptions on Azure, you must remediate the **CrowdStrike IOA** Azure policy assignment manually.
 
 1. In the Azure portal, navigate to **Management Groups** and select the tenant root group.
 2. Go to **Governance** > **Policy** and select **Authoring** > **Assignments**.
-3. Click the **cs-ioa-assignment** assignment and then remediate the assignment by [creating a remediation task from a non-compliant policy assignment](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#option-2-create-a-remediation-task-from-a-non-compliant-policy-assignment).
+3. Click the **CrowdStrike IOA** assignment and then remediate the assignment by [creating a remediation task from a non-compliant policy assignment](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#option-2-create-a-remediation-task-from-a-non-compliant-policy-assignment).
 4. Click **Validate** to return to the cloud accounts page. Allow about two hours for the data to be available.
 
 #### Parameters
@@ -144,8 +144,8 @@ Ensure you have a CrowdStrike API client ID and client secret for Falcon Cloud S
 #### Deployment command
 
 ```sh
-az deployment sub create --name 'cs-fcs-subscription-deployment' --location westus \
-  --template-file cs-fcs-deployment-subscription.bicep \
+az deployment sub create --name 'cs-subscription-deployment' --location westus \
+  --template-file cs-deployment-subscription.bicep \
   --only-show-errors
 ```
 
@@ -193,6 +193,13 @@ When deleting the resource group _cs-ioa-group_, the Key Vault gets soft-deleted
 
 If you encounter any issues while trying to create the Key Vault, please follow [Microsoft's instruction](https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-portal#list-recover-or-purge-a-soft-deleted-key-vault) on how to recover a soft-deleted Key Vault.
 
+#### IOAs still shown as inactive for discovered subscriptions after registering an Azure management group
+
+After registering a management group and manually remediating the CrowdStrike IOA Azure policy assignment, IOAs can remain inactive for some discovered subscriptions. This can happen when the diagnostic settings are not configured in the registered subscriptions.
+
+The evaluation of the assigned Azure policy responsible for the diagnostic settings creation can take some time to properly evaluate which resources need to be remediated (See [Evaluation Triggers](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/get-compliance-data#evaluation-triggers)).
+
+Make sure that all the existing subscriptions are properly listed under [resources to remediate](https://learn.microsoft.com/en-us/azure/governance/policy/how-to/remediate-resources?tabs=azure-portal#step-2-specify-remediation-task-details) when creating the remediation tasks.
 ## Contributing
 
 If you want to develop new content or improve on this collection, please open an issue or create a pull request. All contributions are welcome!
@@ -201,8 +208,8 @@ If you want to develop new content or improve on this collection, please open an
 
 This is a community-driven, open source project aimed to register Falcon Cloud Security with Azure using Bicep. While not an official CrowdStrike product, this repository is maintained by CrowdStrike and supported in collaboration with the open source developer community.
 
-For additional information, please refer to the [SUPPORT.md](https://github.com/CrowdStrike/fcs-azure-bicep/main/SUPPORT.md) file.
+For additional information, please refer to the [SUPPORT.md](https://github.com/CrowdStrike/cs-azure-integration-bicep/main/SUPPORT.md) file.
 
 ## License Information
 
-See the [LICENSE](https://github.com/CrowdStrike/fcs-azure-bicep/main/LICENSE) for more information.
+See the [LICENSE](https://github.com/CrowdStrike/cs-azure-integration-bicep/main/LICENSE) for more information.

SECURITY.md

@@ -10,8 +10,8 @@ We have multiple avenues to receive security-related vulnerability reports.
 
 Please report suspected security vulnerabilities by:
 
-+ Submitting a [bug](https://github.com/CrowdStrike/fcs-azure-bicep/issues/new/)
-+ Submitting a [pull request](https://github.com/CrowdStrike/fcs-azure-bicep/pulls) to potentially resolve the issue
++ Submitting a [bug](https://github.com/CrowdStrike/cs-azure-integration-bicep/issues/new/)
++ Submitting a [pull request](https://github.com/CrowdStrike/cs-azure-integration-bicep/pulls) to potentially resolve the issue
 + Sending an email to __oss-security@crowdstrike.com__
 
 ## Disclosure and mitigation process
@@ -30,7 +30,7 @@ process, involving the following steps:
 
 ## Comments
 
-If you have suggestions on how this process could be improved, please let us know by [summarizing your thoughts in an issue](https://github.com/CrowdStrike/fcs-azure-bicep/issues/new/).
+If you have suggestions on how this process could be improved, please let us know by [summarizing your thoughts in an issue](https://github.com/CrowdStrike/cs-azure-integration-bicep/issues/new/).
 
