Description
Integration Name
CrowdStrike [crowdstrike]
Dataset Name
crowdstrike.vulnerability
Integration Version
1.77.0
Agent Version
8.18.3
Agent Output Type
elasticsearch
Elasticsearch Version
8.18.3
OS Version and Architecture
Agentless
Software/API Version
No response
Error Message
{
  "meta": {
    "query_time": 0.065321854,
    "pagination": {
      "limit": 400,
      "total": 0,
      "after": ""
    },
    "powered_by": "spapi",
    "trace_id": "<uuid>"
  },
  "resources": [],
  "errors": [
    {
      "code": 404,
      "message": "Search context expired, 'after' key no longer valid"
    }
  ]
}
Event Original
No response
What did you do?
The CrowdStrike vulnerability data stream is configured to collect vulnerabilities.
What did you see?
The integration fails during pagination with the error "Search context expired, 'after' key no longer valid". This happens when the time between paginated requests to the /spotlight/queries/vulnerabilities/v1 endpoint exceeds 120 seconds.
IIUC, the current implementation fetches a list of vulnerability IDs and then fetches the full details for each vulnerability, which can take longer than the token's lifetime.
What did you expect to see?
No errors.
Anything else?
The CrowdStrike documentation states this about the returned after token:
Token used with the limit parameter to manage pagination of results. On your first request, don't provide an after token. On subsequent requests, provide the after token from the previous response to continue from that place in the results.
Tokens expire 120 seconds after a call is made.
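The following is an added example, not code from the issue or from the Elastic integration, that models the failure the issue describes and the ordering fix it implies. A simulated clock and a constructed stand-in for the IDs endpoint (FakeClock, FakeSpotlightApi, query_ids, get_details are all hypothetical names) enforce the documented 120 second lifetime of the after token; page_then_details reproduces the pattern where full details are fetched between pages, and drain_ids_then_details walks every ID page first so each after token is consumed well inside its lifetime.

```python
"""Added example (not the integration's own code): why fetching vulnerability
details between pages of /spotlight/queries/vulnerabilities/v1 expires the
`after` token, and the page-draining order that avoids it.
All class and function names here are hypothetical."""

TOKEN_TTL_SECONDS = 120  # lifetime quoted from the CrowdStrike docs in the issue
EXPIRED = {"code": 404, "message": "Search context expired, 'after' key no longer valid"}


class SearchContextExpired(Exception):
    """Raised in place of the HTTP 404 body shown in the issue."""


class FakeClock:
    """Simulated wall clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class FakeSpotlightApi:
    """Constructed stand-in for the IDs endpoint and the per-vulnerability
    details endpoint. It invalidates an after token 120 s after it was issued."""
    def __init__(self, ids, limit, clock, query_cost=0.1, detail_cost=50.0):
        self.ids = list(ids)
        self.limit = limit
        self.clock = clock
        self.query_cost = query_cost    # simulated seconds per IDs query
        self.detail_cost = detail_cost  # simulated seconds per details fetch
        self._tokens = {}               # after token -> (offset, issued_at)

    def query_ids(self, after=""):
        """Mimics GET /spotlight/queries/vulnerabilities/v1?limit=..&after=.."""
        if after == "":
            offset = 0
        else:
            offset, issued_at = self._tokens.get(after, (None, None))
            if offset is None or self.clock.now() - issued_at > TOKEN_TTL_SECONDS:
                raise SearchContextExpired(EXPIRED)
        self.clock.advance(self.query_cost)
        page = self.ids[offset:offset + self.limit]
        next_offset = offset + self.limit
        token = ""
        if next_offset < len(self.ids):
            token = f"after-{next_offset}"
            self._tokens[token] = (next_offset, self.clock.now())
        return {"resources": page,
                "meta": {"pagination": {"limit": self.limit,
                                        "total": len(self.ids), "after": token}}}

    def get_details(self, vuln_id):
        """Mimics the comparatively slow per-ID details fetch (constructed data)."""
        self.clock.advance(self.detail_cost)
        return {"id": vuln_id, "status": "open"}


def page_then_details(api):
    """Pattern the issue describes: details for every ID on a page are fetched
    before the next page is requested, so the after token goes stale."""
    out, after = [], ""
    while True:
        resp = api.query_ids(after)
        out.extend(api.get_details(v) for v in resp["resources"])
        after = resp["meta"]["pagination"]["after"]
        if after == "":
            return out


def drain_ids_then_details(api):
    """Fix: consume every ID page back-to-back (each call issues a fresh token
    that is used within seconds), then fetch details with no token in play."""
    ids, after = [], ""
    while True:
        resp = api.query_ids(after)
        ids.extend(resp["resources"])
        after = resp["meta"]["pagination"]["after"]
        if after == "":
            break
    return [api.get_details(v) for v in ids]


def demo():
    """Returns (naive_order_expired, records_collected_by_fixed_order)."""
    ids = [f"vuln-{i}" for i in range(10)]
    try:
        page_then_details(FakeSpotlightApi(ids, limit=4, clock=FakeClock()))
        naive_failed = False
    except SearchContextExpired:
        naive_failed = True
    fixed = drain_ids_then_details(FakeSpotlightApi(ids, limit=4, clock=FakeClock()))
    return naive_failed, len(fixed)


if __name__ == "__main__":
    print(demo())  # (True, 10)
```

With four IDs per page and 50 simulated seconds per details call, the naive order spends 200 seconds between the first and second IDs query and hits the same 404 the issue reports, while the draining order completes all ten records. The cost of the draining order is memory for the full ID list and a larger gap between the query and the details, which is usually acceptable for a vulnerability inventory; if the gap matters, the details phase can be chunked and the ID query re-run from the start rather than resuming with a stale token.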