To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Problem with Elements Connector registration

Options
CyberCheese
CyberCheese W/ Member Posts: 2 Security Scout

I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.

I follow this guide: https://www.withsecure.com/userguides/product.html#business/connector/latest/en/task_2BD1FB5B0D364F39A14E52BBC56BEC74-latest-en

Then I configured an API access and the event forwarding settings as explained in the guide.

After starting the fsconnector service on linux server I found this error into the /var/opt/f-secure/fspms/logs/fsconnector-management.log

"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating syst
em is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/
cpa/v1/registration
at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELE
ASE.jar:5.2.24.RELEASE]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration [DefaultWebClient]"

The API key has Full editing access permission and the Subscription key configured is correct.

What could be the problem?

Tagged:

Answers

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 521 Moderator
    Options

    Hi @CyberCheese ,

    Thank you for contacting WithSecure

    Can you please share with SEIM you are using ?

    Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding ?

  • CyberCheese
    CyberCheese W/ Member Posts: 2 Security Scout
    Options

    Thanks for your response.

    The SIEM is Wazuh that exposed a syslog udp server.


    Yes, I followed the steps in the guide. I configured an API client and enable the event forwarding (see the attachment).
    The last note about the API configuration says:
    "Note: After you turn on event forwarding in the profile settings, the api-access.properties file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."

    But I still see the api-access.properties file and the error in the log.

    I sure that the client ID and the secret are correct because if I try to manually authenticate it works.

    This works: (same client ID and secret into the api-access.properties file)
    curl -X POST -d "grant_type=client_credentials" -d "scope=connect.api.read connect.api.write" -u "<client ID>:<secret>" https://api.connect.withsecure.com/as/token.oauth2

    and also this works: (token from the previous curl command result)
    curl -H "Authorization: Bearer <token>" https://api.connect.withsecure.com/whoami/v1/whoami

    Any idea?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 521 Moderator
    Options

    Hi @CyberCheese

    For us to investigate further, there is a need to check the full WSDiag logs from the Elements Connector. Thus we suggest to submit a support case to us on https://www.withsecure.com/en/support/contact-support/email-support