Problem with Elements Connector registration

CyberCheese
CyberCheese Member Posts: 2 Security Scout

I need to install and configure a WithSecure Elements Connector to forward all security events to a SIEM server.
I have installed WithSecure Elements Connector in my managed environment on Linux.

I follow this guide: https://www.withsecure.com/userguides/product.html#business/connector/latest/en/task_2BD1FB5B0D364F39A14E52BBC56BEC74-latest-en

Then I configured an API access and the event forwarding settings as explained in the guide.

After starting the fsconnector service on the Linux server, I found this error in /var/opt/f-secure/fspms/logs/fsconnector-management.log:

"08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration
at org.springframework.web.reactive.function.client.WebClientResponseException.create(WebClientResponseException.java:183) ~[spring-webflux-5.2.24.RELEASE.jar:5.2.24.RELEASE]
Suppressed: reactor.core.publisher.FluxOnAssembly$OnAssemblyException:
Error has been observed at the following site(s):
*__checkpoint ⇢ 403 from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration [DefaultWebClient]"

The API key has Full editing access permission and the Subscription key configured is correct.

What could be the problem?


Answers

  • JamesC
    JamesC Staff, Moderator Posts: 540 W/ Moderator

    Hi @CyberCheese ,

    Thank you for contacting WithSecure

    Can you please share which SIEM you are using?

    Have you followed the exact steps mentioned in the user guides to configure API access, and the following information to configure event forwarding?

  • CyberCheese
    CyberCheese Member Posts: 2 Security Scout

    Thanks for your response.

    The SIEM is Wazuh, which exposes a syslog UDP server.

    Yes, I followed the steps in the guide. I configured an API client and enabled event forwarding (see the attachment).
    The last note about the API configuration says:
    "Note: After you turn on event forwarding in the profile settings, the api-access.properties file is deleted automatically. The API credentials are stored in an encrypted form in a secure storage."

    But I still see the api-access.properties file and the error in the log.

    I am sure that the client ID and the secret are correct, because if I try to authenticate manually it works.

    This works (same client ID and secret as in the api-access.properties file):
    curl -X POST -d "grant_type=client_credentials" -d "scope=connect.api.read connect.api.write" -u "<client ID>:<secret>" https://api.connect.withsecure.com/as/token.oauth2

    and this also works (token from the previous curl command's result):
    curl -H "Authorization: Bearer <token>" https://api.connect.withsecure.com/whoami/v1/whoami

    Any idea?
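The two curl checks above and the log excerpt from the original question separate two different failure modes: a token request that succeeds shows the client ID and secret are accepted, while the connector's 403 with API error code 140307 is a refusal for the subscription, not a credential failure. The following script is an added example, not part of the thread and not WithSecure's code: it parses fsconnector-management.log lines in the shape quoted above, pulls the embedded JSON error body out from under the Spring exception text that is glued onto it, and classifies each failure by HTTP status so an operator can tell a credentials problem (401) from an entitlement problem (403) before opening a support case. The sample log lines are constructed; the second one is invented to show a 401 and does not come from the thread.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the first line mirrors the error quoted in the thread (joined onto one line),
# the second is an invented 401 variant used only to exercise the classifier.
SAMPLE_LOG = """\
08.05.2024 09:11:52,796 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":140307,"message":"Operating system is not allowed for given subscription"}}org.springframework.web.reactive.function.client.WebClientResponseException$Forbidden: 403 Forbidden from POST https://provisioning.ew1.entitlements.fsapi.com/cpa/v1/registration
08.05.2024 09:12:10,001 INFO  [c.f.f.p.m.c.PolicyReceiver] - Policy check completed
08.05.2024 09:15:03,120 ERROR [c.f.f.p.m.c.PolicyReceiver] - Failed to download cosmos schema, response body: {"error":{"code":0,"message":"constructed sample"}}org.springframework.web.reactive.function.client.WebClientResponseException$Unauthorized: 401 Unauthorized from POST https://example.invalid/cpa/v1/registration
"""

# Leading "dd.MM.yyyy HH:mm:ss,SSS LEVEL" of each log line.
_TS_RE = re.compile(r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)")
# Tail of the Spring WebClient exception message: "<status> <reason> from <METHOD> <url>".
_HTTP_RE = re.compile(
    r"(?P<status>\d{3}) (?P<reason>[A-Za-z ]+?) from (?P<method>[A-Z]+) (?P<url>https?://\S+)"
)
_BODY_MARK = "response body: "


def _extract_body(line: str) -> Optional[Dict[str, Any]]:
    """Return the JSON object that follows 'response body: ', or None.

    The log writes the exception class name directly after the JSON with no separator,
    so a plain json.loads would fail; raw_decode stops at the end of the first object.
    """
    idx = line.find(_BODY_MARK)
    if idx < 0:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(line[idx + len(_BODY_MARK):])
    except json.JSONDecodeError:
        return None
    return obj if isinstance(obj, dict) else None


def classify(status: int) -> str:
    """Map the HTTP status to the kind of check the operator should do next."""
    if status == 401:
        return "credentials"   # client ID / secret rejected
    if status == 403:
        return "entitlement"   # credentials accepted, request refused for this subscription
    return "other"


def parse_connector_errors(text: str) -> List[Dict[str, Any]]:
    """Extract every ERROR line that carries an HTTP failure from a registration call."""
    findings: List[Dict[str, Any]] = []
    for line in text.splitlines():
        head = _TS_RE.match(line)
        if not head or head.group("level") != "ERROR":
            continue
        http = _HTTP_RE.search(line)
        if not http:
            continue
        status = int(http.group("status"))
        body = _extract_body(line) or {}
        err = body.get("error", {}) if isinstance(body.get("error"), dict) else {}
        findings.append({
            "timestamp": head.group("ts"),
            "status": status,
            "method": http.group("method"),
            "url": http.group("url"),
            "api_code": err.get("code"),
            "api_message": err.get("message"),
            "category": classify(status),
        })
    return findings


if __name__ == "__main__":
    for f in parse_connector_errors(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['status']} {f['method']} {f['url']}")
        print(f"  category={f['category']} api_code={f['api_code']} message={f['api_message']!r}")
```

Run it against the real file with `python3 script.py` after replacing `SAMPLE_LOG` with `open('/var/opt/f-secure/fspms/logs/fsconnector-management.log').read()`; if the connector's stack trace is wrapped across several lines by the terminal or by copy-paste, join the first line of each entry before feeding it in, as the JSON body and the `403 Forbidden from POST ...` text must be on one line for the regexes to match.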

  • JamesC
    JamesC Staff, Moderator Posts: 540 W/ Moderator

    Hi @CyberCheese

    For us to investigate further, we need to check the full WSDiag logs from the Elements Connector. Thus we suggest submitting a support case to us at https://www.withsecure.com/en/support/contact-support/email-support
