Skip to content

Fix: Handle missing indicator scope permission gracefully in CrowdStrike Report Connector #5479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
narenvivek wants to merge 3 commits into from
Closed

Fix: Handle missing indicator scope permission gracefully in CrowdStrike Report Connector #5479

narenvivek wants to merge 3 commits into from
+43 −5

Conversation

@narenvivek
Copy link

@narenvivek narenvivek commented Dec 25, 2025
edited
Loading

Problem

CrowdStrike connector crashes with KeyError: 'resources' when users lack the "indicator" API scope, preventing import of reports and actors.

Root Cause

API returns a 403 error response without a "resources" field, but code tried to access it directly without validation.

Solution

  • Added defensive check for response structure before accessing 'resources'
  • Handle 403 errors gracefully with warnings instead of crashing
  • Changed 403 logging from ERROR to WARNING level
  • Applied Black formatting

Testing

  • ✅ Actors imported successfully
  • ✅ Reports imported successfully
  • ✅ No KeyError crashes
  • ✅ Backward compatible

Impact

  • Fixes crash for users without "indicator" scope
  • No breaking changes
  • No configuration changes needed

Proposed changes

Related issues

Checklist

  • I consider the submitted work as finished
  • I have signed my commits using GPG key.
  • I tested the code for its functionality using different use cases
  • I added/update the relevant documentation (either on github or on notion)
  • Where necessary I refactored code to improve the overall quality

Further comments

@warp-agent
Fix: Handle missing indicator scope permission gracefully in CrowdStr…
8588a47 
…ike report importer

- Add defensive check for API response structure before accessing 'resources' field
- Log warning and continue report import when indicator scope is not permitted (403)
- Allows reports to import successfully even without indicator scope access
- Fixes KeyError crash when users lack indicator scope in API credentials

Co-Authored-By: Warp <agent@warp.dev>
narenvivek and others added 2 commits December 25, 2025 06:56
@warp-agent
Fix: Reduce error log level for 403 permission errors in CrowdStrike …
30877ca 
…API client

- Change 403 (permission denied) errors from ERROR to WARNING level
- Prevents misleading error logs when scope is not permitted
- 403 errors are now handled gracefully in the connector logic
- Other 4xx/5xx errors remain at ERROR level for visibility

Co-Authored-By: Warp <agent@warp.dev>
@warp-agent
Style: Apply Black code formatting
d18b776 
Co-Authored-By: Warp <agent@warp.dev>
@narenvivek narenvivek mentioned this pull request Jan 8, 2026
Open
5 tasks
@narenvivek
Copy link
Author

narenvivek commented Jan 8, 2026

Closing this PR in favor of #5577, which follows the proper naming conventions ([connector_name] format) and has GPG-signed commits as required by the project guidelines.

@narenvivek narenvivek closed this Jan 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@narenvivek narenvivek

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@narenvivek