Not receiving CrowdStrike Intel Indicators events

damode — Fri, 16 Oct 2020 04:14:42 GMT

Followed this guide properly but not getting any Falcon Indicator events in Splunk and getting the following message in log file

2020-10-16 14:37:04,341 INFO pid=488 tid=MainThread file=splunk_rest_client.py:_request_handler:105 | Use HTTP connection pooling 2020-10-16 14:37:05,289 INFO pid=488 tid=MainThread file=base_modinput.py:log_info:295 | Authentication status code: 201 2020-10-16 14:37:05,289 INFO pid=488 tid=MainThread file=base_modinput.py:log_info:295 | Successfully Retrieved Authentication Token 2020-10-16 14:37:05,563 ERROR pid=488 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events. Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-crowdstrike-intel-indicators/bin/ta_crowdstrike_intel_indicators/aob_py2/modinput_wrapper/base_modinput.py", line 128, in stream_events self.collect_events(ew) File "/opt/splunk/etc/apps/TA-crowdstrike-intel-indicators/bin/crowdstrike_intel_indicators.py", line 77, in collect_events input_module.collect_events(self, ew) File "/opt/splunk/etc/apps/TA-crowdstrike-intel-indicators/bin/input_module_crowdstrike_intel_indicators.py", line 157, in collect_events indicators = intel['resources'] KeyError: 'resources'

Please advise. Thanks.

Re: Not receiving CrowdStrike Intel Indicators events

MaverickT — Fri, 22 Jan 2021 15:51:31 GMT

Which "CloudStrike cloud environment" do you have selected? In my case it didn't work until "EU Cloud" was selected. After switching to "US Commercial" it started working.

Currently using EU Cloud is not beneficiary, since all requests are (at least currently) redirected to US commercial anyway.

topic Re: Not receiving CrowdStrike Intel Indicators events in Getting Data In

Not receiving CrowdStrike Intel Indicators events

Re: Not receiving CrowdStrike Intel Indicators events