 <BR/><BR/>
 

SUPPORT.md

@@ -6,7 +6,7 @@ This is a community-driven, open source project designed to register  Falcon Clo
 
 ## Issue Reporting and Questions
 
-Issues may be reported [here](https://github.com/CrowdStrike/fcs-azure-bicep/issues/new/choose) and are used to track bugs, documentation and link updates, enhancement requests and security concerns.
+Issues may be reported [here](https://github.com/CrowdStrike/cs-azure-integration-bicep/issues/new/choose) and are used to track bugs, documentation and link updates, enhancement requests and security concerns.
 
 ## Support Escalation
 

cs-fcs-deployment-managementGroup.bicep → cs-deployment-managementGroup.bicep

@@ -19,7 +19,7 @@ param targetScope string = 'ManagementGroup'
 param defaultSubscriptionId string
 
 @description('The prefix to be added to the deployment name.')
-param deploymentNamePrefix string = 'cs-fcs'
+param deploymentNamePrefix string = 'cs'
 
 @description('The suffix to be added to the deployment name.')
 param deploymentNameSuffix string = utcNow()
@@ -73,7 +73,6 @@ param location string = deployment().location
 @description('Tags to be applied to all resources.')
 param tags object = {
   'cstag-vendor': 'crowdstrike'
-  'cstag-product': 'fcs'
 }
 
 /* IOM-specific parameter */
@@ -130,7 +129,7 @@ module iomAzureManagementGroup 'modules/iom/azureManagementGroupRoleAssignment.b
   }
 }
 
-module ioaAzureSubscription 'modules/cs-fcs-ioa-deployment.bicep' = if (deployIOA && targetScope == 'ManagementGroup') {
+module ioaAzureSubscription 'modules/cs-ioa-deployment.bicep' = if (deployIOA && targetScope == 'ManagementGroup') {
   name: '${deploymentNamePrefix}-ioa-azureSubscription-${deploymentNameSuffix}'
   scope: subscription(defaultSubscriptionId) // DO NOT CHANGE
   params:{

cs-fcs-deployment-subscription.bicep → cs-deployment-subscription.bicep

@@ -16,7 +16,7 @@ targetScope = 'subscription'
 param targetScope string = 'Subscription'
 
 @description('The prefix to be added to the deployment name.')
-param deploymentNamePrefix string = 'cs-fcs'
+param deploymentNamePrefix string = 'cs'
 
 @description('The suffix to be added to the deployment name.')
 param deploymentNameSuffix string = utcNow()
@@ -73,7 +73,6 @@ param location string = deployment().location
 @description('Tags to be applied to all resources.')
 param tags object = {
   'cstag-vendor': 'crowdstrike'
-  'cstag-product': 'fcs'
 }
 
 /* IOM-specific parameter */
@@ -119,7 +118,7 @@ module iomAzureSubscription 'modules/iom/azureSubscription.bicep' = if (deployIO
   }
 }
 
-module ioaAzureSubscription 'modules/cs-fcs-ioa-deployment.bicep' = if (deployIOA && targetScope == 'Subscription') {
+module ioaAzureSubscription 'modules/cs-ioa-deployment.bicep' = if (deployIOA && targetScope == 'Subscription') {
   name: '${deploymentNamePrefix}-ioa-azureSubscription-${deploymentNameSuffix}'
   scope: subscription(defaultSubscriptionId)
   params:{

modules/cs-fcs-ioa-deployment.bicep → modules/cs-ioa-deployment.bicep

@@ -12,7 +12,7 @@ targetScope = 'subscription'
 param location string = deployment().location
 
 @description('The prefix to be added to the deployment name.')
-param deploymentNamePrefix string = 'cs-fcs-ioa'
+param deploymentNamePrefix string = 'cs-ioa'
 
