All Apps and Add-ons

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found.

Explorer

Getting the error below in the 1.0.3 version of the Technology Add-on for CrowdStrike.

ERROR SearchParser - The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

ERROR TsidxStats - Error in 'SearchParser': The search specifies a macro 'cs_get_index' that cannot be found. Reasons include: the macro name is misspelled, you do not have "read" permission for the macro, or the macro has not been shared with this application. Click Settings, Advanced search, Search Macros to view macro information.

0 Karma
1 Solution

Explorer

To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.

[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent

[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent

[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent

[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"

[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"

[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="

[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="

View solution in original post

Observer

Getting this in Splunk Cloud, any work arounds?

0 Karma

Explorer

To the developer please remove the macro's from TA-crowdstrike/default/eventtypes.conf.
macros.conf is normally not replicated to indexers. This is why it works in stand-alone and not with a distributed search to indexer or cluster. You can add macros to replicate to indexers in distsearch.conf, or better yet just remove the macro from eventtypes.conf as its not needed.

[crowdstrike_detection]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=DetectionSummaryEvent

[crowdstrike_authentication]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=AuthActivityAuditEvent

[crowdstrike_change]
search = sourcetype="crowdstrike:falconhost:json" metadata.eventType=UserActivityAuditEvent

[crowdstrike_action]
search = sourcetype="crowdstrike:falconhost:ar"

[crowdstrike_query_detection]
search = sourcetype="crowdstrike:falconhost:query:json" source="/detects/entities/summaries/GET/v1"

[crowdstrike_query_indicator]
search = sourcetype="crowdstrike:falconhost:query:json" source="/indicators/entities/iocs/v1?ids="

[crowdstrike_query_device]
search = sourcetype="crowdstrike:falconhost:query:json" source="/devices/entities/devices/v1?ids="

View solution in original post

Path Finder

Bug still here in 1.0.4 and breaking the ES datamodel used by Intrusion Center dashboards

My workaround on the searchHeads is to replace the macro directly by the index name of crowdstrike.

cd etc/apps/TA-crowdstrike ; mkdir -p local
sed 's/`cs_get_index`/index=crowdstrike/' default/eventtypes.conf  > local/eventtypes.conf
0 Karma

Path Finder

Weird, ran into this issue with palo_alto add-on after pushing a shcluster bundle and forcing a SH restart.

The pan_traps index was not able to be found. I just created the macro myself since and made it global but just weird how this issue appeared after the app was working fine before.

0 Karma