REST API Crowdstrike FDR Dashboard Error

Good morning,
I recently integrated the Crowdstrike FDR stream into my Elastic instance. The integration includes a premade dashboard called [Crowdstrike] FDR Overview. When I load the dashboard up, the data is populated as it should. However, sections of the dashboard load up with the following error:

Request error: security_exception, unable to authenticate user [] for REST request [/logs-*/_async_search?batched_reduce_size=64&wait_for_completion_timeout=100ms&keep_on_completion=true&keep_alive=604800000ms&ignore_unavailable=true&preference=1694609314833]

Every time I refresh or load the dashboard, a different panel will have this error. For example, there is a panel titled Top DNS Queries. It will sometimes load the list as normal but sometimes throw this error. I have yet to load the dashboard and have all panels populate data at the same time; at least one throws the error above.

I tried to search for the error but I could not find any reference that would tell me why the error was being thrown. If my creds were incorrect, then it shouldn't be loading any data, so I am assuming there is another reason this is happening.

Does anyone have experience with this or know why this is happening? Any ideas where I might be able to find REST settings to do some troubleshooting? Thanks!

Hi @sgrubb. It sounds like your user lacks permissions to use the _async_search endpoint. The documentation shows that the _async_search endpoint is restricted to the monitoring_user role. So perhaps you need to grant that role to your user.
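As an added troubleshooting helper (not code from the thread above or from Elastic's Crowdstrike integration), the script below runs the same checks a practitioner would use to separate "no credentials reached Elasticsearch" (the error quotes an empty username, `user []`) from "the user lacks a privilege". It assumes a reachable cluster at `ES_URL` and a user `ES_USER`/`ES_PASS` matching the identity Kibana queries run as; the `logs-*` pattern and the `_async_search` parameters are taken from the error message in the original post, and the `monitor` cluster privilege is included only because it is what the suggested `monitoring_user` role would grant.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumptions: ES_URL, ES_USER
# and ES_PASS describe the cluster and the user whose dashboard panels fail.
set -eu

ES_URL="${ES_URL:-https://localhost:9200}"
ES_USER="${ES_USER:-elastic}"
ES_PASS="${ES_PASS:-changeme}"

# 1. Who does Elasticsearch think this user is? If this call fails or returns
#    an empty "username", the problem is authentication (expired session,
#    proxy stripping the Authorization header), not a missing role.
whoami_es() {
  curl -sS -u "$ES_USER:$ES_PASS" "$ES_URL/_security/_authenticate"
}

# 2. Ask explicitly whether the user may read logs-* and hold the "monitor"
#    cluster privilege that the monitoring_user role would add.
has_privileges_body() {
  cat <<'EOF'
{
  "cluster": ["monitor"],
  "index": [{ "names": ["logs-*"], "privileges": ["read"] }]
}
EOF
}

check_privileges() {
  curl -sS -u "$ES_USER:$ES_PASS" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/_security/user/_has_privileges" \
    -d "$(has_privileges_body)"
}

# 3. Reproduce the failing panel query outside Kibana with the same parameters
#    the error message shows, so a failure can be attributed to the user rather
#    than to the dashboard. Repeat it a few times: the post says only some
#    panels fail, so a single success proves little.
async_search_once() {
  curl -sS -o /dev/null -w '%{http_code}\n' \
    -u "$ES_USER:$ES_PASS" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/logs-*/_async_search?wait_for_completion_timeout=100ms&keep_on_completion=true&ignore_unavailable=true" \
    -d '{"size":0,"query":{"match_all":{}}}'
}

async_search_repeat() {
  i=0
  while [ "$i" -lt "${1:-5}" ]; do
    async_search_once
    i=$((i + 1))
  done
}

# Helpers for reading the JSON replies without jq (portable grep/sed only).

# Returns 0 when the _has_privileges reply grants everything that was asked.
all_granted() {
  printf '%s' "$1" | grep -q '"has_all_requested" *: *true'
}

# Extracts the "username" field from an _authenticate reply; prints nothing
# when the field is absent, which mirrors the empty [] in the error message.
auth_username() {
  printf '%s' "$1" | sed -n 's/.*"username" *: *"\([^"]*\)".*/\1/p'
}

# Usage (needs network access, so not run automatically here):
#   whoami_es; check_privileges; async_search_repeat 10
```

Run `whoami_es` first: a 401 or an empty username points at how the request is authenticated (Kibana session, API key, proxy) and no role change will fix it. Only if that succeeds does `check_privileges` returning `"has_all_requested": false` indicate a role gap, and `async_search_repeat` shows whether the intermittent failure reproduces outside the dashboard.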

Thank you, I'll check on that.
