FortiSIEM
Juancacst
Staff
Article Id 242877
Description

This article describes how to fix an issue where the connectivity test with the Falcon Streaming API credentials fails with an empty response (HTTP error 404 Not Found).

Scope

CrowdStrike integration with FortiSIEM
Solution

The symptoms of the problem are as follows:

1) The credentials (Client ID and secret) were confirmed to be correct.

2) The client ID exists on CrowdStrike.

3) The base URL is correct.

4) The following errors are found in /opt/phoenix/log/phoenix.log when testing the connectivity:

2022-12-22T13:04:52.534821-05:00 <hostname> phDiscover[53732]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=phHttpClient.cpp,[lineNumber]=928,[infoURL]=https://<your_URL>.crowdstrike.com/sensors/entities/datafeed/v2?appId=FSMFalconTestConn_XXXXXXXX,[phLogDetail]=Http client failed to get initial response from URL: https://<your_URL>.crowdstrike.com/sensors/entities/datafeed/v2?appId=FSMFalconTestConn_XXXXXXXX. Error response: {
...
2022-12-22T13:04:52.534840-05:00 <hostname> phDiscover[53732]: "trace_id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
2022-12-22T13:04:52.534842-05:00 <hostname> phDiscover[53732]: },
2022-12-22T13:04:52.534843-05:00 <hostname> phDiscover[53732]: "errors": [
2022-12-22T13:04:52.534845-05:00 <hostname> phDiscover[53732]: {
2022-12-22T13:04:52.534846-05:00 <hostname> phDiscover[53732]: "code": 404,
2022-12-22T13:04:52.534848-05:00 <hostname> phDiscover[53732]: "message": "resource not found"
The API client used by the device performing the connectivity test (Collector or Supervisor) is not permitted to access this resource. CrowdStrike returns 404 Not Found instead of 403 Forbidden so that the existence of the resource is not disclosed to unauthorized clients. Update the permissions on this resource so that the SIEM is allowed to pull logs from it.
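The following Python script is an added triage example, not part of this article or of FortiSIEM: it reassembles the JSON error body that phDiscover spreads over several phoenix.log lines and flags the masked-403 case described above. The embedded log excerpt is constructed; its hostname, PID, URL and appId are placeholders.

```python
import json
import re

# Constructed phoenix.log excerpt in the layout the article shows; hostname, PID and URL are placeholders.
SAMPLE_LOG = """\
2022-12-22T13:04:52.534821-05:00 sup01 phDiscover[53732]: [PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[infoURL]=https://api.placeholder.crowdstrike.com/sensors/entities/datafeed/v2?appId=FSMFalconTestConn_00000000,[phLogDetail]=Http client failed to get initial response from URL: https://api.placeholder.crowdstrike.com/sensors/entities/datafeed/v2?appId=FSMFalconTestConn_00000000. Error response: {
2022-12-22T13:04:52.534840-05:00 sup01 phDiscover[53732]: "errors": [
2022-12-22T13:04:52.534845-05:00 sup01 phDiscover[53732]: {
2022-12-22T13:04:52.534846-05:00 sup01 phDiscover[53732]: "code": 404,
2022-12-22T13:04:52.534848-05:00 sup01 phDiscover[53732]: "message": "resource not found"
2022-12-22T13:04:52.534850-05:00 sup01 phDiscover[53732]: }
2022-12-22T13:04:52.534851-05:00 sup01 phDiscover[53732]: ]
2022-12-22T13:04:52.534852-05:00 sup01 phDiscover[53732]: }
"""
PREFIX = re.compile(r"^\S+ \S+ phDiscover\[\d+\]: ")  # timestamp host process[pid]:
MARKER = "[PH_HTTP_CLIENT_GET_INIT_RESPONSE_FAILED]"
DATAFEED_PATH = "/sensors/entities/datafeed/v2"  # Falcon streaming API endpoint

def extract_failures(log_text):
    """Pair each failed-GET event with the JSON body spread over the following lines."""
    events, current = [], None
    for raw in log_text.splitlines():
        line = PREFIX.sub("", raw, count=1)
        if MARKER in line:
            url = re.search(r"\[infoURL\]=([^,]+)", line)
            body = line.split("Error response: ", 1)[1] if "Error response: " in line else ""
            current = {"url": url.group(1) if url else "", "body": body}
            events.append(current)
        elif current is not None:  # continuation line of the JSON error body
            current["body"] += line
    return events

def parse_error(body):
    """Return (code, message); fall back to regexes if the JSON was cut off in the log."""
    try:
        err = json.loads(body)["errors"][0]
        return int(err["code"]), err["message"]
    except (ValueError, KeyError, IndexError, TypeError):
        code = re.search(r'"code":\s*(\d+)', body)
        msg = re.search(r'"message":\s*"([^"]*)"', body)
        return (int(code.group(1)) if code else None), (msg.group(1) if msg else None)

def diagnose(event):
    """A 404 'resource not found' on the datafeed URL is a permission problem:
    CrowdStrike answers 404 rather than 403 so the resource's existence stays hidden."""
    code, message = parse_error(event["body"])
    if DATAFEED_PATH in event["url"] and code == 404 and message == "resource not found":
        return "permission: API client may not read the streaming datafeed (404 masks 403)"
    return f"http {code}: {message} on {event['url']}"
```

Run it against a real phoenix.log by passing the file contents to extract_failures and calling diagnose on each returned event.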
