Splunk SOAR

How to fix error with access token string?

jeffminkah20
Observer

Am trying to access Crowdstrike Intel endpoint where oauth2 token is needed. When I test asset connectivity, I get below error message which I believe is due to the length of the token string. How do I fix this error ?

ERROR MESSAGE

Using provided token to authenticate
Got error: 401
2 actions failed handle_action exception occurred. Error string: ''access_token''
Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@jeffminkah20 

What version of SOAR are you on and which app specifically are you using? CrowdStrike OAUTH? ANd what version of the app?

Are you definitely putting the correct items in the correct configuration parameters in the asset? I can't see them being too long as being the issue as they would be generated by CrowdStrike and they built the app. I have also seen many customers use this app with no issues setting up. 

If you are in version 5.x of SOAR then you can access the IDE by pressing the eye symbol to the right of the app and view the code and also run the "test connectivity" action where you should be able to see a bit more verbosity output in the window below.

The error seems to relate to the code trying to grab the `access_token` key from either the REST call response or from the local state file but without more verbosity in the error message I can't pin down the code section that is actually erroring, but i suspect it's the `_get_token` function which doesn't really have a lot of moving parts which is why i think maybe the auth items (client_id & client_secret) may be either incorrect or not allowed to generate a token on the CS side?

Validate all the configuration items, then look to use the IDE to see if you can get more verbosity. You can also clone it and add some debugging statements in to see what's being calculated and what isn't. The `access_string` key seems to relate to the constant CROWDSTRIKE_OAUTH_ACCESS_TOKEN_STRING.

0 Karma

jeffminkah20
Observer

Thanks for your response. Cloning the app and debugging helped fix the error.

0 Karma

jeffminkah20
Observer

Can I please get some response on this 

0 Karma
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...