
Problem with Elements Connector registration

CyberCheese (Member, Posts: 2, Security Scout)

I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.

I followed this guide: https://www.withsecure.com/userguides/product.html#business/connector/latest/en/task_2BD1FB5B0D364F39A14E52BBC56BEC74-latest-en

Then I configured an API access and the event forwarding settings as explained in the guide.

After starting the fsconnector service on the Linux server I found this error in /var/opt/f-secure/fspms/logs/fsconnector-management.log:

"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration
at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELEASE.jar:5.2.24.RELEASE]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration [DefaultWebClient]"

The API key has Full editing access permission and the Subscription key configured is correct.

What could be the problem?


Answers

  • JamesC (Staff, Moderator; Posts: 545; W/ Moderator)

    Hi @CyberCheese,

    Thank you for contacting WithSecure.

    Can you please share which SIEM you are using?

    Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding?

  • CyberCheese (Member, Posts: 2, Security Scout)

    Thanks for your response.

    The SIEM is Wazuh, which exposes a syslog UDP server.

    Yes, I followed the steps in the guide. I configured an API client and enabled event forwarding (see the attachment).
    The last note about the API configuration says:
    "Note: After you turn on event forwarding in the profile settings, the api-access.properties file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."

    But I still see the api-access.properties file and the error in the log.

    I am sure that the client ID and the secret are correct, because if I try to authenticate manually it works.

    This works (same client ID and secret as in the api-access.properties file):
    curl -X POST -d "grant_type=client_credentials" -d "scope=connect.api.read connect.api.write" -u "<client ID>:<secret>" https://api.connect.withsecure.com/as/token.oauth2

    and also this works: (token from the previous curl command result)
    curl -H "Authorization: Bearer <token>" https://api.connect.withsecure.com/whoami/v1/whoami

    Any idea?
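
As an added example (not code from the original post and not a WithSecure tool), the following Python script triages the fsconnector-management.log excerpt quoted above. It parses lines in the shape the log shows (timestamp, level, logger, message, with Spring's "NNN Reason from METHOD URL" text appended) and separates an HTTP 401, where the client ID/secret itself is rejected, from an HTTP 403 that carries a structured error body, where the request was accepted as authenticated but refused by entitlement policy. That is the distinction this thread turns on: a token that works against /as/token.oauth2 and /whoami/v1/whoami does not show that the subscription entitles this host. The log sample is constructed from the line in the post; the trailing 401 line is hypothetical and exists only to show the contrasting verdict, and no WithSecure error codes other than the one on the page are assumed.

```python
"""Triage registration errors in fsconnector-management.log.

Added example, not part of the original post or of WithSecure tooling.
"""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape as quoted in the post: "DD.MM.YYYY HH:MM:SS,mmm LEVEL [logger] - message".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] - (?P<msg>.*)$"
)
# Spring WebClientResponseException text: "403 Forbidden from POST https://host/path".
HTTP_RE = re.compile(
    r"(?P<status>\d{3}) (?P<reason>[A-Za-z ]+?) from (?P<method>[A-Z]+) (?P<url>\S+)"
)

# Constructed sample: the first line is the error quoted in the post, written on
# one line as the logger emits it; the final 401 line is hypothetical.
SAMPLE_LOG = (
    '08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, '
    'response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}'
    'org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: '
    '403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration\n'
    'at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELEASE.jar:5.2.24.RELEASE]\n'
    'Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:\n'
    '08.05.2024 09:15:00,000 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, '
    'response body: org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: '
    '401 Unauthorized from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration\n'
)


@dataclass
class Failure:
    timestamp: str
    status: int
    url: str
    error_code: Optional[int]
    error_message: Optional[str]
    verdict: str


def extract_json_object(text: str) -> Optional[dict]:
    """Return the first balanced {...} object in text, or None.

    The logger glues the exception class straight onto the body with no
    separator, so a plain json.loads on the remainder of the line would fail.
    """
    start = text.find("{")
    if start < 0:
        return None
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                try:
                    return json.loads(text[start:i + 1])
                except json.JSONDecodeError:
                    return None
    return None


def classify(status: int, error_code: Optional[int]) -> str:
    """Map HTTP status plus presence of a structured error to an actionable verdict."""
    if status == 401:
        return "authentication failed: client ID/secret rejected"
    if status == 403 and error_code is not None:
        return "authenticated request refused by policy: check subscription/entitlement, not the API key"
    if status == 403:
        return "forbidden without structured error body: collect full logs"
    return "unclassified HTTP %d" % status


def triage(log_text: str) -> List[Failure]:
    """Return one Failure per ERROR line that carries an HTTP status and URL."""
    failures: List[Failure] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("level") != "ERROR":
            continue  # stack-trace continuation lines and non-errors are skipped
        msg = m.group("msg")
        http = HTTP_RE.search(msg)
        if not http:
            continue
        body = None
        if "response body:" in msg:
            body = extract_json_object(msg.split("response body:", 1)[1])
        err = (body or {}).get("error") or {}
        status = int(http.group("status"))
        failures.append(Failure(
            timestamp=m.group("ts"),
            status=status,
            url=http.group("url"),
            error_code=err.get("code"),
            error_message=err.get("message"),
            verdict=classify(status, err.get("code")),
        ))
    return failures


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.timestamp} HTTP {f.status} {f.url}")
        print(f"  code={f.error_code} message={f.error_message!r}")
        print(f"  -> {f.verdict}")
```

Run it against the real file with `triage(open("/var/opt/f-secure/fspms/logs/fsconnector-management.log").read())`. On the excerpt above it reports the 403 as an entitlement refusal against the registration endpoint, which is consistent with the manual curl succeeding: that curl only exercises the token and whoami endpoints, not /cpa/v1/registration. Separately, passing the secret as `-u "<client ID>:<secret>"` leaves it in shell history and visible in the process list for the duration of the request; `curl -u "<client ID>"` with no colon prompts for it instead, and `--netrc-file` keeps it out of both.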

  • JamesC (Staff, Moderator; Posts: 545; W/ Moderator)

    Hi @CyberCheese

    For us to investigate further, we need to check the full WSDiag logs from the Elements Connector. Thus we suggest submitting a support case to us at https://www.withsecure.com/en/support/contact-support/email-support
