Error: 403 access denied from Crowdstrike log source
Last updated: September 3, 2024
Issue
I am getting the following error from my Crowdstrike log source:
list streams: [GET /sensors/entities/datafeed/v2][403] listAvailableStreamsOAuth2Forbidden &{Errors:[{Code:403 Message:access denied, authorization failed}] Meta:PoweredBy:crowdstrike-api-gateway QueryTime:xx-xx TraceID:xxx-xxx-xxx-xxx-xxx}}
Resolution
To resolve this issue, ensure that your API token includes the EventStream Read permission.

If you receive access token authentication errors, please check "Access token authentication error while onboarding Crowdstrike Event Streams log source in Panther" for additional context.
Cause
This error occurs because the API token you are using to access the Crowdstrike Event Stream API is missing the EventStream Read permission. Without this permission, the API denies access to the requested resources, resulting in the 403 access denied error.
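
To tell a missing permission apart from an access token authentication error, the following check requests an OAuth2 token and then calls the same `/sensors/entities/datafeed/v2` endpoint shown in the error. It is an added example, not Panther's or Crowdstrike's own code. Assumptions: the base URL `https://api.crowdstrike.com` (use the one for your Crowdstrike cloud), the `appId` value `scope-check`, and the function names, which are hypothetical.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://api.crowdstrike.com"  # assumption: replace with your cloud's base URL


def http_call(method, url, headers, body=None):
    """Minimal HTTP helper returning (status, parsed JSON body or {})."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.loads(err.read() or b"{}")
        except ValueError:
            return err.code, {}


def check_event_stream_access(client_id, client_secret, app_id="scope-check", call=http_call):
    """Return 'ok', 'bad_credentials', 'missing_scope' or 'unexpected:<status>'."""
    form = urllib.parse.urlencode(
        {"client_id": client_id, "client_secret": client_secret}).encode()
    status, data = call("POST", BASE_URL + "/oauth2/token",
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    # The token request fails when the client ID or secret is wrong.
    if status not in (200, 201) or "access_token" not in data:
        return "bad_credentials"
    url = BASE_URL + "/sensors/entities/datafeed/v2?appId=" + urllib.parse.quote(app_id)
    status, _ = call("GET", url, {"Authorization": "Bearer " + data["access_token"]})
    if status == 200:
        return "ok"
    if status == 403:
        # Token is valid but lacks the permission: the case this article describes.
        return "missing_scope"
    if status == 401:
        return "bad_credentials"
    return f"unexpected:{status}"


if __name__ == "__main__":
    # Credentials are read from the environment so they never land in shell history.
    print(check_event_stream_access(os.environ["CS_CLIENT_ID"], os.environ["CS_CLIENT_SECRET"]))
```

A result of `missing_scope` means the credentials work but the API client needs the permission added; `bad_credentials` points to the access token authentication article instead.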