LogRhythm API certificate error trying to download Cloud SWG logs via SyncAPI
Article ID: 229490

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SOC reported that LogRhythm SIEM is not able to pull logs from Cloud SWG SyncAPI service.

LogRhythm support found that the connections to portal.threatpulse.net:443 are failing with the error "Unable to communicate securely with peer: requested domain name does not match the server's certificate".

According to the Download Audit Logs with REST API documentation, the REST API URL is https://portal.threatpulse.net/api/rest.

Manually browsing to that URL, as shown below, returns the same error: the certificate carries only one SAN, "DNS Name=*.threatpulse.com", which indeed does not match portal.threatpulse.net.

$ curl "https://portal.threatpulse.com/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:####-####-####-####-####" -H "X-APIPassword:####-####-####-####-####" -o WSS_log.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 8319k    0 8319k    0     0   540k      0 --:--:--  0:00:14 --:--:--  785k
 
$ curl "https://portal.threatpulse.net/reportpod/logs/sync?startDate=0&endDate=0&token=none" -H "X-APIUsername:####-####-####-####-####" -H "X-APIPassword:####-####-####-####-####" -o WSS_log.zip
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL: no alternative certificate subject name matches target host name 'portal.threatpulse.net'
More details here: https://curl.se/docs/sslcerts.html
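The curl error above is the standard hostname-versus-SAN check failing. The following stand-alone script (an added example, not part of this article or of the LogRhythm or Cloud SWG products) reproduces that check so a collector's configured URL can be validated before the SIEM is pointed at it: hostname_matches() applies the leftmost-label wildcard rule to a SAN list, diagnose() gives a verdict, and fetch_san_dns_names() pulls the DNS SANs from a live endpoint. The SAN list in the usage section is constructed to mirror the certificate quoted above.

```python
"""Pre-flight check for a SIEM log-collector URL: does the server certificate
cover the hostname the collector is configured with? Stdlib only."""
import socket
import ssl
from urllib.parse import urlsplit


def hostname_matches(hostname: str, san_dns_names: list[str]) -> bool:
    """RFC 6125-style comparison of hostname against the DNS SANs.
    A wildcard is honoured only as the leftmost label and matches exactly one
    label: "*.threatpulse.com" covers "portal.threatpulse.com" but neither
    "portal.threatpulse.net" nor "a.b.threatpulse.com"."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in san_dns_names:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            # Refuse "*" and "*.tld" style wildcards; compare the rest literally.
            if len(san_labels) > 2 and san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def diagnose(hostname: str, san_dns_names: list[str]) -> str:
    """One-line verdict for the collector's configured hostname."""
    if hostname_matches(hostname, san_dns_names):
        return f"OK: {hostname} is covered by SAN {san_dns_names}"
    return (f"MISMATCH: {hostname} is not in SAN {san_dns_names}; "
            "correct the configured URL, do not disable certificate checks")


def fetch_san_dns_names(url: str, timeout: float = 10.0) -> list[str]:
    """Read the DNS SANs of a live endpoint: chain validation stays on, only
    Python's own hostname check is off so a wrongly named cert can be inspected."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # name check is done by hostname_matches()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must still validate
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN list mirroring the certificate quoted in the article.
    print(diagnose("portal.threatpulse.net", ["*.threatpulse.com"]))
    print(diagnose("portal.threatpulse.com", ["*.threatpulse.com"]))
```

To check a real collector URL, pass it to fetch_san_dns_names() and feed the result to diagnose() with the URL's hostname; a MISMATCH verdict is the same condition curl reports as error 60.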


Environment

LogRhythm SIEM solution.

Cloud SWG SyncAPI endpoints.

Cause

The SIEM client is referencing the wrong domain.

The documentation has been corrected to reference the portal.threatpulse.com domain rather than portal.threatpulse.net.


Resolution

Make sure that the SIEM (LogRhythm in this case) points to the portal.threatpulse.com domain.