All Apps and Add-ons

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

kevinmanson
Explorer

Getting the error below in the 1.0.3 version of the Technology Add-on for CrowdStrike.

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

ERROR TsidxStats - Error in 'SearchParser': The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

0 Karma
1 Solution

kevinmanson
Explorer

To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.

[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent

[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent

[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent

[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"

[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"

[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="

[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="

View solution in original post

gregz00
Observer

Getting this in Splunk Cloud, any work arounds?

0 Karma

kevinmanson
Explorer

To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.

[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent

[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent

[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent

[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"

[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"

[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="

[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="

FloSwiip
Path Finder

Bug still here in 1.0.4 and breaking the ES datamodel used by Intrusion Center dashboards

My workaround on the searchHeads is to replace the macro directly by the index name of crowdstrike.

cd etc/apps/TA-crowdstrike ; mkdir -p local
sed 's/`cs_get_index`/index=crowdstrike/' default/eventtypes.conf  > local/eventtypes.conf
0 Karma

Sahr_Lebbie
Path Finder

Weird, ran into this issue with palo_alto add-on after pushing a shcluster bundle and forcing a SH restart.

The pan_traps index was not able to be found. I just created the macro myself since and made it global but just weird how this issue appeared after the app was working fine before.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...