Why am I receiving a 403 forbidden error on my HMAC authenticated CrowdStrike Falcon alerts?
Issue
I created my HTTP Source with HMAC authentication for CrowdStrike Falcon alerts but am receiving a 403 error.
Resolution
HMAC authentication is not currently supported for this integration. Although it is less secure, a workaround is to use Shared secret authentication for your log source, with the key/value being x-cs-signature-algorithm: HmacSHA256
.
Cause
HMAC authentication is not currently supported for this integration, as CrowdStrike includes a custom header that we don't support yet.