Problem with Elements Connector registration

CyberCheese · 2024-05-08T07:32:16+00:00

There was an error rendering this rich post.

I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.

I follow this guide: https://www.withsecure.com/userguides/product.html#business/connector/latest/en/task_2BD1FB5B0D364F39A14E52BBC56BEC74-latest-en

Then I configured an API access and the event forwarding settings as explained in the guide.

After starting the fsconnector service on linux server I found this error into the /var/opt/f-secure/fspms/logs/fsconnector-management.log

"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating syst
em is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/
cpa/v1/registration
at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELE
ASE.jar:5.2.24.RELEASE]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration [DefaultWebClient]"

The API key has Full editing access permission and the Subscription key configured is correct.

What could be the problem?

Find more posts tagged with

Connector

Accepted answers

All comments

JamesC

Hi @CyberCheese

For us to investigate further, there is a need to check the full WSDiag logs from the Elements Connector. Thus we suggest to submit a support case to us on https://www.withsecure.com/en/support/contact-support/email-support

CyberCheese

Thanks for your response.

The SIEM is Wazuh that exposed a syslog udp server.

Yes, I followed the steps in the guide. I configured an API client and enable the event forwarding (see the attachment).
The last note about the API configuration says:
"Note: After you turn on event forwarding in the profile settings, the api-access.properties file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."

But I still see the api-access.properties file and the error in the log.

I sure that the client ID and the secret are correct because if I try to manually authenticate it works.

This works: (same client ID and secret into the api-access.properties file)
curl -X POST -d "grant_type=client_credentials" -d "scope=connect.api.read connect.api.write" -u "<client ID>:<secret>" https://api.connect.withsecure.com/as/token.oauth2

and also this works: (token from the previous curl command result)
curl -H "Authorization: Bearer <token>" https://api.connect.withsecure.com/whoami/v1/whoami

Any idea?

JamesC

Hi @CyberCheese ,

Thank you for contacting WithSecure

Can you please share with SEIM you are using ?

Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding ?