The Integrated Cyber Defense Exchange (ICDx) dashboard shows gaps in log retrieval from the Web Security Service (WSS) collector. Reviewing the logs shows the following:
2021-03-31 09:21:58,559 [scheduled-worker] WARN com.symantec.swss.WebSecurityServiceModule - Download failed, status code: 429, response: {
"message": "Access to api not allowed for another 54 seconds",
"error": "Too Many Requests",
}. Will retry in 55 seconds
Release : 1.4
Component : swss_col_dx
As the response details state, status code 429 indicates that too many requests are being made. The following quote is from the WSS API documentation:
"Broadcom recommends that customers who create multiple copies of their cloud service archive data use a single download client and multiplex the data after it is downloaded. Thus, the Web Security Service imposes the throttle across all clients of the same customer regardless of client endpoint or API Key."
The above information is from the Web Security Service: Near Real-Time Log Sync Brief found here:
SIEM integration with Web Security Service
As stated above, the WSS API throttles per customer, regardless of separate API keys or connection IPs.
You must coordinate all connections to the WSS API so that they occur at least 5 minutes apart from each other.
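To measure how often the collector is being throttled, the following Python script (an added example, not part of the original article or of ICDx) scans collector log text for the multi-line 429 entries shown above and extracts the block and retry times. The first sample entry is the one quoted in this article; the remaining sample lines and all function names are constructed for illustration.

```python
import re
from datetime import datetime

# First entry is the one quoted in the article; the other lines are constructed.
SAMPLE_LOG = '''2021-03-31 09:21:58,559 [scheduled-worker] WARN com.symantec.swss.WebSecurityServiceModule - Download failed, status code: 429, response: {
"message": "Access to api not allowed for another 54 seconds",
"error": "Too Many Requests",
}. Will retry in 55 seconds
2021-03-31 09:22:53,601 [scheduled-worker] INFO com.symantec.swss.WebSecurityServiceModule - constructed filler line
2021-03-31 09:26:10,012 [scheduled-worker] WARN com.symantec.swss.WebSecurityServiceModule - Download failed, status code: 429, response: {
"message": "Access to api not allowed for another 103 seconds",
"error": "Too Many Requests",
}. Will retry in 104 seconds
'''

# A log entry begins on a line that starts with a timestamp; the JSON body
# of the response spills onto the following lines.
ENTRY_START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ", re.M)
BLOCKED = re.compile(r"not allowed for another (\d+) seconds")
RETRY = re.compile(r"Will retry in (\d+) seconds")

def find_throttle_events(log_text):
    """Return one dict per 'status code: 429' entry, in log order."""
    starts = list(ENTRY_START.finditer(log_text))
    events = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        entry = log_text[m.start():end]  # full multi-line entry
        if "status code: 429" not in entry:
            continue
        blocked = BLOCKED.search(entry)
        retry = RETRY.search(entry)
        events.append({
            "time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "blocked_s": int(blocked.group(1)) if blocked else None,
            "retry_s": int(retry.group(1)) if retry else None,
        })
    return events

def total_retry_delay(events):
    """Seconds of collection delay the collector scheduled because of throttling."""
    return sum(e["retry_s"] or 0 for e in events)

if __name__ == "__main__":
    found = find_throttle_events(SAMPLE_LOG)
    for e in found:
        print(e["time"], "blocked", e["blocked_s"], "s, retry in", e["retry_s"], "s")
    print("throttle events:", len(found), "total retry delay:", total_retry_delay(found), "s")
```

Recurring events in this output indicate that another client under the same customer account is still calling the WSS API within the throttle window.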