 @description('The suffix to be added to the deployment name.')
 param deploymentNameSuffix string = utcNow()
@@ -23,7 +23,6 @@ param resourceGroupName string = 'cs-ioa-group' // DO NOT CHANGE - used for regi
 @description('Tags to be applied to all resources.')
 param tags object = {
   'cstag-vendor': 'crowdstrike'
-  'cstag-product': 'fcs'
 }
 
 @description('The CID for the Falcon API.')

modules/ioa/activityLogPolicy.bicep

@@ -57,7 +57,7 @@ resource csIOAPolicyAssignment 'Microsoft.Authorization/policyAssignments@2024-0
   properties: {
     assignmentType: 'Custom'
     description: 'Ensures that Activity Log data is send to CrowdStrike for Indicator of Attack (IOA) assessment.'
-    displayName: 'CrowdStrike IOA 2'
+    displayName: 'CrowdStrike IOA'
     enforcementMode: 'Default'
     policyDefinitionId: csIOAPolicyDefinition.id
     parameters: {

modules/ioa/defaultSubscription.bicep

@@ -35,7 +35,7 @@ resource setAzureDefaultSubscription 'Microsoft.Resources/deploymentScripts@2023
       }
     ]
     arguments: '-AzureTenantId ${tenant().tenantId} -AzureSubscriptionId ${subscription().subscriptionId}'
-    scriptContent: loadTextContent('../../scripts/Set-FcsAzureDefaultSubscription.ps1')
+    scriptContent: loadTextContent('../../scripts/Set-AzureDefaultSubscription.ps1')
     retentionInterval: 'PT1H'
     cleanupPreference: 'OnSuccess'
   }

modules/iom/azureAccount.bicep

@@ -49,13 +49,12 @@ param location string = resourceGroup().location
 @description('Tags to be applied to all resources.')
 param tags object = {
   'cstag-vendor': 'crowdstrike'
-  'cstag-product': 'fcs'
 }
 
 /* Resources */
 /* Register Azure account(s) in Falcon Falcon Cloud Security */
-resource fcsAzureAccount 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
-  name: 'cs-fcs-iom-${subscription().subscriptionId}'
+resource azureAccount 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
+  name: 'cs-iom-${subscription().subscriptionId}'
   location: location
   tags: tags
   kind: 'AzurePowerShell'
@@ -84,11 +83,11 @@ resource fcsAzureAccount 'Microsoft.Resources/deploymentScripts@2023-08-01' = {
       }
     ]
     arguments: '-AzureAccountType ${azureAccountType} -AzureTenantId ${tenant().tenantId} -AzureSubscriptionId ${subscription().subscriptionId} -TargetScope ${targetScope} -UseExistingAppRegistration ${useExistingAppRegistration}'
-    scriptContent: loadTextContent('../../scripts/New-FcsAzureAccount.ps1')
+    scriptContent: loadTextContent('../../scripts/New-AzureAccount.ps1')
     retentionInterval: 'PT1H'
     cleanupPreference: 'OnSuccess'
   }
 }
 
 /* Outputs */
-output azurePublicCertificate string = fcsAzureAccount.properties.outputs.public_certificate
+output azurePublicCertificate string = azureAccount.properties.outputs.public_certificate

modules/iom/azureAppRegistration.bicep

@@ -11,7 +11,7 @@ extension microsoftGraphV1
 
 /* Parameters */
 @description('Name of the Application Registration.')
-param applicationName string = 'CrowdStrikeFCS-${uniqueString(tenant().tenantId)}'
+param applicationName string = 'CrowdStrike-${uniqueString(tenant().tenantId)}'
 
 @secure()
 @description('Public certificate data.')

modules/iom/azureSubscription.bicep

@@ -16,7 +16,7 @@ extension microsoftGraphV1
 param targetScope string
 
 @description('The prefix to be added to the deployment name.')
-param deploymentNamePrefix string = 'cs-fcs-iom'
+param deploymentNamePrefix string = 'cs-iom'
 
 @description('The suffix to be added to the deployment name.')
 param deploymentNameSuffix string = utcNow()
@@ -70,7 +70,6 @@ param location string = deployment().location
 @description('Tags to be applied to all resources.')
 param tags object = {
   'cstag-vendor': 'crowdstrike'
-  'cstag-product': 'fcs'
 }
 
 /* Create Azure Resource Group for IOM resources */