All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do we fix Crowdstrike Falcon Event Streams TA error?

maxviggiano
New Member
‎10-01-2020 03:30 PM

We're receiving the error below repeatedly when trying to integrate Splunk with Crowdstrike using the provided Splunkbase add-ons. The API credentials are correct and the Crowdstrike tenant is populated with some detections and incidents. Please advise.

 

2020-10-01 18:51:36,664 DEBUG pid=7904 tid=MainThread file=connectionpool.py:_new_conn:959 | Starting new HTTPS connection (1): api.us-2.crowdstrike.com:443
2020-10-01 18:51:38,016 DEBUG pid=7904 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.us-2.crowdstrike.com:443 "POST /oauth2/token HTTP/1.1" 201 1200
2020-10-01 18:51:38,017 INFO pid=7904 tid=MainThread file=base_modinput.py:log_info:295 | Successfully retrieved OAuth2 API token
2020-10-01 18:51:38,344 DEBUG pid=7904 tid=MainThread file=connectionpool.py:_make_request:437 | https://api.us-2.crowdstrike.com:443 "GET /sensors/entities/datafeed/v2?appId=DSR9a&format=json HTTP/1.1" 404 196
2020-10-01 18:51:38,345 ERROR pid=7904 tid=MainThread file=base_modinput.py:log_error:309 | Unable to access data streams. Error Code: 404 - Error Message: resource not found
2020-10-01 18:51:38,348 ERROR pid=7904 tid=MainThread file=base_modinput.py:log_error:309 | Get error when collecting events.
Traceback (most recent call last):
File "E:\Splunk\etc\apps\TA-crowdstrike-falcon-event-streams\bin\ta_crowdstrike_falcon_event_streams\aob_py3\modinput_wrapper\base_modinput.py", line 128, in stream_events
self.collect_events(ew)
File "E:\Splunk\etc\apps\TA-crowdstrike-falcon-event-streams\bin\crowdstrike_event_streams.py", line 71, in collect_events
input_module.collect_events(self, ew)
File "E:\Splunk\etc\apps\TA-crowdstrike-falcon-event-streams\bin\input_module_crowdstrike_event_streams.py", line 346, in collect_events
crowdstrike_client()
File "E:\Splunk\etc\apps\TA-crowdstrike-falcon-event-streams\bin\input_module_crowdstrike_event_streams.py", line 234, in crowdstrike_client
num_feeds = len(response['resources'])
UnboundLocalError: local variable 'response' referenced before assignment

 

 

Labels (1)
Labels
0 Karma
Reply

jkleensang
Path Finder
‎05-26-2022 11:41 AM

Hopefully you resolved this - if so, how? 

0 Karma
Reply

alecvogelsang-d
New Member
‎10-18-2024 08:58 AM

We experienced this exact error without much of explanation. But the Add-On documentation states the following in the Troubleshooting Section:

Ensure that the Event Stream API has been enabled for the CID

The Crowdstrike API Documentation agrees and states the following for Event Streams, specifically if you're a GovCloud customer.

alecvogelsangd_0-1729266995785.png

 

After opening up a ticket with Crowdstrike and asking them to enable the event streams on our CID, the error cleared up and logs began to populate.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...