Troubleshooting CrowdStrike Intelligence collector

Configuration errors

| Error Type | Error Id | Error Message | Cause | Solution |
|---|---|---|---|---|
| InitVariablesError | 1-2 | Invalid content detected in the configuration | The module_properties setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 3-5 | Invalid content detected in the configuration | The base_url setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 6-7 | Invalid content detected in the configuration | The override_base_url setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 8-9 | Invalid content detected in the configuration | The base_tag setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 10-11 | Invalid content detected in the configuration | The user_agent setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 12-13 | Invalid content detected in the configuration | The endpoint setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 14-15 | Invalid content detected in the configuration | The auth setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 16-17 | Invalid content detected in the configuration | The event_list setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 18-19 | Invalid content detected in the configuration | The details settings need to have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 20-22 | Invalid content detected in the configuration | The logs_limit_in_items setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 23-24 | Invalid content detected in the configuration | The credentials setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 25-26 | Invalid content detected in the configuration | The client_id setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 27-28 | Invalid content detected in the configuration | The secret_key setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 29-31 | Invalid content detected in the configuration | The start_timestamp_in_epoch_seconds setting does not have the right format. | Check the documentation and update the configuration accordingly |
| InitVariablesError | 32-33 | Invalid content detected in the configuration | The unique_identifier setting does not have the right format. | Check the documentation and update the configuration accordingly |
| SetupError | 100 | Required credentials are invalid | Required credentials are invalid | Include the proper credentials in the configuration |
| SetupError | 101 | Service not found | A declared service is not valid | Include the proper service name in the configuration |
| SetupError | 102-103 | The token has no access | The generated token cannot access a service list. | Enable the service in the CrowdStrike configuration |
| SetupError | 104-105 | The token has no access | The generated token cannot access service details. | Enable the service in the CrowdStrike configuration |

Runtime errors

| Error Type | Error Id | Error Message | Cause | Solution |
|---|---|---|---|---|
| PrePullError | 200 | Error before pulling data | The start time is newer than the current date | Update the configuration |
| PullError | 300-312 | Error pulling data | Error pulling data from the service | Review the error and act accordingly if required. |
| ApiError | 400-403 | API error | The API returned an error | Review the error and act accordingly if required. |

Unable to find a scope when creating an API client

According to CrowdStrike, “The scopes you see when creating an API client are determined by your subscribed products and the cloud where your account is hosted.” Contact CrowdStrike sales if an additional subscription is needed.

The current token does not have access rights to the …

This warning indicates that the collector is unable to obtain data from a service.

To get a report of the services that need to be fixed, run this query:

from devo.collectors.out
  where toktains(msg,"The current token does not have access rights")
  select split(split(msg,"The current token does not have access rights to the",1),"service",0) as service
  where isnotnull(service)
  group by hostname, collector_name, service

In CrowdStrike, add the services to the scope of the API credentials to fix them.

error (401) discovering streams - access denied, invalid bearer token

The URL Endpoint may not be correct. The default api_url setting is api.crowdstrike.com, but yours may be different. Update the api_url parameter.

Other errors about “discovering streams”

In CrowdStrike, add “event streams” to the scope of the API credentials.

The access token does not have necessary permissions to retrieve events from CrowdStrike, status code: 403

The credentials may have been deleted within the CrowdStrike web app. Create new credentials.
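
For triage outside the query console, the sketch below applies the same extraction as the query above to exported collector log rows and maps the other messages in this section to their fixes. It is an added example, not code from the collector or from Devo; the row shape (hostname, collector_name, msg), the sample values and the exact wording of the constructed messages are assumptions.

```python
import re
from collections import Counter

# Warning text quoted on this page; the service name sits between "to the" and "service".
ACCESS_RE = re.compile(
    r"The current token does not have access rights to the\s+(.+?)\s+service")

# (pattern, fix) pairs taken from the sections above. First match wins, so the
# specific 401 case is listed before the generic "discovering streams" case.
RULES = [
    (re.compile(r"error \(401\) discovering streams"),
     "verify the api_url parameter"),
    (re.compile(r"discovering streams"),
     "add event streams to the API credential scope"),
    (re.compile(r"necessary permissions to retrieve events.*status code: 403"),
     "create new credentials"),
]

def triage(records):
    """Return (missing, actions): Counters keyed by
    (hostname, collector_name, service) and (hostname, collector_name, fix)."""
    missing, actions = Counter(), Counter()
    for rec in records:
        msg = rec.get("msg", "")
        key = (rec.get("hostname"), rec.get("collector_name"))
        m = ACCESS_RE.search(msg)
        if m:
            missing[key + (m.group(1),)] += 1
            continue
        for pattern, fix in RULES:
            if pattern.search(msg):
                actions[key + (fix,)] += 1
                break
    return missing, actions

# Constructed sample rows: hosts, collector name and service names are made up.
_ACCESS = "The current token does not have access rights to the %s service"
SAMPLE = [dict(hostname=h, collector_name="cs-intel", msg=m) for h, m in [
    ("host-a", _ACCESS % "example_service_a"),
    ("host-a", _ACCESS % "example_service_a"),
    ("host-b", _ACCESS % "example_service_b"),
    ("host-a", "error (401) discovering streams - access denied, invalid bearer token"),
    ("host-b", "error (500) discovering streams - constructed failure"),
    ("host-b", "The access token does not have necessary permissions to retrieve "
               "events from CrowdStrike, status code: 403"),
    ("host-b", "Pull completed"),  # unrelated line, ignored
]]
```

Call `triage(SAMPLE)` (or pass your own exported rows) and read the first counter as the list of services to add to the API credential scope.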
